AD Query1

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
Please explain how this feature is possible?

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.


- Install from Media Generation. The ability to create installation media for AD LDS by using Ntdsutil.exe or Dsdbutil.exe.
- Auditing. Auditing of changed values within the directory service.
- Database Mounting Tool. Gives you the ability to view data within snapshots of the database files.
- Active Directory Sites and Services Support. Gives you the ability to use Active Directory Sites and Services to manage the replication of the AD LDS data changes.
- Dynamic List of LDIF files. With this feature, you can associate custom LDIF files with the existing default LDIF files used for setup of AD LDS on a server.
- Recursive Linked-Attribute Queries. LDAP queries can follow nested attribute links to determine additional attribute properties, such as group memberships.

Here I cannot understand: what is LDIF? What are recursive linked-attribute queries? How does Active Directory help in the replication of the data changes? How to view the data with the snapshots of the database file? How to create the installation media? How can auditing of changed values be done, and how is it possible?

Question by: kunalclk
LVL 11

Accepted Solution

Tasmant earned 2000 total points
ID: 35082147
- Install from Media Generation: the short name is IFM. You create a backup of your ADDS or ADLDS database in order to minimize the amount of replication when you install another instance of your database (ADDS or ADLDS). Imagine a DC over a WAN link with very slow bandwidth and a very large database; you would reduce the time of the first replication. Using IFM you will just replicate the changes since the backup date.

- What are recursive linked-attribute queries: in fact, imagine a user who is a member of a group. This group can be a member of another group, and so on... Since Windows 2003 with the following patch: http://support.microsoft.com/kb/914828/en-us, you can use the LDAP_MATCHING_RULE_IN_CHAIN operator to retrieve the nested list of groups for a user.
I attach some examples:
- dsquery * -limit 0 -filter "(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=domain,DC=com)" -attr samaccountname
- dsquery * -limit 0 -filter "(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com)" -attr samaccountname
For these examples, if you have a user who is a member of a custom group, itself a member of a domain group, you will see the difference while processing the request.

- Active Directory Sites and Services is responsible for ADDS replication of the Naming Contexts (Domain, Configuration, Schema, and most of the time DomainDnsZones and ForestDnsZones). When using ADLDS, you create another Naming Context, and you can use the Active Directory Sites and Services MMC snap-in to configure the replication topology for your ADLDS instance.
Refer to this for more details: http://technet.microsoft.com/en-us/library/cc754361%28WS.10%29.aspx
You need to import some specific information into the Configuration NC of your ADLDS instance.
In the Sites and Services console, right-click on the root and select "Change Domain Controller"; you can choose the server and the port to connect to your ADLDS instance.
So as soon as you have more than one server hosting your ADLDS instance, you can use AD Sites and Services to customize the replication.

- Auditing: as with ADDS, it's important for some organizations to audit the changes made in ADDS. ADLDS works the same way. Because you use credentials to connect to ADLDS (using an ADDS account or an ADLDS account), you can audit who is responsible for a change. Some steps are required before being able to audit:
It's the same as auditing file or folder changes, but for AD (DS or LDS).

- Snapshots: Snapshots are a new feature with Windows 2008 ADDS and ADLDS. Before, the AD service couldn't be stopped, nor could snapshots be taken. Now you can schedule tasks to create snapshots with ntdsutil. This can be useful to restore objects. When you delete objects, some attributes are automatically cleaned, therefore it can be a pain to retrieve them. Now you can restore the object and compare it with the snapshot to restore the missing attributes (for example).
You will find information here:

- Dynamic List of LDIF files
LDIF files are usually used to export and/or import data into ADDS or ADLDS automatically.
The files have the extension .ldf and are used to set up ADDS, to extend the schema, to import data...
The support of a Dynamic List of LDIF files gives you a way to create your own .LDF files and store them in %systemroot%\ADAM. Therefore, as soon as you set up the ADLDS instance, your .LDF files will be read and executed as part of the setup. You can populate your ADLDS instance with plenty of objects already configured.
You will find some information here: http://support.microsoft.com/kb/237677/en-us
The syntax for LDIF files is tricky, so be careful with them, or you will get errors.
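The difference between the two dsquery filters in the accepted answer, shown as an added example (not code from the answer or from Microsoft): the plain `memberof=` filter returns only direct members, while the `1.2.840.113556.1.4.1941` matching rule walks the chain of nested `memberOf` links. The directory below is constructed in memory with made-up DNs so it runs offline; the cycle-safe walk is my own modelling of the rule, not AD's implementation.

```python
"""Nested group-membership lookup modelled on LDAP_MATCHING_RULE_IN_CHAIN
(OID 1.2.840.113556.1.4.1941). Added example with a constructed, offline
directory; all DNs and account names are made up."""
from collections import deque

# Constructed directory: object DN -> DNs listed in its memberOf attribute.
DA_DN = "CN=Domain Admins,CN=Users,DC=domain,DC=com"
TIER0_DN = "CN=Tier0 Ops,OU=Groups,DC=domain,DC=com"
HELPDESK_DN = "CN=Helpdesk,OU=Groups,DC=domain,DC=com"
LOOP_A_DN = "CN=Loop A,OU=Groups,DC=domain,DC=com"
LOOP_B_DN = "CN=Loop B,OU=Groups,DC=domain,DC=com"
ALICE_DN = "CN=alice,CN=Users,DC=domain,DC=com"
BOB_DN = "CN=bob,CN=Users,DC=domain,DC=com"
CAROL_DN = "CN=carol,CN=Users,DC=domain,DC=com"

DIRECTORY = {
    DA_DN: [],
    TIER0_DN: [DA_DN],          # Tier0 Ops is nested inside Domain Admins
    HELPDESK_DN: [TIER0_DN],    # Helpdesk is nested two levels deep
    LOOP_A_DN: [LOOP_B_DN],     # circular nesting, unrelated to Domain Admins
    LOOP_B_DN: [LOOP_A_DN],
    ALICE_DN: [DA_DN],          # direct member
    BOB_DN: [HELPDESK_DN],      # effective member only through nesting
    CAROL_DN: [LOOP_A_DN],      # not a member at all
}


def member_of_direct(directory, target_dn):
    """(memberOf=target_dn): objects whose memberOf lists the group directly."""
    return sorted(dn for dn, groups in directory.items() if target_dn in groups)


def member_of_in_chain(directory, target_dn):
    """(memberOf:1.2.840.113556.1.4.1941:=target_dn): objects that reach the
    group through any chain of nested memberOf links. 'seen' stops cycles."""
    matches = []
    for dn, groups in directory.items():
        seen, queue = set(), deque(groups)
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            if group == target_dn:
                matches.append(dn)
                break
            queue.extend(directory.get(group, []))
    return sorted(matches)
```

Note that the chained query also returns the intermediate groups (Tier0 Ops, Helpdesk), not just user accounts, which is why the dsquery examples ask for samaccountname rather than assuming every hit is a user.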
