Introduction to Lightweight Directory Services

ITFreeTraining
Lightweight Directory Services is a lightweight version of Active Directory Domain Services. This video provides an introduction to Lightweight Directory Services and what it can and cannot do.

Download the PDF handout: itfreetraining.com/handouts/adlds/adlds-intro.pdf

AD LDS

Active Directory Lightweight Directory Services (AD LDS) was originally a downloadable add-on to Windows Server called Active Directory Application Mode (ADAM). In Windows Server 2008 this became an additional role included in the operating system. AD LDS uses the same code as AD DS and thus provides some of the same functionality. As you will see, it provides a lot of the same functionality but is also flexible enough to offer additional options that are not possible using AD DS.

AD LDS Example

In this example, a user needs to access a web server. This web server has been placed on a perimeter network and is separated from the internet and the internal network by a firewall. The web server needs to be able to authenticate users; however, for security reasons the company does not want to place a Domain Controller on the perimeter network. Rather than install a Domain Controller on the perimeter network, another option is to install AD LDS on the web server. Since it uses the same code base as a Domain Controller, it is able to authenticate users the same way a Domain Controller would. In order to achieve this, the user database is replicated from a Domain Controller on the commercial network to the perimeter network. AD LDS also allows you to choose which data you want to replicate; for example, you could choose to replicate the user data but not the group data. AD LDS also supports additional data being added. This means additional data that the web server needs can be stored in and accessed through AD LDS, so this additional data does not need to be added to AD DS. This solution helps keep Active Directory secure and also helps prevent extra data being added to the database.

Differences between AD LDS and AD DS

AD LDS is designed more to run software than to run domains, so it is not a replacement for AD DS. It can run on a computer that is in a workgroup, does not require DNS and can also run on client operating systems like Windows 7 and 8. For this reason, it is a good choice for application support and for testing. For example, a developer can have their own install running on their client operating system and thus be able to make whatever changes they want, something that is not possible using a production domain. AD LDS supports multiple instances as well, so the administrator is free to create as many local copies as they wish.

AD LDS does not support domain features like group policy, global catalog support and the ability to manage workstations. For this reason it cannot be used as a replacement for Domain Controllers. Even though these domain features are not available, AD LDS does support sites and replication. This means AD LDS installations can replicate data between each other and also with Domain Controllers; however, trusts are not supported, so this limits an AD LDS instance to working with only the one domain.

Differences between Directory Services and Databases

A directory service and a database work in fundamentally different ways. For this reason they tend to be used for different types of applications. Directory Services are hierarchical, allowing security to be applied to an object. If you want to add additional objects you need to change the schema. Changes to the schema cannot be undone after they have been made. Since Directory Services are hierarchical in nature, they can perform fast searches; for example, looking up a person in the Directory Service would be quite fast. Directory Services can be modified in multiple locations at the same time. If multiple changes are made at the same time, the last write performed will overwrite any previous writes.
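
Added example (not from the video or from Microsoft's code): a small Python model of how two writable instances reconcile changes to the same attribute. It goes slightly beyond the "last write wins" summary above: AD DS and AD LDS replication compares a per-attribute stamp by version number first, then timestamp, then originating server GUID. The class, function names and sample values are constructed for illustration, and GUIDs are compared as plain strings.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Stamp:
    """Per-attribute replication stamp (constructed model, not an AD API)."""
    version: int        # incremented on every originating write
    written: datetime   # time of the originating write
    origin_guid: str    # GUID of the instance that made the write

    def key(self):
        # Compared in this order: version, then timestamp, then origin GUID.
        return (self.version, self.written, self.origin_guid)

def resolve(local, incoming):
    """Return the (value, Stamp) pair that survives a replication conflict."""
    return incoming if incoming[1].key() > local[1].key() else local

def replicate(replica_a, replica_b):
    """Merge two replicas attribute by attribute; both converge on the result."""
    merged = {}
    for attr in replica_a.keys() | replica_b.keys():
        a, b = replica_a.get(attr), replica_b.get(attr)
        merged[attr] = a if b is None else b if a is None else resolve(a, b)
    return merged

def t(minute):
    return datetime(2024, 1, 1, 10, minute, tzinfo=timezone.utc)

# Constructed sample data: the same user object edited on two instances.
GUID_A = "11111111-0000-0000-0000-000000000000"
GUID_B = "22222222-0000-0000-0000-000000000000"
INSTANCE_A = {
    "telephoneNumber": ("555-0100", Stamp(2, t(0), GUID_A)),
    "title": ("Senior Engineer", Stamp(3, t(1), GUID_A)),  # written twice on A
}
INSTANCE_B = {
    "telephoneNumber": ("555-0199", Stamp(2, t(5), GUID_B)),
    "title": ("Engineer", Stamp(2, t(5), GUID_B)),
}

def demo():
    merged = replicate(INSTANCE_A, INSTANCE_B)
    return {attr: value for attr, (value, _) in merged.items()}

if __name__ == "__main__":
    print(demo())
```

The telephone number follows the later write, but the title written at 10:01 survives the 10:05 write because its version number is higher.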

A relational database, in comparison, offers faster write times than a directory service as the data is stored in rows and columns rather than a hierarchy. Data is locked before it is updated, so there is no chance that data will be changed in two locations at the same time. A relational database does not have a schema, so the layout of the data can be changed at any time. This includes the ability to reverse changes later on, which is not possible with a Directory Service.

For the rest of the description please see itfreetraining.com/adlds#intro

See / itfreetraining or itfreetraining.com/ for our always free training videos. This is only one video from the many free courses available on YouTube.

References

"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 731-741
"Active Directory Lightweight Directory Services Overview" technet.microsoft.com/en-us/library/hh831593.aspx

Published 11 years ago, on 1392/07/28.
Viewed 103,290 times.