Configuring Active Directory Lightweight Directory Services in Server 2022
Posted on 17th June 2023
Introduction
In Server 2022, Active Directory Lightweight Directory Services (AD LDS) is a new role service. AD LDS provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). You can run multiple AD LDS instances on a single server, each with its own configuration set and data store.
Configuring AD LDS
To use AD LDS, you must first install and configure the AD LDS server role. To install the AD LDS server role, use the following procedure.
- Log on to the computer on which you want to install AD LDS as a member of the Domain Admins group or the Enterprise Admins group.
- Click Start, point to Administrative Tools, and then click Server Manager.
- In the left pane, expand Roles, and then click Add Roles.
- On the Before you begin page, click Next.
- On the Select Server Roles page, select the Active Directory Lightweight Directory Services check box, and then click Next.
- On the Active Directory Lightweight Directory Services page, click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
After you have installed the AD LDS server role, you can configure AD LDS by using either the Active Directory Lightweight Directory Services Setup Wizard or Ldp.exe.
Configuring AD LDS by Using the Active Directory Lightweight Directory Services Setup Wizard
You can use the Active Directory Lightweight Directory Services Setup Wizard to configure an AD LDS instance. To use the Active Directory Lightweight Directory Services Setup Wizard, use the following procedure.
- Log on to the computer on which you installed the AD LDS server role as a member of the Domain Admins group or the Enterprise Admins group.
- Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
- On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
- On the Select a Deployment Configuration page, click Create a new instance of Active Directory Lightweight Directory Services, and then click Next.
- On the Set Up Instance Identifier page, in Instance name, type a name for the AD LDS instance, and then click Next.
- On the Select service accounts page, in Service account, click Network Service, and then click Next.
- On the Specify ports page, in LDAP TCP/IP Port, type 389, and then click Next.
- On the Choose a replication partner page, click This instance will not be replicated, and then click Next.
- On the Summary page, click Next.
- On the Completing the Active Directory Lightweight Directory Services Setup Wizard page, click Finish.
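The role installation and the wizard steps above can also be scripted. The following PowerShell is an added example, not code from the original article: it installs the ADLDS role with Install-WindowsFeature and then creates the instance unattended with adaminstall.exe and an answer file whose keys mirror the wizard pages. The instance name, partition DN and data path are assumed values; it assumes an elevated session and that adaminstall.exe exits with 0 on success.

```powershell
# Added example (not part of the original article): scripted equivalent of the
# "Add Roles" and Setup Wizard procedures above. Instance name, partition DN
# and data path are assumed; run from an elevated PowerShell session.

$InstanceName = 'AppDirectory'          # assumed instance name
$LdapPort     = 389                     # same LDAP port as the wizard step
$SslPort      = 636                     # LDAPS port; usable once a server certificate is installed
$PartitionDN  = 'DC=app,DC=example'     # assumed application partition to create
$DataPath     = "C:\Program Files\Microsoft ADAM\$InstanceName\data"

# 1. Install the AD LDS role (Server Manager "Add Roles" steps).
$feature = Install-WindowsFeature -Name ADLDS -IncludeManagementTools
if (-not $feature.Success) { throw 'ADLDS role installation failed' }

# 2. Answer file for adaminstall.exe. ServiceAccount is omitted, so the
#    instance runs as Network Service, as in the wizard step above, and the
#    account running this script becomes the instance administrator.
$AnswerFile = Join-Path $env:TEMP 'adlds-answer.txt'
@"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate=$PartitionDN
DataFilesPath=$DataPath
LogFilesPath=$DataPath
Administrator=$env:USERDOMAIN\$env:USERNAME
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF"
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# 3. Run the installer unattended (no replication partner: a unique instance).
$proc = Start-Process -FilePath "$env:SystemRoot\ADAM\adaminstall.exe" `
    -ArgumentList "/answer:`"$AnswerFile`"" -Wait -PassThru
Remove-Item $AnswerFile
if ($proc.ExitCode -ne 0) { throw "adaminstall.exe exited with $($proc.ExitCode)" }

# 4. Verify: every AD LDS instance runs as the service ADAM_<InstanceName>
#    and answers LDAP queries on its configured port.
Get-Service -Name "ADAM_$InstanceName" | Select-Object Name, Status
Get-ADRootDSE -Server "localhost:$LdapPort" |
    Select-Object dnsHostName, configurationNamingContext, supportedLDAPVersion
```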
Configuring AD LDS by Using Ldp.exe
You can use Ldp.exe to configure an AD LDS instance. Ldp.exe is a standard LDAPv3 client that is included in Windows Server. To use Ldp.exe to configure an AD LDS instance, use the following procedure.
- Log on to the computer on which you installed the AD LDS server role as a member of the Domain Admins group or the Enterprise Admins group.
- Click Start, click Run, type cmd in the Open box, and then click OK.
- At the command prompt, type the following command, and then press ENTER:

    ldifde -i -f ms-adam-schema.ldf -s localhost:389 -b "cn=Schema,cn=Configuration,dc=X" -j . -c DC=X "cn={21D12FEC-3AEF-4B15-A644-B3CA0E8C884A}"

- At the command prompt, type quit, and then press ENTER.
Conclusion
In this article, you learned about Active Directory Lightweight Directory Services (AD LDS), how to install and configure AD LDS, and how to use Ldp.exe to configure an AD LDS instance.
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is a Lightweight Directory Access Protocol (LDAP) directory service that provides a flexible means of storing and managing directory data without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS runs as a service on Microsoft Windows Server and is available in all server editions.
AD LDS shares many of the same features as AD DS, including support for multiple partitions, an extensible schema, and an identical management console. AD LDS does not, however, require the creation of domains or domain controllers.
Installing AD LDS is a two-step process. First, you must install the AD LDS server role, and then you must create an AD LDS instance.
To install the AD LDS server role
1. Open Server Manager.
2. On the Dashboard, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, select Role-based or feature-based installation, and then click Next.
5. On the Select destination server page, select a server from the server pool, and then click Next.
6. On the Select server roles page, expand Active Directory Lightweight Directory Services, and then select the check box next to AD LDS. Click Next.
7. On the Features page, click Next.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, wait for the installation to complete, and then click Close.
Creating an AD LDS instance
After you install the AD LDS server role, you can create one or more AD LDS instances on the computer. You can create AD LDS instances by using the Active Directory Lightweight Directory Services Setup Wizard or by using Ldp.exe.
To create an AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard
1. Open Server Manager.
2. Click Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
3. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
4. On the Select a Deployment Configuration page, select the Create a new instance of Active Directory Lightweight Directory Services check box, and then click Next.
5. On the Set Up Instance Identifier page, type a name for the AD LDS instance, and then click Next.
6. On the Set Up Service Accounts page, click Next.
7. On the Specify Ports page, click Next.
8. On the Review Options page, click Next.
9. On the Confirm Installation Selections page, click Install.
10. On the Completing the Active Directory Lightweight Directory Services Setup Wizard page, click Finish.
Configuring AD LDS security
After you install AD LDS, you must configure security for the AD LDS instance and for the AD LDS application partitions that you plan to create. You configure AD LDS security by using the Active Directory Users and Computers snap-in, the Ldp.exe tool, or a script.
Configuring AD LDS instance security
An AD LDS instance has a single security principal, the AD LDS instance administrator, who is responsible for managing the AD LDS configuration set and the AD LDS schema. The AD LDS instance administrator account is not a member of the Administrators group. By default, only the AD LDS instance administrator has permissions to access the AD LDS configuration set.
To add AD LDS administrators
1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, expand the AD LDS instance for which you want to add administrators.
3. Right-click the Users container, and then click New User.
4. In the New Object – User dialog box, type the user name, and then click Next.
5. Type and confirm the password, and then click Next.
6. Click Finish.
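The same result, an account that can administer an application partition, can be produced with ldifde, the tool the article uses for schema import, instead of the snap-in. This PowerShell is an added example, not code from the original article: it creates a user object in the partition and adds it to the partition's built-in CN=Administrators role. The partition DN, port and account name are assumed, and it assumes MS-User.LDF was imported into the instance so that the user class exists.

```powershell
# Added example (not part of the original article): grant partition
# administration to a new AD LDS user with ldifde. Partition DN, port and
# account name are assumed; MS-User.LDF must already be imported.

$Server      = 'localhost:389'                 # LDAP port chosen in the wizard
$PartitionDN = 'DC=app,DC=example'             # assumed application partition
$UserDN      = "CN=appadmin,$PartitionDN"      # assumed account name

# LDIF: create the user, then add it to the partition's Administrators role.
# Each AD LDS partition carries CN=Roles with Administrators, Readers and Users.
# A user created without a password stays disabled (msDS-UserAccountDisabled)
# until a password is set over a protected channel such as LDAPS.
$Ldif = Join-Path $env:TEMP 'adlds-admin.ldf'
@"
dn: $UserDN
changetype: add
objectClass: user
cn: appadmin

dn: CN=Administrators,CN=Roles,$PartitionDN
changetype: modify
add: member
member: $UserDN
-
"@ | Set-Content -Path $Ldif -Encoding ASCII

# Import runs as the current Windows account, which must be an instance
# administrator (the account that created the instance is one by default).
& ldifde -i -f $Ldif -s $Server
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with code $LASTEXITCODE" }
Remove-Item $Ldif

# Verify the role membership by exporting only the member attribute.
$Out = Join-Path $env:TEMP 'adlds-admins.ldf'
& ldifde -f $Out -s $Server -d "CN=Administrators,CN=Roles,$PartitionDN" -l member
Get-Content $Out | Where-Object { $_ -like 'member:*' }
Remove-Item $Out
```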
Configuring AD LDS application partitions
After you install an AD LDS instance, you can create one or more AD LDS application partitions. You can create AD LDS application partitions by using the Active Directory Sites and Services snap-in, the Ldp.exe tool, or a script.
An AD LDS application partition is a directory partition that stores AD LDS data and that can be replicated to other AD LDS servers. By default, all AD LDS servers have a built-in application partition, the schema partition, which contains the AD LDS schema.
To create an AD LDS application partition
1. Open the Active Directory Sites and Services snap-in.
2. In the console tree, expand the site in which you want to create the application partition.
3. Expand the AD LDS server for which you want to create the application partition.
4. Right-click Application Partitions, and then click New Application Partition.
5. In the New Object – Application Partition dialog box, type the fully qualified domain name (FQDN) of the application partition, and then click OK.