AD Query1

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
Please explain how this feature is possible?

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

- Install from Media Generation. The ability to create installation media for AD LDS by using Ntdsutil.exe or Dsdbutil.exe.

- Auditing. Auditing of changed values within the directory service.

- Database Mounting Tool. Gives you the ability to view data within snapshots of the database files.

- Active Directory Sites and Services Support. Gives you the ability to use Active Directory Sites and Services to manage the replication of the AD LDS data changes.

- Dynamic List of LDIF files. With this feature, you can associate custom LDIF files with the existing default LDIF files used for setup of AD LDS on a server.

- Recursive Linked-Attribute Queries. LDAP queries can follow nested attribute links to determine additional attribute properties, such as group memberships.

Here I cannot understand: what is LDIF? What are recursive linked-attribute queries? How does Active Directory help in the replication of the data changes? How to view the data with the snapshots of the database file? How to create the installation media? How can auditing of changed values be done, and how is it possible?

Question by:kunalclk
Accepted Solution

Tasmant earned 2000 total points
ID: 35082147
- Install from Media Generation: the short name is IFM. You create a backup of your ADDS or ADLDS database in order to minimize the amount of replication when you install another instance of your database (ADDS or ADLDS). Imagine a DC over a WAN link with very slow bandwidth and a very large database: you would reduce the time to replicate the first time. Using IFM you will just replicate the changes since the backup date.

- What are recursive linked-attribute queries: in fact, imagine a user who is a member of a group. This group can be a member of another group, and so on... Since Windows 2003 with the following patch: http://support.microsoft.com/kb/914828/en-us, you can use the LDAP_MATCHING_RULE_IN_CHAIN operator to retrieve the nested list of groups for a user.
I give you some examples (the filter must be wrapped in parentheses for dsquery to parse it):
- dsquery * -limit 0 -filter "(&(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=domain,DC=com))" -attr samaccountname
- dsquery * -limit 0 -filter "(&(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com))" -attr samaccountname
For these examples, if you have a user who is a member of a custom group, itself a member of the domain group, you will see the difference while processing the request.

- Active Directory Sites and Services is responsible for ADDS replication of the Naming Contexts (Domain, Configuration, Schema, and most of the time DomainDnsZones and ForestDnsZones). When using ADLDS, you create another Naming Context, and you can use the Active Directory Sites and Services MMC snap-in to configure the replication topology for your ADLDS instance.
Refer to this for more details: http://technet.microsoft.com/en-us/library/cc754361%28WS.10%29.aspx
You need to import some specific information into the Configuration NC of your ADLDS instance.
In the Sites and Services console, right-click on the root and select "Change Domain Controller"; you can choose the server and the port to connect to your ADLDS instance.
So as soon as you have more than one server hosting your ADLDS instance, you can use AD Sites and Services to customize the replication.

- Auditing: as with ADDS, it's important for some organizations to audit the changes done in ADDS. ADLDS works the same way. Because you use credentials to connect to ADLDS (using an ADDS account or an ADLDS account), you can audit who is responsible for a change. Some steps are required before being able to audit:
It's the same as auditing file or folder changes, but for AD (DS or LDS).

- Snapshots: snapshots are a new feature with Windows 2008 ADDS and ADLDS. Before, the AD service couldn't be stopped, nor could snapshots be taken. Now you can schedule tasks to create snapshots with ntdsutil. This can be useful to restore objects. When you delete objects, some attributes are automatically cleaned. Therefore it can be a pain to retrieve them. Now you can restore the object and compare it with the snapshot to restore the missing attributes (for example).
You will find information here:

- Dynamic List of LDIF files:
LDIF files are usually used to export and/or import data into ADDS or ADLDS automatically.
The files have the extension .ldf and are used to set up ADDS, to extend the schema, to import data...
Support for a dynamic list of LDIF files gives you a way to create your own .LDF files and store them in %systemroot%\ADAM. Therefore, as soon as you set up the ADLDS instance, your .LDF files will be read and executed as part of the setup. You can populate your ADLDS instance with plenty of objects already configured.
You will find some information here: http://support.microsoft.com/kb/237677/en-us
The syntax for LDIF files is tricky, so be careful with them, else you will get errors.
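The nested-group difference described in the answer above, as an added example that is not part of the original post: a small in-memory model of how a plain `memberOf=` filter differs from one using the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941). The directory entries, user names and group DNs are constructed sample data.

```python
# Added example: models a memberOf filter with and without the in-chain OID
# over a constructed sample directory (not an LDAP client, no server needed).
from collections import deque

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample directory: DN -> attributes; memberOf lists direct parents only.
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=domain,DC=com": {"memberOf": []},
    "CN=Custom Admins,OU=Groups,DC=domain,DC=com": {
        "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]},
    "CN=alice,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]},
    "CN=bob,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Custom Admins,OU=Groups,DC=domain,DC=com"]},
}

def transitive_memberof(dn, directory):
    """Follow memberOf links recursively; returns every group reachable from dn."""
    seen, queue = set(), deque(directory[dn].get("memberOf", []))
    while queue:
        group = queue.popleft()
        if group in seen:          # guard against cyclic group nesting
            continue
        seen.add(group)
        queue.extend(directory.get(group, {}).get("memberOf", []))
    return seen

def parse_memberof_filter(filter_str):
    """Accepts '(memberOf=DN)' or '(memberOf:OID:=DN)', optionally wrapped in (&(...))."""
    body = filter_str.strip()
    if body.startswith("(&(") and body.endswith("))"):
        body = body[2:-1]          # unwrap a single-clause AND, as in the dsquery examples
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("filter must be parenthesised")
    attr, _, value = body[1:-1].partition("=")   # first '=' ends the attribute part
    attr = attr.lower()
    if attr == "memberof":
        return False, value
    if attr == f"memberof:{IN_CHAIN_OID}:":
        return True, value
    raise ValueError(f"unsupported filter: {filter_str}")

def query(filter_str, directory=DIRECTORY):
    """Return the sAMAccountName of every user entry matching the memberOf filter."""
    recursive, group_dn = parse_memberof_filter(filter_str)
    hits = []
    for dn, attrs in directory.items():
        groups = transitive_memberof(dn, directory) if recursive else set(attrs.get("memberOf", []))
        if group_dn in groups and "sAMAccountName" in attrs:
            hits.append(attrs["sAMAccountName"])
    return sorted(hits)
```

Only the in-chain filter returns bob, whose Domain Admins membership comes through the nested Custom Admins group; the plain filter sees alice alone.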
