Active Directory 2008: AD LDS Management Facts…

You should be aware of the following methods of AD LDS instance configuration:

Method Description
Move an instance An AD LDS replica instance can be   moved into a site object by using the Active Directory Sites and Services.   Membership in the Administrators group or equivalent is required to complete   this procedure.

  1. Open Active Directory Sites        and Services from the Administrative tools in the Start menu.
  2. Click on Change Domain        Controller, then specify the name and the port number of the server that        holds the AD LDS instances in the configuration set for which you        want to create site objects.
  3. Open the Servers        container by double-clicking the Sites container, then        double-clicking the site that contains the AD LDS instance that you        want to move, then double-clicking the Servers container.
  4. In the Servers        container, right-click the AD LDS instance that you want to move,        then click Move.
  5. In the Move Server        dialog box, select the site to which you want to move the AD LDS        instance, then click OK.
Import data into an instance Data can be imported into an   AD LDS instance in the following ways:

  • Using the Importing LDIF        Files page in the AD LDS Setup Wizard during setup of the instance.
  • Manually, by using the Ldifde        command anytime after creation of the instance.

Prior to importing the data, use   the Ldifde tool to export the data from an existing LDAP directory.

Create a replication schedule A replication schedule for an AD   LDS instance can be created using ADSI edit.

  • Scheduling replication is optional;        the AD LDS replication schedule is set to the Once per Hour        option by default.
  • Because intrasite AD LDS        replication uses update notifications to replicate data, intrasite        replication is only affected by a replication frequency schedule when no        update notifications occur in the specified time frame.
Synchronize data Use the Adamsync /sync   command to synchronize data from an AD DS forest to the configuration   set of an AD LDS instance.

  • The AD LDS instance must have        been configured by importing the MS-AdamSyncMetadata.LDF file.
  • You must run the command each        time you want to synchronize data.

AD LDS must verify the user’s credentials or bind users into the directory through successful authentication before they can request directory data. Binding to an AD LDS instance takes place in the following ways:

  • The      user account resides directly in AD LDS. You can bind as an AD LDS      security principal using Ldp.exe in Server Manager.
  • The      user account resides on a local computer or in an Active Directory Domain      Services domain. You can bind as a Windows Security principal using the      ADSI Edit snap-in.
  • The      user is bound through an AD LDS proxy object using redirection. This      allows AD LDS to accept and process bind requests to an AD LDS      proxy object that has the Security Identifier (SID) from an AD DS      security principal as one of its attributes. A user who binds to an      AD LDS instance through a proxy object receives membership in the      Users group on each naming context that is held by the AD LDS instance.
    Bind redirection provides the following benefits:

    • Binding provides AD DS users with access to both       AD LDS data and AD DS data using AD DS domain credentials       for Single Sign-On (SSO).
    • AD LDS proxy objects can be used to store user       data that is specific to a particular application in AD LDS, while       using AD DS to store more widely used directory data.
    • Unlike other types of binding, bind redirection       enables a user to bind to AD LDS by means of a simple bind while       still using AD DS credentials.

You should know the following about configuring security principles and binding:

  • Passwords      can be set for security principals either by using ADSI Edit or by using Ldp.exe      over an encrypted, non-SSL connection.
  • You      can set or modify a password for an AD LDS security principal using the      ADSI Edit snap-in.
  • AD LDS      allows the use of Windows security principals for authentication and      access control.
  • Windows      users can be members of AD LDS groups.
  • A      Windows user binding to an AD LDS instance receives membership only      in the AD LDS groups to which that user has been explicitly added as      a member.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s