4 Feb 2011

Configuring the Active Directory Lightweight Directory Service (3)

The concept of an instance is unique to AD LDS (as opposed to the Active Directory). As I mentioned in a previous article, a single Windows 2008 server can host multiple directories. Each of these directories is referred to as an instance.

You must assign a name to each instance that you create. The name that you choose is used as a mechanism for uniquely identifying the instance on the server.

In addition to assigning the instance a name, you will also have to assign the instance a port number. Normally, LDAP communications take place over port 389 and SSL encrypted LDAP communications take place over port 636. You can use these port numbers for AD LDS, but only if you do not plan to install Active Directory Domain Services (AD DS) on the server, because a domain controller claims those two ports for itself.

One thing to keep in mind is that each AD LDS instance requires a unique port number. Of course this holds true only when there are multiple AD LDS instances present on a single server. If you have a dedicated server for each AD LDS instance, then each instance will be able to use Ports 389 and 636 (assuming that the server isn't also acting as a domain controller).

Finally, each AD LDS instance has a corresponding application directory partition. When you create an application directory partition, you will be required to provide it with a name. The name that you use can be in either X.500 format or it can be in FQDN format.

Now that I have explained what elements are required for creating an AD LDS instance, let's go ahead and create one. Begin the process by opening the Active Directory Lightweight Directory Services Setup Wizard. You can find a shortcut to this wizard on the server's Administrative Tools menu.

When the Active Directory Lightweight Directory Services Setup Wizard starts, click Next to bypass the wizard's Welcome screen. At this point, you will see a screen similar to the one shown in Figure 1, asking if you want to create a unique instance or a replica of an existing instance. Since we are setting up a new instance, choose the A Unique Instance option. I will be discussing replica instances in Part 4.


Figure 1: Tell Windows that you want to create a unique instance.

Click Next and you will be prompted to provide a name and an optional description for the instance that you are creating, as shown in Figure 2. For the sake of demonstration I will be using the default instance name (which is Instance1). In the real world however, I recommend using a more descriptive name.


Figure 2: You must provide a name and an optional description for the instance that you are creating.

When you click Next, you will be taken to the screen shown in Figure 3. As you can see in the figure, Windows defaults to using port number 50000 for LDAP communications with the new instance, and port number 50001 for SSL encrypted LDAP communications. You can change these port numbers to anything that you want (including 389 and 636) so long as those port numbers are not already in use on the server and you do not plan to make the server a domain controller.


Figure 3: Windows defaults to using ports 50000 and 50001 for use with the new AD LDS instance.

Click Next, and you will be taken to the screen shown in Figure 4. As you can see in the figure, this screen asks you if you want to create an application directory partition. The application directory partition is essentially a directory-enabled repository that you can use for storing application data.


Figure 4: You will almost always want to go ahead and create an application directory partition.

Since the whole point of creating an AD LDS instance is to allow for application data to be stored in a directory partition, you will almost always choose the option that creates a new application directory partition. There are really only two situations in which you would not want to create an application directory partition. You would obviously not want to create an application directory partition if you wanted to manually create the partition later on. The other situation in which you wouldn't want to create an application directory partition would be when you plan to install an application that automatically creates the necessary partition itself.

As I explained earlier, you must provide a name for the application directory partition. You must enter this name as a distinguished name. According to TechNet, "AD LDS supports both X.500 style and Domain Name System (DNS)-style distinguished names for top level directory partitions". Having said that, I have to tell you that I have never seen a DNS style distinguished name used for an application directory partition in the real world. If you look back at Figure 4, you can see that even Microsoft seems to give preference to X.500 style distinguished names because the example distinguished name shown in the screen capture is in X.500 style format.

Regardless of the type of distinguished name that you choose to enter, it is important to get the name right on the first try. Otherwise, Windows will allow you to get all the way to the end of the wizard before giving you an error.

After you have provided a distinguished name for the partition that you are creating, click Next and you will be prompted to specify a path beneath which to store the data files and the data recovery files that are to be used with the AD LDS instance. This portion of the wizard, which you can see in Figure 5, should seem familiar to anyone who has ever set up an Active Directory domain controller.


Figure 5: You must provide a path to be used by the AD LDS database.

In an Active Directory environment, it is usually acceptable to use the default path. When it comes to AD LDS however, you may want to redirect the data files and the data recovery files to a high speed or fault tolerant array, depending on how extensively the AD LDS instance will be used.

After providing the necessary paths, click Next and you will be prompted to provide a service account for use with the AD LDS instance. You can use the built-in Network Service account, or you can provide a domain service account. Of course servers that host AD LDS instances are not always domain members, so in some cases you may be forced to use the Network Service account.

Click Next, and you will be prompted to specify the name of a user or a group who should have administrative access to the partition that you are creating. By default, Windows will use the account that you are logged on with when you create the instance, as shown in Figure 6, but you are usually going to be better off manually specifying an administrative group.


Figure 6: Specify the name of the user or group that should have administrative control over the AD LDS instance.

After clicking Next, you should see a screen asking you which LDIF files you want to import. The LDIF files that you select will establish the schema for the instance. You are free to select any of the LDIF files or any combination of the files. The documentation for the application that will be making use of the AD LDS instance should provide you with guidance as to which LDIF files to import.

When you click Next, you should see a summary of the options that you have selected throughout the wizard. Assuming that everything appears to be correct, click Next and the AD LDS instance will be created. When the process completes, click Finish to close the wizard.
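The wizard steps above (unique instance, name, ports, partition DN, data paths, service account, administrator, LDIF files) can also be driven unattended. The PowerShell script below is an added example written for this article, not something from the original post or from Microsoft; it writes an answer file in the [ADAMInstall] format consumed by adaminstall.exe and first checks the two things the walkthrough warns about: that the chosen ports are actually free on this server, and that the partition DN is well-formed before the wizard gets to the end and fails. The instance name, ports, DN, data path and admin group are constructed values; the adaminstall.exe location, the answer-file key names and the ADAM_<instance> service name are assumptions based on the documented AD LDS unattended install and should be checked against your version.

```powershell
# Added example: unattended AD LDS instance creation with pre-flight checks.
# All values below are constructed for the example; adjust before use.
$InstanceName = 'AppDirectory1'                    # descriptive name, not "Instance1"
$LdapPort     = 50000                              # must be unique per instance on this server
$SslPort      = 50001
$PartitionDN  = 'CN=AppData,DC=example,DC=com'     # X.500-style distinguished name
$DataPath     = 'D:\ADLDS\AppDirectory1\data'      # fast / fault-tolerant volume
$AdminGroup   = 'CORP\ADLDS-Admins'                # a group, not the logged-on user
$LdifFiles    = @('MS-InetOrgPerson.LDF', 'MS-User.LDF')  # per the application's docs

function Test-PortFree {
    param([int]$Port)
    # Try to bind the port on all interfaces. A failed bind means another
    # AD LDS instance (or AD DS on 389/636) already owns it.
    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    try   { $listener.Start(); $listener.Stop(); return $true }
    catch { return $false }
}

function Test-DistinguishedName {
    param([string]$DN)
    # Accept a chain of CN=/OU=/O=/DC= components, which is the X.500 style
    # the wizard's own example uses. The wizard does not validate this up front.
    return $DN -match '^(CN|OU|O|DC)=[^,=]+(,(CN|OU|O|DC)=[^,=]+)*$'
}

foreach ($p in @($LdapPort, $SslPort)) {
    if (-not (Test-PortFree -Port $p)) {
        throw "Port $p is already in use on this server; choose another port for $InstanceName."
    }
}
if (-not (Test-DistinguishedName -DN $PartitionDN)) {
    throw "'$PartitionDN' is not a well-formed X.500-style distinguished name."
}

# Quote each LDIF file name as the answer file expects: "a.ldf" "b.ldf"
$ldifList = ($LdifFiles | ForEach-Object { '"' + $_ + '"' }) -join ' '

# Assumption: leaving ServiceAccount/ServicePassword empty runs the instance
# as Network Service, the same default the wizard offers.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate=$PartitionDN
DataFilesPath=$DataPath
LogFilesPath=$DataPath
ServiceAccount=
ServicePassword=
Administrator=$AdminGroup
ImportLDIFFiles=$ldifList
"@

$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    # Assumption: adaminstall.exe lives under %SystemRoot%\ADAM once the role is installed.
    & "$env:SystemRoot\ADAM\adaminstall.exe" /answer:$answerFile
    if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe returned exit code $LASTEXITCODE" }
}
finally {
    # The answer file can carry a service password; do not leave it behind.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# Post-check: the instance runs as a service named ADAM_<InstanceName> and
# should now be holding the LDAP port we verified was free a moment ago.
$svc = Get-Service -Name "ADAM_$InstanceName" -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Service ADAM_$InstanceName is $($svc.Status), expected Running." }
if (Test-PortFree -Port $LdapPort) { throw "Nothing is listening on $LdapPort after install." }
Write-Host "AD LDS instance $InstanceName is running on LDAP $LdapPort / SSL $SslPort."
```

Run the script from an elevated prompt on the server that has the AD LDS role installed. The bind test is deliberately version-neutral (it does not depend on Get-NetTCPConnection, which is absent on Windows Server 2008), and the DN check is intentionally strict about the component types it accepts; if your application genuinely needs a DNS-style partition name, relax the pattern rather than skipping the check.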
