

AD Query1

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
Please explain how this feature is possible?

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

- Install from Media Generation. The ability to create installation media for AD LDS by using Ntdsutil.exe or Dsdbutil.exe.
- Auditing. Auditing of changed values within the directory service.
- Database Mounting Tool. Gives you the ability to view data within snapshots of the database files.
- Active Directory Sites and Services Support. Gives you the ability to use Active Directory Sites and Services to manage the replication of the AD LDS data changes.
- Dynamic List of LDIF files. With this feature, you can associate custom LDIF files with the existing default LDIF files used for setup of AD LDS on a server.
- Recursive Linked-Attribute Queries. LDAP queries can follow nested attribute links to determine additional attribute properties, such as group memberships.

Here I cannot understand: what is LDIF? What are recursive linked-attribute queries? How does Active Directory help in the replication of the data changes? How to view the data with the snapshots of the database file? How to create the installation media? How can auditing of changed values be done, and how is it possible?

Question by:kunalclk

Accepted Solution

Tasmant earned 2000 total points
ID: 35082147
- Install from Media Generation: the short name is IFM. You create a backup of your ADDS or ADLDS database in order to minimize the amount of replication when you install another instance of your database (ADDS or ADLDS). Imagine a DC over a WAN link with very slow bandwidth and a very large database; you would reduce the time to replicate the first time. Using IFM you will just replicate the changes since the backup date.

- What are recursive linked-attribute queries: in fact, imagine a user member of a group. This group can be a member of another group, and so on ... Since Windows 2003 with the following patch:, you can use the LDAP_MATCHING_RULE_IN_CHAIN operator to retrieve the nested list of groups for a user.
I attach some examples:
- dsquery * -limit 0 -filter "(&(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=domain,DC=com))" -attr samaccountname
- dsquery * -limit 0 -filter "(&(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com))" -attr samaccountname
For these examples, if you have a user member of a custom group, itself a member of the Domain Admins group, you will see the difference while processing the request.

- Active Directory Sites and Services is responsible for ADDS replicating the Naming Contexts (Domain, Configuration, Schema, and most of the time DomainDnsZones and ForestDnsZones). When using ADLDS, you create another Naming Context, and you can use the Active Directory Sites and Services MMC snap-in to configure the replication topology for your ADLDS instance.
Refer to this for more details:
You need to import some specific information in the Configuration NC of your ADLDS instance.
In the Sites and Services console, right-click on the root and select "Change Domain Controller"; you can choose the server and the port to connect to your ADLDS instance.
So as soon as you have more than one server hosting your ADLDS instance, you can use AD Sites and Services to customize the replication.

- Auditing: as with ADDS, it's important for some organizations to audit the changes done in ADDS. ADLDS uses the same way. Because you use credentials to connect to ADLDS (using an ADDS account or an ADLDS account), you can audit who is responsible for a change. Some steps are required before being able to audit:
It's the same as auditing file or folder changes, but for AD (DS or LDS).

- Snapshots: snapshots are a new feature with Windows 2008 ADDS and ADLDS. Before, the AD service couldn't be stopped, nor could snapshots be taken. Now you can schedule tasks to create snapshots with ntdsutil. This can be useful to restore objects. When you delete objects, some attributes are automatically cleaned. Therefore it can be a pain to retrieve them. Now you can restore the object and compare it with the snapshot to restore the missing attributes (for example).
You will find information here:

- Dynamic List of LDIF files
LDIF files are usually used to export and/or import data into ADDS or ADLDS automatically.
The files have the extension .ldf and are used to set up ADDS, to extend the schema, to import data ...
The support of Dynamic List of LDIF files brings you the way to create your own .LDF files and store them in %systemroot%\ADAM. Therefore, as soon as you set up the ADLDS instance, your .LDF files will be read and executed as part of the setup. You can populate your ADLDS instance with plenty of objects already configured.
You will find some information here:
The syntax for LDIF files is tricky, so be careful with them, else you will get errors.
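
The difference between the two dsquery lines in the accepted answer (plain memberof versus memberof with the LDAP_MATCHING_RULE_IN_CHAIN OID) can be reproduced offline. The following is an added example, not code from the original post or from Microsoft: the directory in SAMPLE_DIRECTORY is constructed sample data with an invented nesting chain (and one deliberate circular nesting), the graph walk only mirrors what the server evaluates for the chained filter, and build_filter / dsquery_command simply assemble the filter strings used above.

```python
"""Direct vs. chained (recursive) memberOf evaluation.

Added example: SAMPLE_DIRECTORY is constructed data, not a real domain, and
transitive_members() only mirrors what the server does when a filter uses
the LDAP_MATCHING_RULE_IN_CHAIN OID; it is not Microsoft's implementation.
"""
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=domain,DC=com"

# Constructed sample directory: object DN -> values of its memberOf attribute.
# Helpdesk sits two levels below Domain Admins, and Domain Admins is
# (deliberately) nested back into Helpdesk to exercise circular nesting.
SAMPLE_DIRECTORY = {
    "CN=alice,CN=Users,DC=domain,DC=com": ["CN=Helpdesk,OU=Groups,DC=domain,DC=com"],
    "CN=bob,CN=Users,DC=domain,DC=com": [DOMAIN_ADMINS],
    "CN=carol,CN=Users,DC=domain,DC=com": ["CN=Sales,OU=Groups,DC=domain,DC=com"],
    "CN=Helpdesk,OU=Groups,DC=domain,DC=com": ["CN=Server Operators,OU=Groups,DC=domain,DC=com"],
    "CN=Server Operators,OU=Groups,DC=domain,DC=com": [DOMAIN_ADMINS],
    DOMAIN_ADMINS: ["CN=Helpdesk,OU=Groups,DC=domain,DC=com"],
    "CN=Sales,OU=Groups,DC=domain,DC=com": [],
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(group_dn, recursive):
    """Filter string for the plain or the chained memberOf query."""
    attr = "memberOf"
    if recursive:
        attr += ":" + LDAP_MATCHING_RULE_IN_CHAIN + ":"
    return "(&(%s=%s))" % (attr, escape_filter_value(group_dn))


def dsquery_command(group_dn, recursive):
    """The dsquery line equivalent to the filter, as in the answer above."""
    return 'dsquery * -limit 0 -filter "%s" -attr samaccountname' % build_filter(group_dn, recursive)


def direct_members(directory, group_dn):
    """Objects whose memberOf lists group_dn itself: what the plain filter returns."""
    return sorted(dn for dn, groups in directory.items() if group_dn in groups)


def transitive_members(directory, group_dn):
    """Objects whose memberOf chain reaches group_dn at any depth: what the
    chained filter returns.  The seen set stops the walk on circular nesting."""
    members_of = {}  # reverse index: group DN -> objects that list it in memberOf
    for dn, groups in directory.items():
        for group in groups:
            members_of.setdefault(group, []).append(dn)
    seen = {group_dn}
    queue = deque([group_dn])
    found = []
    while queue:
        for member in members_of.get(queue.popleft(), []):
            if member not in seen:
                seen.add(member)
                found.append(member)
                queue.append(member)
    return sorted(found)


if __name__ == "__main__":
    for recursive in (False, True):
        print(dsquery_command(DOMAIN_ADMINS, recursive))
        lookup = transitive_members if recursive else direct_members
        for dn in lookup(SAMPLE_DIRECTORY, DOMAIN_ADMINS):
            print("   ", dn)
```

With the sample data, alice never appears in the plain memberof query but does appear in the chained one (alice is in Helpdesk, Helpdesk is in Server Operators, Server Operators is in Domain Admins). That gap is exactly what an access review of "who is effectively a Domain Admin" has to close, which is why the chained query is the one to use for auditing nested privilege.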

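The answer closes by warning that LDIF syntax is tricky. The reader below is an added example, not from the original post or from Microsoft's tooling: it implements the parts of the .ldf format that most often cause import errors (comments, line folding where a continuation line starts with a single space, base64 values introduced by "::", and blank-line record separation) and reports the first syntax error it finds. SAMPLE_LDIF and BROKEN_LDIF are constructed sample content; URL-valued attributes (":<") are deliberately left out.

```python
"""Minimal LDIF (.ldf) reader covering the parts that usually go wrong.

Added example, not from the original post or from Microsoft: it handles
comments, line folding, base64 values ("::") and record separation, and
reports the first syntax error.  SAMPLE_LDIF and BROKEN_LDIF are constructed.
"""
import base64

SAMPLE_LDIF = """\
# Constructed sample content, not taken from any real AD LDS setup
dn: CN=svc-app,CN=Users,DC=domain,DC=com
changetype: add
objectClass: user
cn: svc-app
description: This long description is folded
  across two physical lines
displayName:: c3ZjLWFwcCDDqQ==

dn: CN=App Admins,OU=Groups,DC=domain,DC=com
changetype: add
objectClass: group
member: CN=svc-app,CN=Users,DC=domain,DC=com
"""

# Constructed: the second attribute line has no ':' separator.
BROKEN_LDIF = """\
dn: CN=broken,CN=Users,DC=domain,DC=com
changetype add
"""


def unfold(text):
    """Join continuation lines (leading single space) onto the line they continue."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not logical:
                raise ValueError("continuation line with nothing to continue")
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return a list of {'dn': ..., 'attrs': {name: [values]}} records."""
    records, current = [], None
    for line in unfold(text) + [""]:  # the trailing "" closes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("missing ':' in line %r" % line)
        if rest.startswith(":"):
            # "attr:: <base64>" carries a value that is not safe as plain text
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL values (':<') are not handled in this example")
        else:
            value = rest.lstrip(" ")
        if current is None:
            if name.lower() != "dn":
                raise ValueError("record must start with 'dn:', got %r" % name)
            current = {"dn": value, "attrs": {}}
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def check_ldif(text):
    """None when the text parses cleanly, otherwise the error message."""
    try:
        parse_ldif(text)
    except (ValueError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for record in parse_ldif(SAMPLE_LDIF):
        print(record["dn"], record["attrs"].get("changetype"))
    print("broken sample:", check_ldif(BROKEN_LDIF))
```

Running a check like this over custom .ldf files before dropping them into %systemroot%\ADAM catches the folding and separator mistakes at review time rather than during instance setup, where a failed import is far harder to diagnose.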
Author Comment

ID: 35174079

Author Closing Comment

ID: 35174087
