Prepare Directory Servers: Active Directory Lightweight Directory Services (AD LDS)

Created: 2012-04-20 08:09:59
Modified: 2020-07-13 13:29:52
Tags: AD LDS ADAM System Requirements UnitySync

Active Directory Lightweight Directory Services (AD LDS, and formerly known as ADAM), is so customizable that it’s difficult to create a generic default configuration for it. That said, here are configuration tips for syncing to/from AD LDS. If you have trouble configuring or running test connections to your AD LDS directory, contact Support@dirwiz.com for assistance.

Configuration Requirements

  • You can use the default AD LDS schema
  • Create a dedicated UnitySync user account.
  • If you need to synchronize an expanded attribute set in AD LDS, you will need to create a custom sourcedef and custom mapping. Please contact support@dirwiz.com for guidance.
  • The UnitySync AD LDS User Account may be made a member of the AD LDS admin group or you may assign special permissions to grant the UnitySync user account permissions to individual Destination AD LDS containers. Details on how to configure the AD LDS User Account follow.

Create the UnitySync AD LDS User Account and Sync Container

Find below the steps required to create the UnitySync AD LDS User Account and the AD LDS sync container. Perform the following steps in ADSI Edit:

  • Create the Sync container (where the sync will create objects):

    • Select the root in which to create the new container.
    • Click New > Object > Organizational Unit > Next
    • Enter the container name value (i.e. Jons World), click Next, click Finish.
    • If your AD LDS user login will not be an Admin account, you’ll need to apply Special Permissions , giving your non Admin user account write access.
  • Create the AD LDS UnitySync user login account

    • Select the root in which to create the UnitySync user account.
    • Click New > Object > User > Next
    • Enter the user name value (i.e. JonDoe), click Next, click Finish.
    • Right click the new user (i.e. CN=JonDoe), select Reset Password.
    • Enter the password, confirm password and click OK.
    • Open CN=Roles.
    • Richt Click CN=Readers, select Properites.
    • Double click the attribute ‘Member’.
    • Click Add AD LDS Account.
    • Enter the DN of your UnitySync User Account (i.e. cn=JonDoe,dc=acme), click OK.
    • Click OK
    • Right click your UnitySync user account (i.e. CN=JonDoe), select Properties.
    • Double click attribute msDS-UserAccountDisabled, select FALSE, click OK.
    • Double click attribute msDS-UserDontExpirePassword, select TRUE, click OK.

IMPORTANT NOTE: The DontExpirePassword setting is not required, but recommended. The password is specified in each UnitySync connection. If this is set to False and your password will expire and be reset regularly, you must modify your UnitySync connections to include the new password at the same time.

Login ID Syntax and Sync Container Configuration

Preferred login ID syntax is user@domain.com. Please be sure userprincipalname is set to this format.

In order for your UnitySync AD LDS User account to have appropriate permissions to manage objects in your AD LDS directory, you may make your UnitySync AD LDS user account a member of the ADMIN group (recommended).

OR

You may apply ‘Special Permissions’ on the Sync container, granting the UnitySync AD LDS user account permissions to just that one container.

To Configure Special Permissions

You must first complete the steps outlined above for Creating your ADAM UnitySync User Account and Sync Container.

Refer to instructions on configuring your LDS user permissions in the related Microsoft Technet articles: https://technet.microsoft.com/en-us/library/hh831593.aspx

IMPORTANT NOTE: Please keep in mind when configuring the AD LDS User permissions, the UnitySync user must have permission to create, modify, and delete child objects (including contacts and sub-ou’s) within the Sync Container.

Tips for Configuring Your Connection

  • Select the Map Template for adam.

  • For AD LDS Destination connections:

    • Destination tabs Placement DN is required.
    • On Sync, Inetorgperson object types are created.
  • For AD LDS Source connections:

    • Source tabs Selection DN is required.
    • On Discovery, Users and Inetorgperson types are pulled.
Knowledgebase

Directory
  1. Directify - Self Service

  2. Mimic - Replication

  3. UnitySync - Sync
Password
  1. emPass - Sync
Obsolete
  1. Profiler
  2. SimpleSync