AD LDS Question

    Question

  • Hello everyone,

    I don't know if I'm posting in the right forum, but I couldn't find an LDS forum.

    Windows Server 2012 R2 with AD LDS installed and configured.

    Instance contains two partitions. I'm basically importing users from two production domains to the two partitions - that's working fine.

    Question: Is there a way to have a user account that can have access (or bind) to both partitions?

    I tried creating a user account at the instance level and made that account a member of the Administrators role. I tried adding that account object to the Administrators container for each of the partitions, but this gave me an error message. I also created a user account on one of the production domains and made this account a member of the Administrators container in each partition. I was able to add the account, but I can't connect to either of the partitions.

    Thanks!

    Tuesday, November 29, 2016 3:42 PM

Answers

  • Okay, so here's how I did it.

    To recap, I have the default LDS instance (created when I installed the role), then I created two partitions.

    I'm importing users from two production domains to the two LDS partitions.

    Production.domain1.com -> DC=partition1,DC=CU-Presence,DC=com

    Production.domain2.com -> DC=partition2,DC=CU-Presence,DC=com

    The following was done on both LDS partitions.

    1. Go to Roles and open the properties of the Administrators object
    2. Find the member attribute and edit its properties, click on the Add Windows Account... button and add an account from one of your production domains
    3. Click OK all the way through to save the changes

    Next, right click on each partition and click on Update Schema Now and then restart LDS services.

    At this point, using LDAP.exe, connect to your LDS server and then bind to it using the account from step 2, then press CTRL+T to view a tree for one of the partitions.

    Note: My issue was that I was using an account from the local LDS instance.

    • Marked as answer by GonzEd Wednesday, November 30, 2016 8:33 PM
    Wednesday, November 30, 2016 8:33 PM
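    The procedure in the accepted answer, scripted, as an added example that is not part of the original thread or any Microsoft or Cisco documentation. It does the same thing as the "Add Windows Account..." button (adds a Windows security principal to the Administrators role of each application partition) and then verifies that the account can actually bind to and read each partition, which is the step that failed in the question. The server name, port, account name, and the `<SID=...>` member syntax are assumptions; the partition DNs are the ones given in the answer. Run it on a domain-joined machine as an account that already administers the AD LDS instance.

    ```powershell
    # Added example (not from the thread). Grants one production-domain account
    # membership in a role of each AD LDS partition, then test-binds as it.
    # Assumptions: host:port, account name and role are placeholders; the
    # <SID=...> DN form is assumed to make AD LDS create the matching
    # foreignSecurityPrincipal under CN=ForeignSecurityPrincipals,<partition>.
    Add-Type -AssemblyName System.DirectoryServices

    $LdsServer     = 'ldsserver.cu-presence.com:389'     # assumed host:port
    $DomainAccount = 'DOMAIN1\svc-ldsbind'               # assumed account
    $Role          = 'Administrators'                    # 'Readers' is enough for read-only binds
    $Partitions    = @('DC=partition1,DC=CU-Presence,DC=com',
                       'DC=partition2,DC=CU-Presence,DC=com')  # DNs from the answer

    # Resolve the Windows account to its SID. AD LDS stores Windows principals
    # as foreignSecurityPrincipal objects keyed by SID; that is what the
    # ADSI Edit "Add Windows Account..." button creates behind the scenes.
    $sid = ([System.Security.Principal.NTAccount]$DomainAccount).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    function Add-LdsRoleMember {
        param([string]$Server, [string]$PartitionDn, [string]$RoleName, [string]$MemberSid)
        $role = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/CN=$RoleName,CN=Roles,$PartitionDn")
        $role.RefreshCache(@('member'))
        # Skip if an FSP for this SID is already a member (idempotent re-runs).
        $already = $role.Properties['member'] | Where-Object { $_ -like "CN=$MemberSid,*" }
        if ($already) { return "already a member of $RoleName in $PartitionDn" }
        $role.Properties['member'].Add("<SID=$MemberSid>") | Out-Null
        $role.CommitChanges()
        return "added <SID=$MemberSid> to $RoleName in $PartitionDn"
    }

    function Test-LdsBind {
        # Binds with Negotiate (Kerberos/NTLM), which is what a Windows account
        # needs; a simple bind is what an LDS-local user object would use.
        param([string]$Server, [string]$PartitionDn,
              [System.Management.Automation.PSCredential]$Credential)
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$PartitionDn",
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        try {
            # Forces the bind and one attribute read of the partition root.
            $entry.RefreshCache(@('distinguishedName'))
            [pscustomobject]@{ Partition = $PartitionDn; Bound = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Partition = $PartitionDn; Bound = $false; Error = $_.Exception.Message }
        } finally {
            $entry.Dispose()
        }
    }

    foreach ($dn in $Partitions) {
        Add-LdsRoleMember -Server $LdsServer -PartitionDn $dn -RoleName $Role -MemberSid $sid
    }

    # Verify from the account's point of view: one credential, every partition.
    $cred = Get-Credential -UserName $DomainAccount -Message 'Password for the bind account'
    $Partitions | ForEach-Object { Test-LdsBind -Server $LdsServer -PartitionDn $_ -Credential $cred } |
        Format-Table -AutoSize
    ```

    Two practical notes. First, the account is added once per partition because each application partition carries its own CN=Roles container and its own role membership; there is no instance-wide group that spans partitions. Second, the Administrators role has full control of the partition, including the objects you import from production. If the single account exists only so that a consumer such as Call Manager can bind and read users, put it in the partition's built-in Readers role instead (set `$Role = 'Readers'`), which is enough for an LDAP bind plus searches and keeps a compromised consumer credential from rewriting the directory.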

All replies

  • I believe that this will not be possible, taking into account that these are distinct bases, each with its own schema. What you can do is keep LDS syncing from your AD DS.

    Look: https://technet.microsoft.com/en-us/library/cc770408(v=ws.11).aspx

    Tuesday, November 29, 2016 4:53 PM
  • Yeah, I'm already syncing from my production AD to LDS and that's working properly.

    The issue I'm referring to is because Cisco's Call Manager has a somewhat outdated document that states that it is possible. In their documentation they're using a single user account to access several partitions in LDS.

    Tuesday, November 29, 2016 4:59 PM
  • Have you tried something like this?

    https://adamsync.wordpress.com/2012/05/11/adding-builtinadministrators-to-ad-lds-administrators/

  • Thanks for taking the time. It looks like this is for importing a local Administrator account to an LDS instance. I'm able to do that just fine. I need to be able to bind to several instances in an LDS partition using a single account.
    Tuesday, November 29, 2016 7:40 PM
  • Hi,
    As far as I know, we can run multiple AD LDS instances on a single computer. Each instance runs as a separate service in its own execution context. I have not found clearer official documents regarding this question.
    In addition, based on my experience, when creating an AD LDS instance and selecting a service account to manage the instance, I have been able to select the same service account while creating another LDS instance. Just a reference for your question.
    Please see: https://technet.microsoft.com/en-us/library/cc816778(v=ws.10).aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 30, 2016 8:56 AM
    Moderator
  • Hi,
    Thanks for the update and for sharing.
    Best regards,
    Wendy


    Thursday, December 1, 2016 1:55 AM
    Moderator