06 active directory lightweight directory services

24
Posted on 15-Jun-2015

TRANSCRIPT

Page 1: 06 active directory lightweight directory services

Christopher Chapman | MCT, Content PM, Microsoft Learning, PDG Planning, Microsoft

Understanding Active Directory

Page 2: 06 active directory lightweight directory services

Microsoft Virtual Academy

Active Directory Lightweight Directory Services (AD LDS)

Page 3: 06 active directory lightweight directory services

Module Overview

• AD LDS Overview

• Implementing and Administering AD LDS

• Implementing AD LDS Replication

• Comparing AD DS and AD LDS

Page 4: 06 active directory lightweight directory services

Lesson 1: AD LDS Overview

• How AD LDS Works

• AD LDS Administration Tools

• What Is the AD LDS Schema?

• Demonstration: Installing AD LDS

Page 5: 06 active directory lightweight directory services

How AD LDS Works

• AD LDS can be accessed via LDAP

• The store is organized into three partition types:

Configuration

Schema

Application

• AD LDS is a hierarchical file-based directory store

• Uses the Extensible Storage Engine (ESE) for file storage

Page 6: 06 active directory lightweight directory services

AD LDS Administration Tools

Tool / Usage

Active Directory Lightweight Directory Services Wizard:

• Create a new instance of AD LDS

• Create a new replica of an AD LDS instance

ADSIEdit:

• Modifying data

• Viewing data

LDP:

• Creating application partition instances

• Modifying data

• Viewing data

Ldifde or Csvde:

• Importing and exporting data

Dsacls:

• View or set permissions

AdamSync:

• Used to synchronize an instance of AD DS to AD LDS

ADSchemaAnalyzer:

• Used in migrating the Active Directory schema to ADAM

Page 7: 06 active directory lightweight directory services

What Is the AD LDS Schema?

The AD LDS schema defines the types of objects and data that can be created and stored in an AD LDS instance, using object classes and attributes.

Schema partition:

• Definition for a user object class

• Definition for an automobile object class

Application partition:

• Directory objects based on the user object class

• Directory objects based on the automobile object class
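As an added example (not part of the deck), this is what the slide's "automobile" object class looks like as schema objects: an attribute definition and a class definition written as LDIF for the deck's Ldifde tool. The OID arc, attribute names and port number are constructed placeholders.

```ldif
# Added example: extend an AD LDS schema with an "automobile" object class.
# Constructed placeholders: the OID arc 1.2.840.113556.1.8000.2554.999999.*
# (use an OID from your own arc), the attribute name, and port 50000.
# Import with ldifde, letting -c rewrite DC=X into this instance's real schema DN:
#   ldifde -i -f automobile.ldf -s localhost:50000 -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

# 1. An attribute definition; it lives in the schema partition, not in an application partition.
dn: CN=automobileVIN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: automobileVIN
lDAPDisplayName: automobileVIN
attributeID: 1.2.840.113556.1.8000.2554.999999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
adminDescription: Vehicle identification number (constructed example)

# Reload the schema cache so the class below can reference the new attribute.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 2. A structural class (objectClassCategory 1) whose instances may only be created
#    under an organizationalUnit in an application partition.
dn: CN=automobile,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
cn: automobile
lDAPDisplayName: automobile
governsID: 1.2.840.113556.1.8000.2554.999999.2
objectClassCategory: 1
subClassOf: top
rDNAttID: cn
mustContain: automobileVIN
mayContain: description
possSuperiors: organizationalUnit
defaultObjectCategory: CN=automobile,CN=Schema,CN=Configuration,DC=X

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

Because the schema partition is shared by every application partition in the instance, a class added this way becomes available to all of them at once.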

Page 8: 06 active directory lightweight directory services

Demonstration: Installing AD LDS

• In this demonstration, you will see how to install Active Directory Lightweight Directory Services

Page 9: 06 active directory lightweight directory services

Lesson 2: Implementing and Administering AD LDS

• What Is an AD LDS Instance?

• What Is an AD LDS Application Partition?

• Demonstration: Configuring AD LDS Instances and Application Partitions

• AD LDS Users and Groups

• How Does Access Control Work in AD LDS?

Page 10: 06 active directory lightweight directory services

What Is an AD LDS Instance?

An AD LDS instance is a running copy of the AD LDS service that contains its own communication interface and directory store.

A single AD LDS instance (diagram): Client → Interfaces (LDAP, replication) → Directory Service → Directory Data Store (Adamntds.dit)

The directory store has its own copy of the three partitions.

Page 11: 06 active directory lightweight directory services

What Is an AD LDS Application Partition?

The AD LDS application partition holds the data that is used by the application.

Multiple application directory partitions can be created in each AD LDS instance; however, every partition shares the instance's single set of configuration and schema partitions.

A single AD LDS instance (diagram): Application partition 1, Configuration partition, Schema partition

Page 12: 06 active directory lightweight directory services

Demonstration: Configuring AD LDS Instances and Application Partitions

• In this demonstration, you will see how to configure an AD LDS instance on a computer that is already running one instance

Page 13: 06 active directory lightweight directory services

AD LDS Users and Groups

AD LDS provides four default, role-based groups stored in the Roles container of the appropriate partitions.

Role: Administrators

• Default members: Configuration partition: AD LDS administrators that are assigned during AD LDS setup. Application partitions: the Administrators group from the configuration partition.

• Default access: Full access to all partitions

Role: Readers

• Default members: None

• Default access: Read access to the partition

Role: Users

• Default members: Configuration partition: transitively, all AD LDS users. Application partitions: transitively, all AD LDS users that are created in the partition.

• Default access: None

Role: Instances

• Default members: Configuration partition: all instances
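As an added example (not from the deck), the role table above applied as least privilege: an application's service account is created inside the application partition and added to that partition's own Readers role, so it gets read access to that partition and nothing else. Partition name O=Fabrikam,C=US, the OU and the account name are constructed; the instance is assumed to have imported MS-User.LDF when it was created, so the user object class exists.

```ldif
# Added example: read-only access to one application partition via its Readers role.
# Constructed names: partition O=Fabrikam,C=US, OU "Service Accounts", user svc-inventory.
# Import with:  ldifde -i -f reader.ldf -s localhost:50000 -k -j .

# 1. Container for application service accounts, inside the application partition.
dn: OU=Service Accounts,O=Fabrikam,C=US
changetype: add
objectClass: organizationalUnit
ou: Service Accounts

# 2. The account is an AD LDS user in the application partition, not in the
#    configuration partition, so it is not a Users-role member of any other partition.
#    New AD LDS users are created disabled; set a password over the SSL port (for
#    example with ldp.exe, the deck's LDP tool) and then set
#    msDS-UserAccountDisabled to FALSE. Password writes over plain LDAP are refused.
dn: CN=svc-inventory,OU=Service Accounts,O=Fabrikam,C=US
changetype: add
objectClass: user
cn: svc-inventory
displayName: Inventory service (read-only)

# 3. Membership of this partition's Readers role: read access to O=Fabrikam,C=US only.
#    Administrators of the configuration partition already hold full access here
#    (they are the default member of this partition's Administrators role), so no
#    further grant is needed for them.
dn: CN=Readers,CN=Roles,O=Fabrikam,C=US
changetype: modify
add: member
member: CN=svc-inventory,OU=Service Accounts,O=Fabrikam,C=US
-

# 4. Verify the effective permissions on the partition head with the deck's Dsacls tool:
#   dsacls \\localhost:50000\O=Fabrikam,C=US
```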

Page 14: 06 active directory lightweight directory services

How Does Access Control Work in AD LDS?

AD LDS access control:

1. Authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory

2. Uses security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user can access

Page 15: 06 active directory lightweight directory services

Lesson 3: Implementing AD LDS Replication

• How AD LDS Replication Works

• Why Implement AD LDS Replication?

Page 16: 06 active directory lightweight directory services

How AD LDS Replication Works

AD LDS uses multimaster replication:

• All instances are writable

• Changes on one instance are replicated to the other instances

AD LDS servers replicate changes to all servers (diagram: Server 1, Server 2, Server 3):

• Client adds “User 2” on Server 1

• Client modifies “User 1” display name on Server 2

Page 17: 06 active directory lightweight directory services

Why Implement AD LDS Replication?

• High availability

• Load balancing

• Geographic limitations

Page 18: 06 active directory lightweight directory services

Lesson 4: Comparing AD DS and AD LDS

• Similarities between AD DS and AD LDS

• Differences between AD DS and AD LDS

• Integrating AD DS and AD LDS

Page 19: 06 active directory lightweight directory services

Similarities Between AD DS and AD LDS

Similarities between AD DS and AD LDS:

• Support LDAP connections

• Use multimaster replication

• Support delegated administration

• Use Extensible Storage Engine for the database store

Page 20: 06 active directory lightweight directory services

Differences Between AD DS and AD LDS

Feature | AD LDS | AD DS

Capable of multiple instances running on one server | X |

Runs on nondomain controllers | X |

Does not require DNS infrastructure | X |

Group Policy | | X

Global Catalog functions | | X

Kerberos V5 protocol authentication | | X

Full-featured administrator tools | | X

Automatic failover of services | | X

Page 21: 06 active directory lightweight directory services

Integrating AD DS and AD LDS

To integrate AD DS and AD LDS:

1. Prepare the schema for synchronization

2. Prepare the configuration for AdamSync

3. Run AdamSync

Page 22: 06 active directory lightweight directory services

Module Review and Takeaways

• Review Questions

• Summary of AD LDS

Page 23: 06 active directory lightweight directory services

Thanks for Watching!

Page 24: 06 active directory lightweight directory services

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.