
Microsoft® Official Course

Module 14

Implementing and Administering AD LDS

Module Overview

Overview of AD LDS

Deploying AD LDS

Configuring AD LDS Instances and Partitions

Configuring AD LDS Replication

Lesson 1: Overview of AD LDS

What Is AD LDS?

AD LDS Deployment Scenarios

Discussion: AD LDS or AD DS?

What Is AD LDS?

AD LDS is:
• An LDAP-based directory service
• Used for applications

AD LDS can be more flexible than AD DS because:
• You can run multiple instances of AD LDS on a single computer
• A DNS infrastructure is not required
• You can modify AD LDS to meet specific application requirements

AD LDS Deployment Scenarios

AD LDS is used most commonly in the following usage scenarios:
• Providing an LDAP-based application directory
• Providing an extranet authentication store
• Consolidating identity systems
• Providing a development environment for AD DS
• Providing a configuration store for distributed applications
• Migrating legacy directory-enabled applications

Discussion: AD LDS or AD DS?

AD LDS or AD DS for:
• Creating a phone book application?
• Creating an ordering application?
• Deploying Exchange Server 2013?
• Splitting into two separate companies?

Lesson 2: Deploying AD LDS

Components of AD LDS

Demonstration: Installing the AD LDS Server Role

AD LDS Schema

Client Connections to AD LDS

AD LDS SPNs

AD LDS Service Publication

Components of AD LDS

An AD LDS deployment consists of the following components:
• Instance
• Database
• Partitions
• Schema

Demonstration: Installing the AD LDS Server Role

In this demonstration, you will learn how to install the AD LDS server role

AD LDS Schema

• An AD LDS schema defines the types of objects and data that can be used by an instance
• The schema is stored in a configuration set

Client Connections to AD LDS

To connect to AD LDS, you:
• Can use LDAP or LDAP over SSL
• Must use the port numbers assigned to the AD LDS instance
• Must configure the IP address or DNS name of the AD LDS server

To secure client connections to AD LDS:
• Install a digital certificate on the server
• Configure clients to use LDAP over SSL to connect to the server
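The slide's three requirements (the instance's own port, the server's DNS name, LDAP over SSL backed by a server certificate) in one client. This is an added example and not code from the course; it uses the .NET System.DirectoryServices.Protocols API from PowerShell, and the server name LON-SVR1.Adatum.com, the SSL port 50001 and the partition CN=App1,DC=Adatum,DC=com are assumed lab values.

```powershell
# Added example, not part of the course deck: bind to an AD LDS instance over
# LDAP over SSL and list the user objects in an application partition.
# Assumed lab values: server LON-SVR1.Adatum.com, SSL port 50001, partition
# CN=App1,DC=Adatum,DC=com.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-AdLdsOverSsl {
    param(
        [Parameter(Mandatory)] [string]       $Server,     # DNS name that appears on the server certificate
        [Parameter(Mandatory)] [int]          $SslPort,    # SSL port assigned to the instance (not the LDAP port)
        [Parameter(Mandatory)] [pscredential] $Credential  # AD LDS user (bind with its DN) or a Windows account
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $SslPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Negotiate TLS before any bind traffic. Certificate validation stays on:
    # the certificate must chain to a CA this client trusts and carry $Server
    # as its name. Do not override VerifyServerCertificate to accept anything.
    $conn.SessionOptions.SecureSocketLayer = $true
    # A simple bind sends the password to the server, which is acceptable only
    # because the session is already inside TLS.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind($Credential.GetNetworkCredential())
    return $conn
}

function Get-AdLdsUsers {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $Connection,
        [Parameter(Mandatory)] [string] $PartitionDn
    )
    # AD LDS has no default naming context, so the search base must be given explicitly
    $scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $attrs   = [string[]]@("name")
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($PartitionDn, "(objectClass=user)", $scope, $attrs)
    $result  = $Connection.SendRequest($request)
    foreach ($entry in $result.Entries) {
        [pscustomobject]@{
            Name = $entry.Attributes["name"].GetValues([string])[0]
            DN   = $entry.DistinguishedName
        }
    }
}

# Usage with the assumed lab values
$cred = Get-Credential -Message "AD LDS account, e.g. CN=App1Reader,CN=AppUsers,CN=App1,DC=Adatum,DC=com"
$conn = Connect-AdLdsOverSsl -Server "LON-SVR1.Adatum.com" -SslPort 50001 -Credential $cred
try     { Get-AdLdsUsers -Connection $conn -PartitionDn "CN=App1,DC=Adatum,DC=com" }
finally { $conn.Dispose() }
```

If the bind fails with a certificate error, the fix is on the server side (a certificate whose subject matches the name the client uses and that chains to a CA the client trusts), not in the client: disabling validation would let any host answering on that port collect the credentials.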

AD LDS SPNs

Integrated component / Benefits of integration

SPN
• Used when AD LDS and AD DS co-exist on the same network to allow users to locate available services

Parts of the SPN
• Service class, service type
• Instance name, port number

SPN registration
• Service account or Network Service account
• Automatic registration sometimes fails. To perform registration manually

Replication with AD DS
• Can force the use of SPNs for replicating between AD LDS and AD DS

AD LDS Service Publication

Service publication is the act of sending service information about AD LDS to AD DS, which helps client computers locate information about the AD LDS service. The process steps are:

1. Publish a service connection point to AD DS (from the domain-joined AD LDS server)
2. Query AD DS for service connection points
3. Query DNS for AD LDS

Lesson 3: Configuring AD LDS Instances and Partitions

What Is an AD LDS Instance?

Demonstration: Creating AD LDS Instances

AD LDS Authentication and Authorization

How Access Control Works in AD LDS

Demonstration: Creating a User in AD LDS

What Is an AD LDS Partition?

What Is an AD LDS Instance?

Diagram: one AD LDS server hosting two instances, each with its own schema and partitions and its own administrator: Instance 1 (data in D:\App1, managed by Admin 1) and Instance 2 (data in D:\App2, managed by Admin 2).

Demonstration: Creating AD LDS Instances

In this demonstration, you will learn how to create an AD LDS instance on one server
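The demonstration uses the setup wizard; the same deployment can be scripted, which is how a repeatable lab or production build is usually done. The following is an added example, not the course's own material: it installs the role from Lesson 2 and then creates one instance with its own application partition through an adaminstall.exe answer file. The instance name App1, the ports 50000/50001, the D:\App1 paths, the partition DN and the ADATUM\Administrator account are assumed lab values; the [ADAMInstall] section and key names follow Microsoft's documented unattended-install answer-file format.

```powershell
# Added example, not part of the course deck: install the AD LDS server role
# and create one instance with its own application partition without the
# wizard. Instance name, ports, paths, partition DN and administrator are
# assumed lab values; the answer-file keys are the documented ADAMInstall keys.
Import-Module ServerManager

# 1. Server role (safe to rerun; an installed role reports NoChangeNeeded)
Install-WindowsFeature -Name ADLDS -IncludeManagementTools | Out-Null

# 2. Answer file. No ServiceAccount key is given, so the instance runs as
#    Network Service. ImportLDIFFiles adds the user classes that application
#    accounts need; a bare instance has no 'user' class in its schema.
$instanceName = "App1"
$answerFile   = Join-Path $env:TEMP "adlds-$instanceName.txt"
@"
[ADAMInstall]
InstallType=Unique
InstanceName=$instanceName
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=CN=App1,DC=Adatum,DC=com
DataFilesPath=D:\App1\data
LogFilesPath=D:\App1\logs
Administrator=ADATUM\Administrator
ImportLDIFFiles="MS-User.LDF" "MS-UserProxy.LDF"
"@ | Set-Content -Path $answerFile -Encoding ASCII

# 3. Run the installer; the answer file exists only for the duration of the run
$installer = Join-Path $env:windir "ADAM\adaminstall.exe"
try {
    $proc = Start-Process -FilePath $installer -ArgumentList "/answer:`"$answerFile`"" -Wait -PassThru -NoNewWindow
} finally {
    Remove-Item -Path $answerFile -ErrorAction SilentlyContinue
}
if ($proc.ExitCode -ne 0) {
    throw "adaminstall.exe returned $($proc.ExitCode); see $env:windir\Debug\adamsetup.log"
}

# 4. Confirm the instance service (ADAM_<instance>) is running and both ports listen
Get-Service -Name "ADAM_$instanceName" | Select-Object Name, Status
Get-NetTCPConnection -State Listen -LocalPort 50000, 50001 | Select-Object LocalAddress, LocalPort
```

Ports 50000 and 50001 are chosen here because the instance lives on a member server; on a domain controller the default LDAP ports are already taken by AD DS, which is why every instance gets its own port pair and why those numbers must be handed to the clients.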

AD LDS Authentication and Authorization

Diagram: an Internet or partner network, a perimeter network containing the AD LDS server, web server and application server, and the internal network containing AD DS, with the authentication path between them marked.

How Access Control Works in AD LDS

• Access control is used to limit the information that users can access in AD LDS partitions
• AD LDS provides access control that:
  • Authenticates the identity of all users
  • Uses ACLs to determine if users have permissions to access specific objects
• AD LDS uses access control to restrict access to AD LDS data

Demonstration: Creating a User in AD LDS

In this demonstration, you will learn how to create a user account in AD LDS
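The demonstration creates the user interactively. As an added example (not from the course), the same steps scripted with the Active Directory PowerShell module pointed at the instance, including the access-control half of the previous slide: the new account is placed in the partition's built-in Readers role rather than Administrators. The server LON-SVR1:50000, the partition CN=App1,DC=Adatum,DC=com, the AppUsers container and the account name App1Reader are assumed lab values.

```powershell
# Added example, not part of the course deck: create an application user in an
# AD LDS partition and give it read-only access through the partition's
# built-in Readers role. The AD module reaches the instance through ADWS,
# which is installed with the AD LDS role. Server, port and DNs are assumed.
Import-Module ActiveDirectory

$server    = "LON-SVR1:50000"                 # host:LDAP port of the instance
$partition = "CN=App1,DC=Adatum,DC=com"
$container = "CN=AppUsers,$partition"
$userName  = "App1Reader"
$userDn    = "CN=$userName,$container"

# The 'user' class is only present if MS-User.LDF was imported into the schema
$schemaNc  = (Get-ADRootDSE -Server $server).schemaNamingContext
$userClass = Get-ADObject -Server $server -SearchBase $schemaNc -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
if (-not $userClass) { throw "No 'user' class in this instance's schema; import MS-User.LDF first" }

# Container for application accounts (a new application partition has no Users container)
if (-not (Get-ADObject -Server $server -SearchBase $partition -LDAPFilter "(distinguishedName=$container)")) {
    New-ADObject -Server $server -Type container -Name "AppUsers" -Path $partition
}

# 1. Create the account. AD LDS creates it disabled (msDS-UserAccountDisabled=TRUE).
New-ADObject -Server $server -Type user -Name $userName -Path $container

# 2. Set a password. AD LDS rejects password operations over an unencrypted
#    LDAP simple bind by default, so a raw LDAP client would need the SSL port.
$pw = Read-Host -AsSecureString -Prompt "Initial password for $userName"
Set-ADAccountPassword -Server $server -Identity $userDn -Reset -NewPassword $pw

# 3. Enable the account only after it has a password
Set-ADObject -Server $server -Identity $userDn -Replace @{ "msDS-UserAccountDisabled" = $false }

# 4. Least privilege: membership of this partition's Readers role, not Administrators
$readersRole = "CN=Readers,CN=Roles,$partition"
Set-ADObject -Server $server -Identity $readersRole -Add @{ member = $userDn }

# Show the resulting role membership
Get-ADObject -Server $server -Identity $readersRole -Properties member | Select-Object -ExpandProperty member
```

The roles live under CN=Roles in each partition, so membership granted here applies to this application partition only; an account that must manage the instance itself is a different decision and belongs in the configuration partition's Administrators role, not in every application partition.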

What Is an AD LDS Partition?

• An AD LDS application partition holds the data that is used by an application
• A single AD LDS instance:
  • Multiple application directory partitions can be created in each AD LDS instance. However, each partition shares a single schema

Diagram: one instance containing Application Partition 1, a Configuration Partition and a Schema Partition.

Lesson 4: Configuring AD LDS Replication

Why Implement AD LDS Replication?

How AD LDS Replication Works

What Is a Configuration Set?

AD LDS Replication Topology

Demonstration: Configuring AD LDS Replication

Why Implement AD LDS Replication?

AD LDS replication:
• Enables multiple copies of an AD LDS instance to be stored on different servers
• Provides high availability for critical applications
• Provides load balancing
• Enables geographically distributed applications

How AD LDS Replication Works

AD LDS uses multimaster replication, which means that:
• All instances are writable
• Changes on one instance are replicated to other instances

Diagram: Server 1, Server 2 and Server 3 replicate changes to all servers. An administrator updates User 2 on Server 1 at 9:25 P.M. and again on Server 2 at 9:26 P.M.

What Is a Configuration Set?

Diagram: two configuration sets spread across AD LDS-SRV 1, AD LDS-SRV 2 and AD LDS-SRV 3. Configuration Set 1 holds instances whose partitions are a Configuration Partition, a Schema Partition and the App 1 and App 2 partitions (Instance B among them). Configuration Set 2 holds Instance C with a Configuration Partition, a Schema Partition and the App 3 and App 4 partitions. The App 2 and App 3 partitions are each shown in two instances, replicated within their configuration set.

AD LDS Replication Topology

Diagram: Site 1, Site 2 and Site 3, with one site link marked "After-hours replication only".

• The KCC maintains the replication topology in a configuration set
• Active Directory Sites and Services can be used to manage the replication topology
• The ISTG builds and maintains connections between partners
• The replication topology is stored in the configuration partition

Demonstration: Configuring AD LDS Replication

In this demonstration, you will learn how to:
• Create an AD LDS replica
• Verify AD LDS replication
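Both demonstration steps as a script, added here as an example and not taken from the course: the replica is created on the second server with an adaminstall.exe answer file (InstallType=Replica pointing at the source instance, so the new instance joins the existing configuration set), and replication is then verified twice, first by asking repadmin for the replica's inbound partner status and then by writing a marker on one instance and waiting for it to arrive on the other, which is the multimaster behaviour the earlier slide illustrates. LON-SVR1 and LON-SVR2, the ports, the D:\App1 paths and the partition DN are assumed lab values; the answer-file keys follow Microsoft's documented ADAMInstall format, and omitting SourceUserName/SourcePassword so that the installer connects as the account running it is an assumption.

```powershell
# Added example, not part of the course deck: create a replica of an existing
# AD LDS instance on a second server, then verify that replication works.
# Server names, ports, paths and DNs are assumed lab values. Run the replica
# step on the new server as an account in the instance's Administrators role.
Import-Module ActiveDirectory

# --- Step 1: replica install (adaminstall.exe answer file, InstallType=Replica) ---
# Assumption: with no SourceUserName/SourcePassword keys the installer connects
# to the source instance as the account running it.
$instanceName = "App1"
$answerFile   = Join-Path $env:TEMP "adlds-replica.txt"
@"
[ADAMInstall]
InstallType=Replica
InstanceName=$instanceName
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
SourceServer=LON-SVR1
SourceLDAPPort=50000
DataFilesPath=D:\App1\data
LogFilesPath=D:\App1\logs
"@ | Set-Content -Path $answerFile -Encoding ASCII
$proc = Start-Process -FilePath (Join-Path $env:windir "ADAM\adaminstall.exe") -ArgumentList "/answer:`"$answerFile`"" -Wait -PassThru -NoNewWindow
Remove-Item -Path $answerFile -ErrorAction SilentlyContinue
if ($proc.ExitCode -ne 0) { throw "Replica install failed with exit code $($proc.ExitCode)" }

# --- Step 2: verify partner status, then a round-trip write ---
function Test-AdLdsReplication {
    param(
        [string] $WriteServer = "LON-SVR1:50000",            # instance where the change is made
        [string] $ReadServer  = "LON-SVR2:50000",            # replica that should receive it
        [string] $PartitionDn = "CN=App1,DC=Adatum,DC=com",
        [int]    $TimeoutSec  = 120
    )
    # Inbound partners and last-success times as seen by the replica
    # (repadmin addresses an AD LDS instance as host:port)
    & repadmin.exe /showrepl $ReadServer

    # Write a marker into a harmless attribute on one instance...
    $marker = "repltest-" + (Get-Date -Format "yyyyMMddHHmmss")
    Set-ADObject -Server $WriteServer -Identity $PartitionDn -Replace @{ description = $marker }

    # ...and poll the other instance until it shows up or the timeout passes
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $seen = (Get-ADObject -Server $ReadServer -Identity $PartitionDn -Properties description).description
        if ($seen -eq $marker) { return $true }
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Test-AdLdsReplication) {
    "Change replicated to the replica"
} else {
    "Change not replicated within the timeout; check the repadmin /showrepl output for the failing partner"
}
```

The round-trip check is the one that matters for an application: a green repadmin status shows the partners can talk, while the marker arriving on the second instance shows that a write made through either instance is actually visible through the other, which is what the load-balancing and high-availability scenarios on the earlier slide depend on.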

Lab: Implementing and Administering AD LDS

Exercise 1: Configuring AD LDS Instances and Partitions

Exercise 2: Configuring AD LDS Replication

Logon Information:
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario

A. Datum Corporation is now implementing a number of new line-of-business (LOB) applications that users in various regions will use. In addition to London, A. Datum has users in Toronto, Canada and Sydney, Australia. Users in these locations will access the new LOB applications. These applications have some specific schema requirements, so they will use AD LDS for authentication and authorization. You must deploy and configure AD LDS to support these new LOB applications.

Lab Review

In the lab, when you deployed AD LDS to LON-SVR1, what was the default port number? Why was this different from LON-DC1?

What are the options for high availability for AD LDS?

Do the instances that are part of the same configuration set run on the same computer or on separate computers?

Module Review and Takeaways

• Review Questions

Course Evaluation