Active Directory Lightweight Directory Services
This article contains a brief overview of Active Directory Lightweight Directory Services (AD LDS), a list of the benefits to using AD LDS, and a list of what's new in AD LDS for Windows Server 2008.
AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service designed for use with directory-enabled applications. A directory-enabled application is one that uses a directory, as opposed to a database or flat file, for its data store.
AD LDS serves as an identity provider for business scenarios that require an extranet directory for storing accounts such as customer user accounts, where those accounts must be kept separate from the enterprise Active Directory Domain Services (AD DS) user account store.
AD LDS is one of two identity providers that are supported by Active Directory Federation Services (AD FS) for authentication purposes and to supply claims to federation-aware Web applications, the other being AD DS. AD LDS is also a supported store for authorization policy by Windows Authorization Manager (AzMan). In environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals.
Developers of strictly federation-aware Web applications are largely insulated from any interactions with identity providers such as AD LDS because AD FS takes over the authentication responsibilities.
For in-depth discussions of AD DS and AD LDS, along with code samples, see the following articles:
The following lists briefly discuss the major benefits to using AD LDS.
Uses the same directory service technology as AD DS. There is a common framework for both the network operating system (NOS) services of AD DS and the application services of AD LDS, which increases reusability of design and code.
Increases the scalability of directory services by separating the NOS services from the application services.
Can use X.500-style naming contexts, such as O=Fabrikam and C=US.
Can use Windows security principals for authentication and access control.
Easy to deploy; installation and setup are simple
Can be installed without affecting AD DS
Can be reinstalled or restarted without a computer reboot
Uses the same administrative model as AD DS
Increases reliability by separating application directory services from NOS directory services
Benefits over using AD DS:
Does not incur the overhead of domains
Does not require the deployment of domains or domain controllers
Multiple instances, each tailored to a specific application, can run concurrently on a single AD LDS installation
Each AD LDS configuration set has a separate schema, independent of the AD DS schema
Runs on Windows XP Professional as well as Windows Server 2003 and Windows Server 2008
New and Improved Features
AD LDS was first released as Active Directory Application Mode (ADAM) in Windows Server 2003 R2. It has been updated with the following new and improved features for Windows Server 2008:
A supported role for Server Core installations
Server Core is a new installation option that creates a low-maintenance environment ideal for specific role-based services. Server Core is designed to reduce management and servicing requirements, while limiting the attack surface of a Windows Server 2008 installation.
Install from Media (IFM) option
Allows a one-step Ntdsutil or Dsdbutil process to create installation media for subsequent AD LDS installations. For more information, see Step-by-Step Guide for Active Directory Lightweight Directory Services Backup and Restore.
Auditing for AD LDS changes
A new audit policy subcategory, Directory Service Changes, is added to log old and new values when changes are made to objects and their attributes. For more information, see AD DS: Auditing.
Database Mounting Tool (Dsamain.exe)
Improves recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This feature eliminates the need to restore multiple backups to compare the AD LDS data that they contain. For more information, see AD DS: Database Mounting Tool.
Support for Active Directory Sites and Services
The Active Directory Sites and Services snap-in can be used to manage replication among AD LDS instances. For more information on the tool, see Step-by-Step Guide to Active Directory Sites and Services.
A dynamic list of LDAP Data Interchange Format (LDIF) files during instance setup
Custom LDIF files are available during AD LDS setup—in addition to the default LDIF files that are provided with AD LDS—by adding the files to the %systemroot%\ADAM directory.
Recursive linked-attribute queries
A single LDAP query can follow nested attribute links, which can be very useful in determining group membership and ancestry. For more information, see Microsoft Knowledge Base Article 914828.
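As an added illustration, not taken from the original article, the following Python shows the filter syntax such a recursive query uses (the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941, which is the rule KB 914828 describes) and reproduces locally, over a constructed set of group objects, what the server returns for it versus for a plain member=<dn> filter. The group DNs, the member values and the cycle between the two finance groups are constructed for the example; a live AD LDS instance performs the traversal itself when the filter is submitted.

```python
# Local model of a recursive linked-attribute query (LDAP_MATCHING_RULE_IN_CHAIN).
# The group objects are constructed for this example; no directory is contacted.
from collections import deque

IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID, used as (attribute:OID:=value)

# Constructed groups under an X.500-style naming context: group DN -> 'member' values.
DIRECTORY = {
    "CN=Finance-Admins,O=Fabrikam,C=US": [
        "CN=Finance-Users,O=Fabrikam,C=US",
        "CN=Alice,O=Fabrikam,C=US",
    ],
    "CN=Finance-Users,O=Fabrikam,C=US": [
        "CN=Bob,O=Fabrikam,C=US",
        "CN=Finance-Admins,O=Fabrikam,C=US",  # nests back into its parent: a cycle
    ],
    "CN=HR,O=Fabrikam,C=US": ["CN=Carol,O=Fabrikam,C=US"],
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied DN cannot change the filter's structure."""
    for char, code in (("\\", "5c"), ("*", "2a"), ("(", "28"), (")", "29"), ("\0", "00")):
        value = value.replace(char, "\\" + code)
    return value

def chain_filter(attribute: str, dn: str) -> str:
    """Filter that asks the server to follow `attribute` links transitively to `dn`."""
    return f"({attribute}:{IN_CHAIN}:={escape_filter_value(dn)})"

def direct_groups_of(dn: str, directory=DIRECTORY) -> set:
    """What the plain equality filter (member=<dn>) matches: one level only."""
    return {group for group, members in directory.items() if dn in members}

def groups_of(dn: str, directory=DIRECTORY) -> set:
    """What (member:<IN_CHAIN>:=<dn>) matches: every group reached through any chain
    of member links. The `found` set stops the walk when groups nest in a cycle."""
    found, queue = set(), deque([dn])
    while queue:
        current = queue.popleft()
        for group in direct_groups_of(current, directory) - found:
            found.add(group)
            queue.append(group)
    return found

if __name__ == "__main__":
    alice = "CN=Alice,O=Fabrikam,C=US"
    print(chain_filter("member", alice))
    print("direct:", sorted(direct_groups_of(alice)))
    print("nested:", sorted(groups_of(alice)))
```

Comparing the two sets for an account is the same check an access review performs: direct_groups_of shows what is visible at one level, groups_of shows the membership the account actually holds through nesting.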