Saturday, 27 August 2011

AD LDS – Synchronizing AD LDS with Active Directory

First, we will install the AD LDS Instance:

1. Create an AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard.
The Setup Wizard appears.
2. Click Next.
The Setup Options dialog box appears.
For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future.
3. Select A unique instance.
4. Click Next and the Instance Name dialog box appears.
The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in.
5. Enter a unique instance name, for example IDG.
6. Click Next to display the Ports configuration dialog box.
7. Leave ports at their default values unless you have conflicts with the default values.
8. Click Next to display the Application Directory Partition dialog box.
This is an area that was somewhat confusing for me when I first tried installing an ADAM instance. Given that I was fairly new to all things LDAP and Active Directory, I did not understand why it was important to create an application directory partition or what I should use for the partition name. The importance is providing a unique partition name that you can reference from your application via LDAP calls. If you do not create a directory partition, your instance will effectively be useless until you add one. Write the partition name down somewhere, as you will need it later in this guide.
Note: The partition name should be something unique and follow the normal distinguished name syntax. For example, I used dc=idg,dc=local. If translated to a domain name, it would be idg.local. To keep things simple, I would recommend using something that is indicative of your project and is unique to avoid naming exceptions down the line.
9. Select Yes, create an application directory partition and enter the Partition name of your choosing, for example dc=idg,dc=local.
10. Click Next to display the File Locations dialog box.
Take note that the instance name you added in step 4 is indicated in the data storage path.
11. Leave the AD LDS File locations at their default values.
12. Click Next to display the Service Account Selection dialog box.
13. Select an account to associate with ADAM:
  • Network service account if you are using AD LDS as a stand-alone instance and the end point is not a domain controller.
  • This account with its associated User name/password if you are installing AD LDS on a domain controller.
Attention: If you select Network service account, you must add the /passPrompt flag when installing the AD LDS synchronization configuration XML file. You can avoid this by selecting This account and supplying the user name and password of an administrative user.
If you select Network service account, the following warning may appear.
Click Yes to continue.
14. Click Next to select the account and display the AD LDS Administrators dialog box.
You can select “Currently logged on user” if you are currently logged on as a domain user with administrative privileges over the instance. Select “This Account” for a user account other than the user who is currently logged onto the server. Additionally, if you want to have more than one administrator for the instance, you can select a security group from Active Directory.
15. Ensure that Currently logged on user: is selected and click Next.
The Importing LDIF Files dialog box appears.
16. Select the LDIF files needed for your instance.
You should research which LDIF files would be most useful for your specific application. When setting up an instance that will be synchronized with Active Directory, I make sure to import MS-AdamSyncMetadata.LDF, MS-UserProxy.LDF and, depending upon the use case, MS-InetOrgPerson.LDF. If you want to mimic your Windows Server 2008 Active Directory schema, you should import MS-adamschemaw2k8.LDF. The latter LDF will need to be imported after the installation of your AD LDS instance has completed.
17. Select Next to display the Ready to Install dialog box.
18. Click Next to install the new AD LDS instance.
Once the installation is complete, a successful completion message appears.
19. Click Finish.
AD Schema Analyzer and AD Schema:
You must export the Active Directory schema from your domain controller and load it into your instance of AD LDS.
To export the Active Directory schema and load it into AD LDS
  1. Run the AD Schema Analyzer tool: C:\Windows\ADAM\ADSchemaAnalyzer.exe
  2. Click File -> Load target schema….
  3. Enter the details for your existing Domain Controller as shown below:
  4. Once completed, you should get a message indicating that the schema has been validated and loaded.
  5. If you get any errors, check the information that you have entered in step 3 to ensure it is correct.
  6. Next, click File -> Load base schema….
  7. Enter your AD LDS instance information to load the base schema.
  8. This is similar to step 3. In this step, however, you will perform a Simple bind as shown below.
  9. Click Tools -> Options.
  10. Select the LDIF generation tab and select the option, Update with references to new and present elements, then click OK.
  11. Click Schema -> Mark all non-present elements as included.
  12. Click File -> Create LDIF file….
  13. Enter a name and location for the ldif file to be created, then click Save.
  14. Load the ldif created in step 11 using the following command:
ldifde -i -s localhost -c "DC=X" "CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3}" -t 389 -f c:\Windows\ADAM\ADAMSync.ldif
Note: The value, CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3} is the identifier for your AD LDS instance. To get this value, you can do the following:

  1. Open a command prompt.
  2. Get the identifier of the AD LDS instance you created by running the following command: ldifde -d "" -s localhost -p base -l schemaNamingContext -f output.txt
  3. From the output.txt file, extract the value that looks like CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3} and paste it into the command above.

Synchronizing the AD LDS instance with your existing Domain Controller

You must use the AD LDS synchronizer (adamsync) to extend the AD LDS schema so that it can synchronize with your domain controller.
To synchronize the AD LDS instance with your existing Domain Controller
  1. Open a command prompt.
  2. Install the configuration file that will be used during the synchronization with your domain controller.
Use the following configuration as a template to bring users over from your domain controller as type proxyUser. Copy and paste this into your text editor of choice and save the file as <filename>.XML in the ADAM directory (C:\Windows\ADAM).
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>DomainControllerHostName</source-ad-name>
    <source-ad-partition>dc=SourceDomain,dc=SourceOrg</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=TargetDomain,dc=TargetOrg</target-dn>
    <query>
      <base-dn>dc=SourceDomain,dc=SourceOrg</base-dn>
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>userPrincipalName</include>
        <include>uid</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
The fields that must be updated in this configuration file are:
  • <source-ad-name>: set to the FQDN of your existing domain controller.
  • <source-ad-partition>: set to the base DN of your existing domain controller.
  • <target-dn>: set to the base DN for your AD LDS instance.
  • <base-dn>: set to the base DN of your existing domain controller.
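The following PowerShell script is an added example, not part of the original post: it fills the four fields listed above in a saved copy of the template, checks them before the file is handed to ADAMSync /install, and keeps the template's proxy settings intact. Every host name, DN and path in it is an assumed placeholder.

```powershell
# Added example, not from the original post. Fills the four fields named above in a
# saved copy of the template, checks them, and writes the file ADAMSync will install.
# Every host name, DN and path here is an assumed placeholder; change them to yours.
$Template        = "$env:windir\ADAM\adamsync-template.xml"  # the template saved above
$OutFile         = "$env:windir\ADAM\adamsync-config.xml"    # file passed to /install
$SourceDc        = "dc01.corp.example"                       # FQDN of the domain controller
$SourcePartition = "dc=corp,dc=example"                      # base DN of that domain
$BaseDn          = "ou=Staff,dc=corp,dc=example"             # subtree to pull users from
$TargetDn        = "dc=idg,dc=local"                         # AD LDS application partition

function Set-AdamSyncConfig {
    param($Template, $OutFile, $SourceDc, $SourcePartition, $BaseDn, $TargetDn)

    # adamsync binds to the DC by this name, so it must resolve from this host.
    try { [void][System.Net.Dns]::GetHostEntry($SourceDc) }
    catch { throw "source-ad-name '$SourceDc' does not resolve from this host" }

    # base-dn must sit inside source-ad-partition or the query returns nothing.
    if (-not $BaseDn.ToLower().EndsWith($SourcePartition.ToLower())) {
        throw "base-dn '$BaseDn' is not under source-ad-partition '$SourcePartition'"
    }

    [xml]$cfg = Get-Content -Path $Template      # throws if the template is not well-formed XML
    $c = $cfg.doc.configuration
    $c.'source-ad-name'      = $SourceDc
    $c.'source-ad-partition' = $SourcePartition
    $c.'target-dn'           = $TargetDn
    $c.query.'base-dn'       = $BaseDn

    # Keep the template's proxy settings: only person objects, created as userProxy.
    if ($c.query.'object-filter' -ne '(objectCategory=person)' -or
        $c.'user-proxy'.'target-object-class' -ne 'userProxy') {
        throw "template no longer creates userProxy objects for person entries; check it"
    }

    $cfg.Save($OutFile)
    return $OutFile
}

$written = Set-AdamSyncConfig $Template $OutFile $SourceDc $SourcePartition $BaseDn $TargetDn
Write-Host "Wrote $written. Install with: $env:windir\ADAM\ADAMSync /install localhost:<port> $written"
```

If the instance runs as Network Service, the /install command still needs the /passPrompt flag described earlier.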
  1. Install the configuration file using the following command:
C:\Windows\ADAM\ADAMSync /install localhost:<port> %windir%\ADAM\<configurationfile>.XML
The “<port>” and “<configurationfile>” variables will need to be replaced with the port you are using for your AD LDS instance as well as the name you provided when saving the ADAM Sync Config xml file.
Note: If you decided to run AD LDS under the Network Service account user, you must add the /passPrompt flag to the end of the ADAMSync command. This prompts you for your password so that the synchronization can be performed successfully.
Run the synchronization with the following command:
C:\WINDOWS\ADAM\ADAMSync /sync localhost:<port> <AD LDS Instance DN> /log <logname>.log
<port> is the port number on which your AD LDS instance is listening.
<AD LDS Instance DN> is the application directory partition you entered during the installation, for example dc=idg,dc=local.
<logname>.log is any name you choose for the log file. This file is created during the synchronization.
Note: If the synchronization completes quickly, check the log for any problems that may have occurred. Normally the synchronization takes a few minutes, depending on the size of the directory on your existing domain controller. Additionally, you must run this command every time new users are added to the domain controller. It is standard to schedule a job that runs the sync periodically.
Additional Note: The adamsync utility will, by default, halt the synchronization if a single error occurs. Normally these errors apply to objects that do not fully fit the parameters of your synchronization config file. If I experience any error, I modify my synchronization command as follows:
C:\WINDOWS\ADAM\ADAMSync /force -1 /sync localhost:<port> <AD LDS Instance DN> /log <logname>.log
The "/force" flag with a value of "-1" simply tells the synchronization to keep running in spite of any errors. Be sure to review the sync log upon completion.
After the synchronization is complete, open ADSI Edit (Start -> All Programs -> Administrative Tools -> ADSI Edit) to view the changes that have taken place. If ADSI Edit is already open, simply right-click the connection for your AD LDS instance and click Refresh. You should see all the containers and users that were synchronized from your domain controller.
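Beyond eyeballing ADSI Edit, a practitioner will want to confirm that every user in the source subtree got a userProxy with its objectSid, and that nothing stale or unsynchronized is left behind (the /force -1 run above skips objects that error out). The script below is an added example, not part of the original post; port, host names and DNs are assumed placeholders.

```powershell
# Added example, not from the original post: after ADAMSync /sync, compare the userProxy
# objects in the AD LDS partition against the user objects in the source subtree, and
# flag proxies without an objectSid (bind redirection to the domain needs that SID).
# Port, host names and DNs are assumed placeholders from the rest of this walkthrough.
$AdLdsHost = "localhost"
$AdLdsPort = 389                           # port chosen during the instance install
$TargetDn  = "dc=idg,dc=local"             # AD LDS application partition
$SourceDc  = "dc01.corp.example"           # source domain controller
$BaseDn    = "ou=Staff,dc=corp,dc=example" # base-dn used in the sync config

function Get-SidSet($Entry, $Filter) {
    # Returns a hashtable of SID string -> distinguishedName plus the DNs that have no SID.
    $s = New-Object System.DirectoryServices.DirectorySearcher($Entry, $Filter)
    $s.PageSize = 1000                     # paged search so more than 1000 results come back
    [void]$s.PropertiesToLoad.AddRange([string[]]@("objectSid", "distinguishedName"))
    $set = @{}; $missing = @()
    foreach ($r in $s.FindAll()) {
        $dn = [string]$r.Properties["distinguishedname"][0]
        if ($r.Properties["objectsid"].Count -eq 0) { $missing += $dn; continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties["objectsid"][0], 0)
        $set[$sid.Value] = $dn
    }
    return @{ Sids = $set; NoSid = $missing }
}

function Get-ProxySyncReport {
    # Source side uses the config's person filter narrowed to class user, which is what
    # the user-proxy mapping in the template turns into userProxy objects.
    $src = Get-SidSet (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SourceDc/$BaseDn")) "(&(objectCategory=person)(objectClass=user))"
    $dst = Get-SidSet (New-Object System.DirectoryServices.DirectoryEntry("LDAP://${AdLdsHost}:$AdLdsPort/$TargetDn")) "(objectClass=userProxy)"
    # Proxies whose SID is no longer in the source subtree: deleted or moved out of base-dn.
    $stale    = @($dst.Sids.Keys | Where-Object { -not $src.Sids.ContainsKey($_) } | ForEach-Object { $dst.Sids[$_] })
    # Source users with no proxy: skipped by an error, or created after the last sync.
    $unsynced = @($src.Sids.Keys | Where-Object { -not $dst.Sids.ContainsKey($_) } | ForEach-Object { $src.Sids[$_] })
    New-Object PSObject -Property @{
        SourceUsers       = $src.Sids.Count
        ProxyObjects      = $dst.Sids.Count + $dst.NoSid.Count
        ProxiesWithoutSid = $dst.NoSid
        StaleProxies      = $stale
        UnsyncedUsers     = $unsynced
    }
}

Get-ProxySyncReport | Format-List
```

Any name in UnsyncedUsers is a good starting point when reading the sync log from a /force -1 run.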

Thanks
Jagadeesh

1 comment:

jaga said...

Guys, please use the search tag to find the solution in which you are interested.

thanks
Jaga's
