Windows Management and Scripting


An overview of implementing AD LDS

Posted by Alin D on February 10, 2011

AD LDS is implemented in Windows Server 2008 as a server role. To install the server role, use Server Manager to add the role. To install the server role on a Windows Server 2008 computer running Server Core, run the start /w ocsetup DirectoryServices-ADAM-ServerCore command. During the role installation, you do not need to make any installation decisions other than choosing to install the role. In order to install AD LDS, your user account must be a member of the local Administrators group.

Configuring Instances and Application Partitions

After installing the AD LDS server role, you use the Active Directory Lightweight Directory Services Setup Wizard to create AD LDS service instances. Multiple instances of AD LDS can run simultaneously on the same computer. Each instance of the AD LDS directory service has a separate directory data store, a unique service name, and a unique service description that is assigned during installation. When you run the wizard, you also have the option of creating an application directory partition.

To create a new AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard, complete the following steps:

1. Start the Active Directory Lightweight Directory Services Setup Wizard. You can start the wizard from the Administrative Tools menu or from Server Manager.
2. On the Welcome page, click Next.
3. On the Setup Options page, you have a choice of creating a new instance or creating a replica of an existing instance, as shown in the image below. Click A Unique Instance and then click Next.

image

4. On the Instance Name page, provide a name for the AD LDS instance that you are installing. The name that you choose must meet the following requirements:
❑ It must be different from other ADAM instances running on the same computer.
❑ It must be no longer than 44 characters.
❑ It must use characters only from the ranges of a through z, A through Z, or 0 through 9.
❑ The name ntds cannot be used.
5. On the Ports page, specify the communications ports that the AD LDS instance uses to communicate. AD LDS can communicate using both LDAP and Secure Sockets Layer (SSL).

6. On the Application Directory Partition page, you can create an application directory partition during the AD LDS installation, as shown in the figure below. If you do not install an application directory partition now, you must create an application directory partition manually after installation. When you create the application partition, you must provide a fully qualified partition name.

image

7. On the File Locations page, you can view and change the installation directories for AD LDS data and recovery (log) files. By default, AD LDS data and recovery files are installed in %ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents the AD LDS instance name that you specified on the Instance Name page.
8. On the Service Account Selection page, select an account to be used as the service account for AD LDS. The account that you select determines the security context in which the AD LDS instance runs. The Active Directory Lightweight Directory Services Setup Wizard defaults to the Network Service account.

9. On the AD LDS Administrators page, select a user or group to become the default administrator for the AD LDS instance. The user or group that you select will have full administrative control of the AD LDS instance. By default, the Active Directory Lightweight Directory Services Setup Wizard specifies the currently logged-on user. You can change this selection to any local or domain account or group on your network.
10. On the Importing LDIF Files page, you can import schema .ldf files into the AD LDS instance, as shown in the screenshot below.

image

11. On the Ready To Install page, review your installation selections. After you click Next, the Active Directory Lightweight Directory Services Setup Wizard copies files and sets up AD LDS on your computer.
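The same instance can be created without the wizard: each wizard page above corresponds to a key in an AD LDS unattended-install answer file consumed by adaminstall.exe /answer. The following PowerShell is an added example, not part of the original post; the instance name, ports, partition DN, administrators group and LDIF file are placeholders.

```powershell
# Added example (not from the original post): scripted equivalent of the wizard steps.
# Placeholder values; adjust to your environment.
$instanceName = 'AppDirectory'             # Instance Name page (<= 44 chars, a-z A-Z 0-9)
$ldapPort     = 50000                      # Ports page: LDAP
$sslPort      = 50001                      # Ports page: SSL
$partitionDn  = 'O=Contoso,C=US'           # Application Directory Partition page
$dataPath     = "$env:ProgramFiles\Microsoft ADAM\$instanceName\data"  # File Locations page
$adminGroup   = 'CONTOSO\ADLDS-Admins'     # AD LDS Administrators page: a group, not one user

# Enforce the wizard's instance-name rules before touching the system.
if ($instanceName.Length -gt 44 -or $instanceName -notmatch '^[A-Za-z0-9]+$' -or $instanceName -ieq 'ntds') {
    throw "Instance name '$instanceName' violates the AD LDS naming rules"
}

$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instanceName
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionToCreate=$partitionDn
DataFilesPath=$dataPath
LogFilesPath=$dataPath
; Service Account Selection page: leaving ServiceAccount unset keeps the default
; Network Service account (least privilege); do not put a domain admin here.
Administrator=$adminGroup
; Importing LDIF Files page: import only the schema the application needs.
ImportLDIFFiles="MS-User.LDF"
"@

$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# Ready To Install page equivalent: run the installer and check its exit code.
$proc = Start-Process -FilePath "$env:windir\ADAM\adaminstall.exe" `
                      -ArgumentList "/answer:`"$answerFile`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "adaminstall.exe failed with exit code $($proc.ExitCode)" }

# Verify the new instance answers on the chosen LDAP port (what Ldp's Connect would show).
$rootDse = [ADSI]"LDAP://localhost:$ldapPort/RootDSE"
$rootDse.Get('namingContexts')

Remove-Item $answerFile
```

Run from an elevated prompt on the server that already has the AD LDS role installed.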

AD LDS Management Tools

In most cases, after you install an AD LDS instance, you will install the application that will use the instance (in fact, the application may install AD LDS and configure the instance for you). However, you can also manage AD LDS instances by using the administration tools provided with AD LDS.

Using the ADSI Edit Tool

ADSI Edit is a Microsoft Management Console (MMC) snap-in for general administration of AD LDS. It is installed as part of the AD LDS and AD DS server roles. To use ADSI Edit to administer an AD LDS instance, you must first connect to the instance. When you open ADSI Edit for the first time, it is not connected to any directory. To connect to a directory, on the Action menu, click Connect To. On the Connection Settings screen, you must provide the following information:
■ A name for this connection. If you choose one of the well-known naming contexts, this name is filled in for you.
■ A connection point. This can be a well-known naming context like the configuration or schema partitions, the rootDSE object, or the Default naming context (which only applies to AD DS domains or application directory partitions). If you want to connect to an application directory partition, you must enter the distinguished name of the application directory partition.
■ The server to which you are connecting. If you are using a port other than the standard LDAP ports, you must also provide the port number for the connection.

image

Using the Ldp.exe Tool

Ldp.exe is a tool that can be used to administer any LDAP directory service. To use Ldp.exe to administer an AD LDS instance, you must connect and bind to the instance and then display the hierarchy (tree) of a distinguished name of the instance:
1. To connect to an instance using LDP, open a command prompt and type Ldp.exe and then press Enter.
2. On the Connection menu, click Connect. Provide the server name and the port used for the AD LDS instance and choose whether or not to use SSL.
3. After connecting to the instance, you need to provide your credentials by binding to the instance. On the Connection menu, click Bind.
❑ To bind using the credentials that you logged on with, click Bind As Currently Logged-on User.
❑ To bind using a domain user account, click Bind With Credentials; then type the user name, password, and domain name (or the computer name if you are using a local workstation account) of the account that you are using.
❑ To bind using just a user name and password, click Simple Bind and type the user name and password of the account that you are using.
❑ To bind using an advanced method (NTLM, Distributed Password Authentication (DPA), Negotiate, or Digest), click Advanced (DIGEST). Then click Advanced, and in the Bind Options dialog box, select the desired method and set other options as needed.

4. After you have been authenticated, on the View menu, click Tree. Type or select the distinguished name for the directory partition that you want to connect to.
5. To view information about the objects in the directory partition, click the object in the left pane. Detailed information about the object is displayed in the right pane, as shown in the next figure.

image

6. To edit the object, right-click the object and select one of the options for modifying the object or adding child objects.

Using the Dsdbutil Tool

Dsdbutil is a directory service management tool that provides much of the same functionality as Ntdsutil does for AD DS. With Dsdbutil, you can:
■ Back up and perform authoritative restores of AD LDS data.
■ Move the AD LDS data files.
■ Change the AD LDS service account and port numbers.
■ List all of the AD LDS instances running on a server.

To use Dsdbutil, start the utility from a command prompt. Then connect to a specific instance by typing Activate Instance instancename. To see all of the commands available in Dsdbutil, type Help. Like Ntdsutil, Dsdbutil provides context-sensitive help, so typing Help at any command prompt will display all of the options available in that context.

Configuring Access Control

In AD LDS, each directory object has an access control list (ACL) that determines which users have access to that object. By default, ACLs are assigned only at the top of each directory partition. All objects in a given directory partition inherit these ACLs. If your application requires specific permissions to be assigned at different levels in the directory structure, you can use tools such as Dsacls and Ldp.exe to view and assign permissions. Dsacls is a command-line tool that can be used to view and modify permissions in a directory like AD LDS. Dsacls uses the following syntax:

dsacls object [/a] [/d {user | group}:permissions […]] [/g {user | group}:permissions […]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {user | group} […]] [/s [/t]]

Dsacls uses permission bits in the command to configure permissions on the object. For example, dsacls provides the generic permissions GR (Generic Read), GE (Generic Execute), GW (Generic Write), and GA (Generic All).

You can also use Ldp.exe to configure permissions on AD LDS objects. To configure permissions using LDP, complete the following steps:
1. Open Ldp.exe and then connect and bind to an AD LDS instance.
2. On the View menu, click Tree View and then select the directory partition that you are connecting to.
3. Right-click the directory partition object for which you want to modify the permissions, click Advanced, and then click Security Descriptor. The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object.

4. Click anywhere in the discretionary access control list (DACL) and then click Add ACE. Type the distinguished name of the user account and select the appropriate permissions. You can also choose to allow or deny permissions and configure permission inheritance.

image
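The permission changes described for Dsacls and for Ldp above can be scripted and then verified. This PowerShell is an added example, not from the original post; it uses the \\server:port\DN target form that dsacls accepts for an AD LDS instance, and the server, port, partition DN and principal names are placeholders.

```powershell
# Added example (not from the original post): review, grant and remove permissions on an
# AD LDS application partition with dsacls, then audit the resulting DACL through ADSI.
# Placeholder values; adjust to your instance.
$server    = 'localhost'
$port      = 50000
$dn        = 'O=Contoso,C=US'
$target    = "\\${server}:${port}\${dn}"     # dsacls target form for an AD LDS instance
$readers   = 'CONTOSO\AppReaders'           # group the application binds as
$departed  = 'CONTOSO\OldServiceAcct'       # principal that no longer needs access

# 1. Dump the current DACL (the same ACEs Ldp shows in its Security Descriptor dialog).
dsacls $target

# 2. Grant Generic Read only, inherited by this object and the whole subtree (/I:T).
#    Prefer GR/GW to GA so the application cannot rewrite the partition's own ACLs.
dsacls $target /G "${readers}:GR" /I:T

# 3. Remove every ACE held by a principal that should no longer have access.
dsacls $target /R $departed

# 4. Audit: list Allow ACEs that carry Generic All so each can be confirmed as an
#    intended administrator rather than an over-privileged application account.
$entry = [ADSI]"LDAP://${server}:${port}/${dn}"
$all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
foreach ($ace in $entry.ObjectSecurity.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        (($ace.ActiveDirectoryRights -band $all) -eq $all)) {
        Write-Warning ("GenericAll allowed for {0} on {1} (inherited: {2})" -f
            $ace.IdentityReference, $dn, $ace.IsInherited)
    }
}
```

Run as a member of the instance's AD LDS Administrators; dsacls exits non-zero if the bind or the target DN fails, so check $LASTEXITCODE between steps when automating.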

Posted in Windows 2008