Active Directory Lightweight Directory Services

This article contains a brief overview of Active Directory Lightweight Directory Services (AD LDS), a list of the benefits to using AD LDS, and a list of what's new in AD LDS for Windows Server 2008.

Overview

AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service designed for use with directory-enabled applications. A directory-enabled application is one that uses a directory, as opposed to a database or flat file, for its data store.

AD LDS serves as an identity provider for business scenarios that require an extranet directory to store customer user accounts and similar identities, where those accounts must be kept separate from the enterprise Active Directory Domain Services (AD DS) user account store.

AD LDS is one of two identity providers that are supported by Active Directory Federation Services (AD FS) for authentication purposes and to supply claims to federation-aware Web applications, the other being AD DS. AD LDS is also a supported store for authorization policy by Windows Authorization Manager (AzMan). In environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals.

Developers of strictly federation-aware Web applications are largely insulated from any interactions with identity providers such as AD LDS because AD FS takes over the authentication responsibilities.

For in-depth discussions of AD DS and AD LDS, along with code samples, see the following articles:

Introduction to System.DirectoryServices.ActiveDirectory (S.DS.AD)

Introduction to System.DirectoryServices.Protocols (S.DS.P)

New Ways to Manage Active Directory Using the .NET Framework 2.0

Using ADAM with ActiveDirectoryMembershipProvider for Forms Authentication

Major Benefits

The following lists briefly discuss the major benefits to using AD LDS.

Functional benefits:

  • Uses the same directory service technology as AD DS. There is a common framework for both the network operating system (NOS) services of AD DS and the application services of AD LDS, which increases reusability of design and code.

  • Increases the scalability of directory services by separating the NOS services from the application services.

  • Can use X.500-style naming contexts, such as O=Fabrikam and C=US.

  • Can use Windows security principals for authentication and access control.

Operational benefits:

  • Easy to deploy; installation and setup are simple

  • Can be installed without affecting AD DS

  • Can be reinstalled or restarted without a computer reboot

  • Uses the same administrative model as AD DS

  • Increases reliability by separating application directory services from NOS directory services

Benefits over using AD DS:

  • Does not incur the overhead of domains

  • Does not require the deployment of domains or domain controllers

  • Multiple instances, each tailored to a specific application, can run concurrently on a single AD LDS installation

  • Each AD LDS configuration set has a separate schema, independent of the AD DS schema

  • Runs on Windows XP Professional as well as Windows Server 2003 and Windows Server 2008

For a detailed listing, see Comparing ADAM to Active Directory. For a discussion of using AD LDS versus AD DS for an AzMan store, see AD or ADAM?

New and Improved Features

AD LDS was first released as Active Directory Application Mode (ADAM) in Windows Server 2003 R2. It has been updated with the following new and improved features for Windows Server 2008:

  • A supported role for Server Core installations

    Server Core is a new installation option that creates a low-maintenance environment ideal for specific role-based services. Server Core is designed to reduce management and servicing requirements, while limiting the attack surface of a Windows Server 2008 installation.

  • Install from Media (IFM) option

    Allows a one-step Ntdsutil or Dsdbutil process to create installation media for subsequent AD LDS installations. For more information, see Step-by-Step Guide for Active Directory Lightweight Directory Services Backup and Restore.

  • Auditing for AD LDS changes

    A new audit policy subcategory, Directory Service Changes, is added to log old and new values when changes are made to objects and their attributes. For more information, see AD DS: Auditing.

  • Database Mounting Tool (Dsamain.exe)

    Improves recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This feature eliminates the need to restore multiple backups to compare the AD LDS data that they contain. For more information, see AD DS: Database Mounting Tool.

  • Support for Active Directory Sites and Services

    The Active Directory Sites and Services snap-in can be used to manage replication among AD LDS instances. For more information on the tool, see Step-by-Step Guide to Active Directory Sites and Services.

  • A dynamic list of LDAP Data Interchange Format (LDIF) files during instance setup

    Custom LDIF files can be made available during AD LDS setup, in addition to the default LDIF files that are provided with AD LDS, by adding them to the %systemroot%\ADAM directory.

  • Recursive linked-attribute queries

    A single LDAP query can follow nested attribute links, which can be very useful in determining group membership and ancestry. For more information, see Microsoft Knowledge Base Article 914828.
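As an added example (not code from the original article), the following Python builds the single chain-rule filter that resolves nested group membership in one query and, against a constructed in-memory directory, performs the equivalent recursive walk locally so the result can be checked offline. It assumes the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is the mechanism the knowledge base article refers to, and the Fabrikam DNs are constructed sample data.

```python
"""Nested group membership: the one-query LDAP chain filter and a local
recursive walk over constructed sample data that mirrors what it matches."""

# Microsoft's extensible-match rule that follows linked attributes transitively
# (assumed to be the mechanism behind AD LDS recursive linked-attribute queries).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a DN containing parentheses,
    asterisks, backslashes or NUL cannot change the structure of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def nested_member_of_filter(group_dn: str) -> str:
    """Filter matching every object whose memberOf chain reaches group_dn."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


def nested_groups_filter(user_dn: str) -> str:
    """Filter matching every group that contains user_dn directly or through nesting."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed sample directory: group DN -> direct member DNs. Night Shift
# links back to Admins so the walk has to survive a nesting cycle.
SAMPLE_MEMBERS = {
    "CN=Admins,O=Fabrikam,C=US": ["CN=Ops,O=Fabrikam,C=US", "CN=alice,O=Fabrikam,C=US"],
    "CN=Ops,O=Fabrikam,C=US": ["CN=Night Shift,O=Fabrikam,C=US", "CN=bob,O=Fabrikam,C=US"],
    "CN=Night Shift,O=Fabrikam,C=US": ["CN=carol,O=Fabrikam,C=US", "CN=Admins,O=Fabrikam,C=US"],
}


def transitive_members(group_dn: str, members=SAMPLE_MEMBERS) -> list:
    """Local equivalent of the chain rule: follow member links recursively,
    recording visited groups so a cyclic nesting cannot loop forever.
    Returns every DN reached (users and nested groups), sorted."""
    seen, reached, stack = set(), set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for dn in members.get(group, []):
            reached.add(dn)
            if dn in members:          # nested group: keep following the chain
                stack.append(dn)
    return sorted(reached)
```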

See Also

Concepts

Develop Federation-Aware Applications

Other Resources

Active Directory Lightweight Directory Services (2008)

Windows Server 2003 Active Directory Application Mode

Active Directory Lightweight Directory Services (MSDN)

Active Directory Application Mode (TechNet)

Lightweight Directory Access Protocol

Active Directory Domain Services