AD LDS 101 – Part 3 – Synchronizing AD LDS with Active Directory

by Doug on June 24, 2010

in Active Directory,AD LDS,ADAM,LDAP,Schema

Using my previous post in this series as a launchpad, I will now provide you with a step-by-step guide on synchronizing your AD LDS instance with Active Directory. This guide will walk you through a number of similar steps in the aforementioned post, but will outline necessary differences that will be required for this type of instance.

First, we will install the AD LDS Instance:

1. Create an AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard.

The Setup Wizard appears.

[Screenshot: ADLDS_Wiz_Start_1.jpg]

2. Click Next.

The Setup Options dialog box appears.

[Screenshot: ADLDS_Wiz_Start_2.jpg]

For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future.

3. Select A unique instance.

4. Click Next and the Instance Name dialog box appears.

[Screenshot: ADLDS_Wiz_Start_3.jpg]

The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in.

5. Enter a unique instance name, for example IDG.

6. Click Next to display the Ports configuration dialog box.

[Screenshot: ADLDS_Wiz_Start_4.jpg]

7. Leave ports at their default values unless you have conflicts with the default values.

8. Click Next to display the Application Directory Partition dialog box.

[Screenshot: ADLDS_Wiz_Start_5.jpg]

This is an area that was somewhat confusing for me when I first tried installing an ADAM instance. Given that I was fairly new to all things LDAP and Active Directory, I did not understand why it was important to create an application directory partition or what I should use for the partition name. The point is to provide a unique partition name that your application can target in its LDAP calls. If you do not create a directory partition, your instance will effectively be useless until you add one. Write the partition name down somewhere, as you will need it later on in this guide.

Note: The partition name should be something unique and follow the normal distinguished name syntax. For example, I used dc=idg,dc=local. If translated to a domain name, it would be idg.local. To keep things simple, I would recommend using something that is indicative of your project and is unique to avoid naming exceptions down the line.

9. Select Yes, create an application directory partition and enter the Partition name of your choosing, for example dc=idg,dc=local.

10. Click Next to display the File Locations dialog box.

[Screenshot: ADLDS_Wiz_Start_10.jpg]

Take note that the instance name you added in step 4 is indicated in the data storage path.

11. Leave the AD LDS File locations at their default values.

12. Click Next to display the Service Account Selection dialog box.

[Screenshot: ADLDS_Wiz_Start_6.jpg]

13. Select an account to associate with ADAM:

  • Network service account if you are using AD LDS as a stand-alone instance and the end point is not a domain controller.
  • This account with its associated User name/password if you are installing AD LDS on a domain controller.

Attention: If you select Network service account, you must add the /passPrompt flag when installing the AD LDS synchronization configuration XML file. You can avoid this by selecting This account and supplying the user name and password of an administrative user.

If you select Network service account, the following warning may appear.

Click Yes to continue.

14. Click Next to select the account and display the AD LDS Administrators dialog box.

[Screenshot: ADLDS_Wiz_Start_7.jpg]

You can select “Currently logged on user” if you are currently logged on as a domain user with administrative privileges over the instance. Select “This Account” for a user account other than the user who is currently logged onto the server. Additionally, if you want to have more than one administrator for the instance, you can select a security group from Active Directory.

15. Ensure that Currently logged on user: is selected and click Next.

The Importing LDIF Files dialog box appears.

[Screenshot: ADLDS_Wiz_Start_8.jpg]

16. Select the LDIF files needed for your instance.

You should research which LDIF files would be most useful for your specific application. When setting up an instance that will be synchronized with Active Directory, I make sure to import MS-AdamSyncMetadata.LDF, MS-UserProxy.LDF and, depending upon the use case, MS-InetOrgPerson.LDF. If you want to mimic your 2008 Active Directory schema, you should import MS-adamschemaw2k8.LDF. The latter LDF will need to be imported after the installation of your AD LDS instance has completed.

17. Select Next to display the Ready to Install dialog box.

[Screenshot: ADLDS_Wiz_Start_9.jpg]

18. Click Next to install the new AD LDS instance.

Once the installation is complete, a successful completion message appears.

19. Click Finish.

AD Schema Analyzer and AD Schema:

You must export the Active Directory schema from your domain controller and load it into your instance of AD LDS.

To export the Active Directory schema and load it into AD LDS
  1. Run the AD Schema Analyzer tool: C:\Windows\ADAM\ADSchemaAnalyzer.exe
  2. Click File -> Load target schema….
  3. Enter the details for your existing Domain Controller as shown below:
  4. Once completed, you should get a message indicating that the schema has been validated and loaded.
  5. If you get any errors, check the information that you have entered in step 3 to ensure it is correct.
  6. Next, click File -> Load base schema….
  7. Enter your AD LDS instance information to load the base schema.
  8. This is similar to step 3. In this step, however, you will perform a Simple bind as shown below.
  9. Click Tools -> Options.
  10. Select the LDIF generation tab and select the option, Update with references to new and present elements, then click OK.
  11. Click Schema -> Mark all non-present elements as included.
  12. Click File -> Create LDIF file….
  13. Choose a name and location for the ldif file to be created, then click Save.
  14. Load the ldif created in step 11 using the following command:

ldifde -i -s localhost -c "DC=X" "CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3}" -t 389 -f c:\Windows\ADAM\ADAMSync.ldif

Note: The value, CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3} is the identifier for your AD LDS instance. To get this value, you can do the following:

  1. Open a command prompt.
  2. Get the identifier of the AD LDS instance you created by running the following command: ldifde -d "" -s localhost -p base -l schemaNamingContext -f output.txt
  3. From the output.txt file above, extract the value that is similar to CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3} and paste it into the command above.
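As an added example (not part of the original post), the following Python helper pulls the instance's CN={GUID} out of the output.txt written in step 2 and assembles the ldifde import command from above. It unfolds LDIF continuation lines first, which the LDIF format allows for long values; the sample output is constructed and reuses the GUID quoted in the post.

```python
import re

# GUID-shaped RDN of an AD LDS instance, as it appears in schemaNamingContext.
INSTANCE_RE = re.compile(r"CN=\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (a leading space) back onto their value line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_instance_cn(ldifde_output: str) -> str:
    """Return the CN={GUID} of the instance from the output.txt written in step 2.

    Only the schemaNamingContext value is inspected, so a GUID appearing
    anywhere else in the file cannot be mistaken for the instance identifier.
    """
    for line in unfold_ldif(ldifde_output):
        if line.lower().startswith("schemanamingcontext:"):
            match = INSTANCE_RE.search(line)
            if match:
                return match.group(0)
    raise ValueError("no schemaNamingContext value with an instance GUID found")


def build_ldifde_import(instance_cn: str, port: int = 389,
                        ldif_path: str = r"c:\Windows\ADAM\ADAMSync.ldif") -> str:
    """Assemble the ldifde import command from the post with DC=X replaced."""
    return (f'ldifde -i -s localhost -c "DC=X" "{instance_cn}" '
            f"-t {port} -f {ldif_path}")


# Constructed output.txt (folded onto two lines); the GUID is the post's example value.
SAMPLE_OUTPUT = """dn:
changetype: add
schemaNamingContext: CN=Schema,CN=Configuration,
 CN={04BBF6D6-D561-4CFD-AD99-2E72825573A3}
"""

if __name__ == "__main__":
    print(build_ldifde_import(extract_instance_cn(SAMPLE_OUTPUT)))
```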

Synchronizing the AD LDS instance with your existing Domain Controller

You must use the AD LDS synchronizer (adamsync) to extend the AD LDS schema so that it can synchronize with your domain controller.

To synchronize the AD LDS instance with your existing Domain Controller
  1. Open a command prompt.
  2. Install the configuration file that will be used during the synchronization with your domain controller.

Use the following configuration as a template to bring users over from your domain controller as type userProxy. Copy and paste this into your text editor of choice and save the file as <filename>.XML in the ADAM directory (C:\Windows\ADAM).

<?xml version="1.0"?>
<doc>
  <configuration>
    <description>sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>DomainControllerHostName</source-ad-name>
    <source-ad-partition>dc=SourceDomain,dc=SourceOrg</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=TargetDomain,dc=TargetOrg</target-dn>
    <query>
      <base-dn>dc=SourceDomain,dc=SourceOrg</base-dn>
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>userPrincipalName</include>
        <include>uid</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>

The fields that must be updated in this configuration file are:

<source-ad-name>

Set to the FQDN of your existing domain controller.

<source-ad-partition>

Set to the base DN of your existing domain controller.

<target-dn>

Set to the base DN for your AD LDS instance.

<base-dn>

Set to the base DN of your existing domain controller.
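Before running /install it is worth confirming that none of these four fields was left at its template value, since a template value or a mistyped DN is the usual reason a first sync fails. The checker below is an added example, not part of the post or of adamsync; the host name dc01.corp.example.local and the DNs in the constructed sample are made up.

```python
import re
import xml.etree.ElementTree as ET

# Values from the template in the post; a file still holding them was never edited.
TEMPLATE_PLACEHOLDERS = {
    "source-ad-name": "DomainControllerHostName",
    "source-ad-partition": "dc=SourceDomain,dc=SourceOrg",
    "target-dn": "dc=TargetDomain,dc=TargetOrg",
    "query/base-dn": "dc=SourceDomain,dc=SourceOrg",
}
# Loose DN shape: attr=value pairs separated by commas (enough to catch typos).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

def check_adamsync_config(xml_text: str) -> list:
    """Return problems found in the four fields the post says must be edited.

    Each must be present, not left at its template value and (except the
    host name) DN-shaped; base-dn must also lie within source-ad-partition.
    """
    cfg = ET.fromstring(xml_text).find("configuration")
    if cfg is None:
        return ["missing <configuration> element"]
    problems, values = [], {}
    for path, placeholder in TEMPLATE_PLACEHOLDERS.items():
        tag = path.split("/")[-1]
        node = cfg.find(path)
        text = (node.text or "").strip() if node is not None else ""
        values[path] = text.lower()
        if not text:
            problems.append(f"<{tag}> is empty")
        elif text.lower() == placeholder.lower():
            problems.append(f"<{tag}> still holds the template value {placeholder!r}")
        elif tag != "source-ad-name" and not DN_RE.match(text):
            problems.append(f"<{tag}> is not a distinguished name: {text!r}")
    src, base = values["source-ad-partition"], values["query/base-dn"]
    if src and base and not base.endswith(src):
        problems.append("<base-dn> must lie within <source-ad-partition>")
    return problems

# Constructed configs in the post's template layout; host and DNs are made up.
TEMPLATE = """<?xml version="1.0"?><doc><configuration>
<source-ad-name>DomainControllerHostName</source-ad-name>
<source-ad-partition>dc=SourceDomain,dc=SourceOrg</source-ad-partition>
<target-dn>dc=TargetDomain,dc=TargetOrg</target-dn>
<query><base-dn>dc=SourceDomain,dc=SourceOrg</base-dn></query>
</configuration></doc>"""
FILLED = (TEMPLATE.replace("DomainControllerHostName", "dc01.corp.example.local")
          .replace("dc=SourceDomain,dc=SourceOrg", "dc=corp,dc=example,dc=local")
          .replace("dc=TargetDomain,dc=TargetOrg", "dc=idg,dc=local"))
```

Running check_adamsync_config(TEMPLATE) reports all four template values, while the filled copy passes cleanly.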

  3. Install the configuration file using the following command:

C:\Windows\ADAM\ADAMSync /install localhost:<port> %windir%\ADAM\<configurationfile>.XML

The "<port>" and "<configurationfile>" variables need to be replaced with the port you are using for your AD LDS instance and with the name you gave the ADAMSync configuration XML file when saving it.

Note: If you decided to run AD LDS under the Network Service account user, you must add the /passPrompt flag to the end of the ADAMSync command. This prompts you for your password so that the synchronization can be performed successfully.

Then run the synchronization with the following command:

C:\WINDOWS\ADAM\ADAMSync /sync localhost:<port> <AD LDS Instance DN> /log <logname>.log

<port> is the port number on which your AD LDS instance is listening.

<AD LDS Instance DN> is the application directory partition name you entered during the installation, for example dc=idg,dc=local.

<logname>.log is any arbitrary name that you choose for the log file. This file is created during the synchronization.

Note: If the synchronization completes quickly, check the log for any problems that may have occurred. Normally, the synchronization lasts a few minutes, depending on the size of your existing domain controller. Additionally, you must run this command every time new users are added to the domain controller, so it is standard to schedule a job that runs the sync periodically.

Additional Note: The adamsync utility will, by default, halt the synchronization if a single error occurs. Normally, these errors apply to objects which do not fully fit the parameters of your synchronization config file. If I experience any error, I modify my synchronization command as follows:

C:\WINDOWS\ADAM\ADAMSync /force -1 /sync localhost:<port> <AD LDS Instance DN> /log <logname>.log

The "/force" flag with a value of "-1" simply tells the synchronization to keep running in spite of any errors. Be sure to review the sync log upon completion.

After the synchronization is complete, open ADSI Edit (Start -> All Programs -> Administrative Tools -> ADSI Edit) to view the changes that have taken place. If ADSI Edit is already open, simply right-click the connection for your AD LDS instance and click Refresh. You should see all the containers and users that were synchronized from your domain controller.

Kacper October 19, 2010 at 1:44 pm

Hello,

I’m encountering an error during base schema load. It looks like an ADSchemaAnalyzer.exe error. The error message is quite long and starts with the following sentences: “An error occured. Please contact the administrator with the following information:
The SDDL string contains an invalid sid or a sid that cannot be translated.
Parameter name: sddlForm…”, after which a stack trace appears.

I’m installing AD LDS on Win2k8R2 stand-alone server. The service works on Network Service Account.

Thanks in advance for any tips.

questioner December 11, 2010 at 6:21 am

Can we do this in a reverse way? I mean syncing data from Active directory to AD LDS?

Eric June 16, 2011 at 5:25 pm

I’m also encountering the same error as Kacper above. When I attempt to load the base schema I get the error:

“An error occured. Please contact the administrator with the following information:
The SDDL string contains an invalid sid or a sid that cannot be translated.
Parameter name: sddlForm…”

adabbas October 10, 2011 at 6:41 am

This by far the best article describing the process, after reading a lot I can now finally understand what needs to be done.

However, as Eric and Kacper already pointed out, it is giving an error when using ADSchemaAnalyzer.exe when installing AD LDS on Win2k8R2 stand-alone server and the service works on Network Service Account.

Since I am preparing this AD LDS to be put in the DMZ, I have to do it on a stand-alone server. I also have to use the Network Service account, as I want to be prompted for the password of a domain account.

Will you please update with the needed steps for such a scenario.

Thanks in advance,

Ben October 18, 2011 at 6:34 pm

Has anybody found a solution to the “The SDDL string contains an invalid sid or a sid that cannot be translated” error?
I am also encountering the same issue/configuration.

lawe December 1, 2011 at 7:00 am

Hello,
I have the SDDL error too :(
Any solutions?

Joe January 12, 2012 at 3:41 pm

I found a solution for the SDDL error. Your LDS server must be joined to the domain, and you must run ADSchemaAnalyzer when logged into the LDS server using a domain account, not the local administrator account. When loading the base schema, select secure authentication, and enter your local administrator username and password and set the LDS server hostname as the domain. The base configuration will load without error.

Dominic Richard January 19, 2012 at 2:09 pm

For those who have encountered the “The SDDL string contains an invalid sid or a side that cannot be translated”.

Go see his post: http://www.thegeekispeak.com/archives/490

Seraph February 13, 2012 at 5:58 am

Hello,
I have the SDDL error too
Any solutions?
