Lightweight Directory Access Protocol (LDAP) directories are commonplace in today's enterprise. It isn't unusual to find one directory that supports authentication and management of users and computers, another that supports VPN users, and a third that supports public key infrastructure (PKI). The growing sophistication of applications available to extranet and Internet users typified by business-to-business (B2B), business-to-consumer (B2C), and government-to-citizen systems has led to increased use of directories in the demilitarized zone (DMZ), too. Although Active Directory (AD) can support all these applications, AD requires a supporting infrastructure, such as DNS services, and significantly increases management overhead. Consequently, AD might be too heavyweight a solution for environments that require only a simple LDAP directory. In other cases, organizations that have deployed LDAP directories struggle with the problem of integrating directory security with OS security, often having to manage each separately and with different sets of credentials.
Active Directory Application Mode (ADAM), a full-featured yet flexible LDAP directory that can leverage the native security mechanisms of the Windows platform, solves both problems. In addition to supporting many Windows Server 2003 and Windows 2000 Server AD features, ADAM supports some non-AD features and can run on both Windows 2003 and Windows XP Service Pack 1 (SP1). Unlike AD, ADAM lets multiple instances run on one server, including a domain controller (DC), and you can specify which ports an ADAM instance listens on for LDAP requests. (You can't currently specify which interfaces and IP addresses ADAM listens on, however.) ADAM uses the same multimaster replication model that AD uses and supports sites that use scheduled intersite replication.
Windows 2003 licensees can download ADAM from Microsoft's Web site. In this article, I discuss how to install ADAM, populate it with user information, and integrate it with AD.
Installation
The ADAM download package is a little larger than 8MB. When you run the package, it prompts you for the folder to which to write the installation files. To install ADAM, simply execute the adamsetup.exe file. You must be a member of the Administrators group on the system on which you want to install ADAM.
The Active Directory Application Mode Setup Wizard helps you install and configure ADAM. The wizard's first page is the welcome page, which is followed by the End User License Agreement (EULA), then by a page that asks whether you want to install both ADAM and the accompanying tools or just ADAM itself. In the next step, the wizard asks whether you want to install a unique instance of ADAM or an instance that will be a replica of another local or remote instance. Whether you create a unique instance or a replica, the wizard prompts you for the name you want to give the instance and the ports that the instance will listen on; the default ports are TCP 389 for LDAP and TCP 636 for LDAP over Secure Sockets Layer (SSL). The instance name and the ports that the instance will listen on must be unique on the server. If you install ADAM on a DC or a server that's already running ADAM, the default ports will be in use and you'll need to select alternative ports.
When you create a unique instance of ADAM, the wizard asks whether it should create an application partition. If you're installing ADAM to support an application that will create its own partitions, you can elect not to create a partition; otherwise, you'll need to create a partition and specify its distinguished name (DN), for example CN=Partition,DC=CONTOSO,DC=COM. If you install an instance of ADAM that isn't unique (i.e., a replica of an existing instance that you want to use to form a replication set), the wizard prompts you to enter the host name and port number of an existing instance whose configuration and data the wizard can replicate, as Figure 1 shows. Subsequent steps request credentials for an account that has administrative privileges to the instance you're replicating and the partitions to replicate, as Figure 2 shows.
Next, the wizard prompts you for the location of the directory data and recovery files. ADAM can run under the context of the system's Network Service account or a named user account; the wizard lets you choose which you want to use. If your system isn't a member of a domain, you need to use a named user account if the instance is a replica or if you intend to create replicas of the instance later; for replication to work, the username and password must be the same for all instances. You need to ensure that any account you use as a service account for ADAM has the necessary privileges to log on as a service.
The next wizard step lets you select ADAM administrators. You can elect to make the logged-on user an administrator or name another user or group of users. If you're creating an application partition, you can select LDAP Data Interchange Format (LDIF) files to import into the instance's schema. ADAM ships with four LDIF files:
- MS-AZMan.ldf supports the Microsoft Authorization Manager, a framework for implementing role-based access-control security.
- MS-InetOrgPerson.ldf contains an implementation of Internet Engineering Task Force (IETF) Request for Comments (RFC) 2798's inetOrgPerson class, a standard object class that most modern LDAP directories use. (This class is available in Windows 2003 and as an extension to the Win2K AD schema.)
- MS-User.ldf contains a class that's similar to the Windows 2003 and Win2K AD User class.
- MS-UserProxy.ldf contains a class for creating proxy user objects in ADAM that map to user objects in AD and that AD can authenticate.
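Once the partition exists and MS-InetOrgPerson.ldf has been imported, populating it with users is a matter of producing correctly formed LDIF. The script below is an added example (not code from the article or from Microsoft) that generates an RFC 2849 LDIF file of inetOrgPerson entries under the article's example partition DN, CN=Partition,DC=CONTOSO,DC=COM. The OU=People container and the three user records are constructed for illustration. The points it demonstrates are the ones that bite in practice: RDN values are escaped per RFC 4514 so a user-supplied name containing a comma cannot change the shape of the DN, and any value that is not LDIF-safe (leading space, non-ASCII, embedded newline) is written in the base64 `::` form rather than corrupting the file.

```python
"""Generate an RFC 2849 LDIF file that populates an ADAM application
partition with inetOrgPerson entries (the class MS-InetOrgPerson.ldf adds).

Added example, not code from the article or from Microsoft.  The partition DN
CN=Partition,DC=CONTOSO,DC=COM is the article's own example; the OU name and
the user records are constructed for illustration.
"""
import base64
import re

PARTITION_DN = "CN=Partition,DC=CONTOSO,DC=COM"   # article's example partition
PEOPLE_OU = f"OU=People,{PARTITION_DN}"            # constructed container
LDIF_LINE_MAX = 76                                 # RFC 2849 wraps at 76 columns

# RFC 2849: a value may follow a single colon only if it is printable ASCII
# (no NUL, CR, LF, non-ASCII) and does not start with space, ':' or '<'.
_SAFE_STRING = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x7f]*$")
_SAFE_LEAD = re.compile(r"^[^ :<]")
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a name containing ',' or '+'
    cannot add an extra RDN or otherwise change the DN's shape."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _DN_SPECIAL
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def encode_attr(name: str, value) -> str:
    """Return one 'name: value' line, switching to 'name:: base64' when the
    value is not LDIF-safe (leading space/colon, non-ASCII, newlines, bytes)."""
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    text = str(value)
    if _SAFE_STRING.match(text) and (text == "" or _SAFE_LEAD.match(text)):
        return f"{name}: {text}"
    return f"{name}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"


def fold(line: str) -> str:
    """Wrap a long line; each continuation line begins with a single space."""
    if len(line) <= LDIF_LINE_MAX:
        return line
    parts = [line[:LDIF_LINE_MAX]]
    rest = line[LDIF_LINE_MAX:]
    while rest:
        parts.append(" " + rest[:LDIF_LINE_MAX - 1])
        rest = rest[LDIF_LINE_MAX - 1:]
    return "\n".join(parts)


def ldif_entry(dn: str, attrs: dict) -> str:
    """Serialise one 'add' record; multi-valued attributes give one line each."""
    lines = [encode_attr("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for v in (values if isinstance(values, (list, tuple)) else [values]):
            lines.append(encode_attr(name, v))
    return "\n".join(fold(l) for l in lines) + "\n"


def inetorgperson_entry(container_dn: str, cn: str, sn: str, mail: str) -> str:
    """Build an inetOrgPerson under container_dn with an escaped CN= RDN."""
    dn = f"CN={escape_rdn_value(cn)},{container_dn}"
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": cn, "sn": sn, "mail": mail,
    }
    return ldif_entry(dn, attrs)


def build_ldif(container_dn: str, people: list) -> str:
    """Emit the container OU first (parents before children), then each user."""
    ou_name = container_dn.split(",", 1)[0].split("=", 1)[1]
    records = [ldif_entry(container_dn,
                          {"objectClass": ["top", "organizationalUnit"], "ou": ou_name})]
    records += [inetorgperson_entry(container_dn, **p) for p in people]
    return "\n".join(records)


# Constructed sample records: one plain, one with a comma in the name, one
# with a non-ASCII surname (forces base64) to exercise the escaping paths.
SAMPLE_PEOPLE = [
    {"cn": "Alice Example", "sn": "Example", "mail": "alice@contoso.example"},
    {"cn": "Doe, John", "sn": "Doe", "mail": "john.doe@contoso.example"},
    {"cn": "Erika Mueller", "sn": "Müller", "mail": "erika@contoso.example"},
]

if __name__ == "__main__":
    print(build_ldif(PEOPLE_OU, SAMPLE_PEOPLE), end="")
```

Redirect the output to a file and import it with the ldifde tool that ships with ADAM, passing `-s` for the host and `-t` for whichever LDAP port you gave the instance (necessary when you had to move off the default 389 because a DC or another instance already holds it). Because the script writes the OU record before the user records, the import does not fail on a missing parent.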