Directory Services API Element Differences
When using Directory Services API elements to program for AD LDS, there are several important differences from programming for Active Directory.
The following table lists the differences in the Directory Services programming elements when used with AD LDS.
| Programming element | Difference |
|---|---|
| DsBindWithSpnEx | Added the NTDSAPI_BIND_FORCE_KERBEROS flag. |
| DsBindByInstance | New function. |
| ADAM_SCP_SITE_NAME_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for a site name, for example: "site:Default-First-Site-Name". |
| ADAM_SCP_PARTITION_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for a partition distinguished name, for example: "partition:O=FABRIKAM,L=WA,C=US". |
| ADAM_SCP_INSTANCE_NAME_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an instance name, for example: "instance:someinstance". |
| ADAM_SCP_FSMO_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name prefix, for example: "fsmo:naming". |
| ADAM_SCP_FSMO_NAMING_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name suffix, for example: "fsmo:naming". |
| ADAM_SCP_FSMO_SCHEMA_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name suffix, for example: "fsmo:schema". |
| ADAM_REPL_AUTHENTICATION_MODE_NEGOTIATE_PASS_THROUGH | Negotiate with pass-through authentication. All instances must run using service accounts with the same name and password. Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| ADAM_REPL_AUTHENTICATION_MODE_NEGOTIATE | Negotiate authentication. If Kerberos is available, it will be used. Otherwise, authentication will fall back to NTLM unless machine policy forbids this.Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| ADAM_REPL_AUTHENTICATION_MODE_MUTUAL_AUTH_REQUIRED | AD LDS will require Kerberos mutual authentication.Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| NTDSDSA_OPT_DISABLE_SPN_REGISTRATION | New value for nTDSDSA objects. |
AD LDS does not support the userAccountControl attribute. Instead, AD LDS uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute. The following table lists the userAccountControl flags and their corresponding AD LDS attributes. Any userAccountControl flags that are not listed below are not supported by AD LDS.
| AD LDS attribute | userAccountControl flag (defined in iads.h) | Hexadecimal value |
|---|---|---|
| ms-DS-UserAccountAutoLocked | ADS_UF_LOCKOUT | 0x00000010 |
| msDS-UserAccountDisabled | ADS_UF_ACCOUNTDISABLE | 0x00000002 |
| msDS-UserDontExpirePassword | ADS_UF_DONT_EXPIRE_PASSWD | 0x00010000 |
| ms-DS-UserEncryptedTextPasswordAllowed | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | 0x00000080 |
| msDS-UserPasswordExpired | ADS_UF_PASSWORD_EXPIRED | 0x00800000 |
| ms-DS-UserPasswordNotRequired | ADS_UF_PASSWD_NOTREQD | 0x00000020 |