Configuring AD LDS to sync with Multiple AD Domains

Problem

- You have user accounts in two domains that you would like to be able to authenticate from an application that can only look at one LDAP server at a time.

Prerequisites
- Windows 2008 R2
- 2 Active Directory Domains with a trust between the two

Solution:

1. Install AD LDS Role on a server

2. Open the LDS Wizard and create a new unique instance

• Application directory partition: DC=Combined,DC=Com

3. Use AD Schema Analyzer to compare the AD of the first domain to the AD LDS instance and export the schema file.

• Open c:\windows\adam\ADSchemaAnalyzer
• Load target schema (AD Domain controller)
• Load Base Schema (AD LDS Instance)
• Click on schema and select "Mark all no present elements as included"
• Click file and select Create LDIF file to save the differences to a file

4. Import Schema file from previous step

• c:\windows\adam\ldifde -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f Domain1-ExportedSchemaFile.LDF

5. Follow steps 3 & 4 for each additional domain you will be syncing with the AD LDS Instance

6. Import ADAMSync metadata to the LDS Instance
     - ldifde.exe -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f MS-AdamSyncMetadata.LDF

8. Make a copy of the c:\windows\adam\ms-adamsyncconf.xml and create a config file for each domain you are syncing.
     - Domain-MS-ADAMSyncConf.xml

9. Edit the Domain-MS-AdamSyncConf.XML file with the appropriate details for your domain

10. Install the XML config file using the ADAMSync command below one at a time:
     - C:\WINDOWS\adam\adamsync.exe /install localhost C:\Windows\ADAM\Domain-MS-AdamSyncConf.XML /passprompt

11. Run a Sync using ADAMSync command
     - C:\WINDOWS\adam\adamsync /sync localhost "dc=combined,dc=com" /log c:\windows\adam\Logs\synclog.txt

12. Repeat steps 10 & 11 for each XML config file.