July 17, 2013

Configuring AD LDS to sync with Multiple AD Domains


Problem

- You have user accounts in two domains that you need to authenticate from an application that can only bind to one LDAP server at a time.

Prerequisites
- Windows Server 2008 R2
- 2 Active Directory domains with a trust between the two

Solution

1. Install the AD LDS role on a server

2. Open the AD LDS Setup Wizard and create a new unique instance

  • Application directory partition: DC=Combined,DC=Com


3. Use AD Schema Analyzer to compare the AD schema of the first domain to the AD LDS instance and export the differences to a schema file.

  • Open c:\windows\adam\ADSchemaAnalyzer
  • Load target schema (AD domain controller)
  • Load base schema (AD LDS instance)
  • Click on Schema and select "Mark all non-present elements as included"
  • Click File and select "Create LDIF file" to save the differences to a file


4. Import the schema file from the previous step into the AD LDS configuration partition
  • c:\windows\adam\ldifde -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f Domain1-ExportedSchemaFile.LDF

5. Repeat steps 3 & 4 for each additional domain you will be syncing with the AD LDS instance. Reload the base schema from the AD LDS instance each time so the next LDIF only contains elements that are still missing.

6. Import the ADAMSync metadata into the AD LDS instance
     - c:\windows\adam\ldifde.exe -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f MS-AdamSyncMetadata.LDF

8. Make a copy of c:\windows\adam\ms-adamsyncconf.xml for each domain you are syncing.
     - Domain-MS-ADAMSyncConf.xml

9. Edit each Domain-MS-AdamSyncConf.XML file with the details for that domain: at minimum the source domain name, the source partition DN, the target DN in the AD LDS instance, and the query base DN and object filter. Keep the object filter as narrow as the application needs (for example user accounts only) so nothing unnecessary is copied into the instance.

10. Install each XML config file with the ADAMSync command below, one at a time:
     - C:\WINDOWS\adam\adamsync.exe /install localhost C:\Windows\ADAM\Domain-MS-AdamSyncConf.XML /passprompt

11. Run a sync with the ADAMSync command
     - C:\WINDOWS\adam\adamsync /sync localhost "dc=combined,dc=com" /log c:\windows\adam\Logs\synclog.txt

12. Repeat steps 10 & 11 for each XML config file. Let each sync finish before installing the next configuration, because /install replaces the configuration stored on the target DN.
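Steps 8 to 12 as one scheduled job, as an added example that is not part of the original post. The script builds one configuration file per source domain from the sample file, then installs and syncs each domain in turn, only moving on when the previous sync has exited and its log is clean. It assumes (none of this is stated in the post) that the AD LDS instance listens on the default port so "localhost" is enough, that the account running the job has read access to every source domain (the source-ad-account element is left empty so that account is used, which avoids /passprompt), and that the sample file C:\Windows\ADAM\MS-AdamSyncConf.xml contains the elements source-ad-name, source-ad-partition, source-ad-account, account-domain, target-dn, query/base-dn and query/object-filter. The domain names and DNs are constructed sample values.

```powershell
# Added example, not the original post's code. Installs and syncs one ADAMSync
# configuration per source domain, strictly one after another.
$Adam     = 'C:\Windows\ADAM'
$Server   = 'localhost'                  # assumes the instance uses the default port
$TargetDn = 'dc=combined,dc=com'         # the application partition created in step 2
$LogDir   = Join-Path $Adam 'Logs'

# One entry per source domain (constructed sample values; replace with your own).
$Domains = @(
    @{ Name = 'corp.example.com'; Partition = 'dc=corp,dc=example,dc=com' },
    @{ Name = 'labs.example.net'; Partition = 'dc=labs,dc=example,dc=net' }
)

# The application only needs to authenticate people, so sync user accounts only.
# Computers, groups and everything else stay out of the AD LDS instance.
$ObjectFilter = '(&(objectCategory=person)(objectClass=user))'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function New-DomainSyncConfig {
    param([hashtable]$Domain)
    # Start from the sample file so every element ADAMSync expects is present,
    # then fill in only the domain-specific values (step 9).
    $xml = [xml](Get-Content -Path (Join-Path $Adam 'MS-AdamSyncConf.xml') -Raw)
    $cfg = $xml.SelectSingleNode('/doc/configuration')
    $cfg.SelectSingleNode('source-ad-name').InnerText      = $Domain.Name
    $cfg.SelectSingleNode('source-ad-partition').InnerText = $Domain.Partition
    $cfg.SelectSingleNode('source-ad-account').InnerText   = ''   # bind as the job's account
    $cfg.SelectSingleNode('account-domain').InnerText      = ''
    $cfg.SelectSingleNode('target-dn').InnerText           = $TargetDn
    $cfg.SelectSingleNode('query/base-dn').InnerText       = $Domain.Partition
    $cfg.SelectSingleNode('query/object-filter').InnerText = $ObjectFilter
    $path = Join-Path $Adam ('{0}-MS-AdamSyncConf.xml' -f $Domain.Name)
    $xml.Save($path)
    return $path
}

function Invoke-DomainSync {
    param([hashtable]$Domain)
    $config = New-DomainSyncConfig -Domain $Domain
    $log    = Join-Path $LogDir ('{0}-sync.txt' -f $Domain.Name)

    # Step 10. /install replaces whatever configuration is stored on the target DN,
    # which is why the domains must be processed one after another, never in parallel.
    & "$Adam\adamsync.exe" /install $Server $config
    if ($LASTEXITCODE -ne 0) { throw "adamsync /install failed for $($Domain.Name)" }

    # Step 11. The call returns only when adamsync has exited, so no fixed sleep
    # is needed before the next domain.
    & "$Adam\adamsync.exe" /sync $Server $TargetDn /log $log
    if ($LASTEXITCODE -ne 0) { throw "adamsync /sync failed for $($Domain.Name)" }

    # Per-entry failures are reported in the log rather than the exit code, so
    # scan it for the error text adamsync prints (the string seen in the comments).
    $errors = Select-String -Path $log -Pattern 'An internal error occurred'
    if ($errors) {
        $errors | Select-Object -First 5 | ForEach-Object { Write-Warning $_.Line }
        throw "Sync log for $($Domain.Name) contains errors; stopping before the next domain"
    }
}

# Step 12: repeat for every domain, in order.
foreach ($d in $Domains) {
    Write-Host "Syncing $($d.Name) ..."
    Invoke-DomainSync -Domain $d
}
```

Run the script from a scheduled task whose account has only read access to the source domains; because the source-ad-account element is blank, that is the identity ADAMSync binds with, so no password has to be stored in the XML or typed at a /passprompt. If an earlier domain fails, the script throws before the next /install, so a bad run never silently overwrites a good configuration.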

4 comments:

  1. This comment has been removed by the author.

  2. Jef - do you repeat steps 10/11 for each domain every time you want to sync, e.g. once a day? Does ADAMSync ignore users from a different domain when purging AD users that are deleted? Otherwise it would seem that each ADAMSync run would clobber the users from the other domains if there are duplicate OU names in each domain.

  3. Yes, that is correct: you have to run 10 & 11 for each domain, but you have to make sure the sync finishes before you run it for the next domain. In our environment I have a batch job that runs those two commands, and I give it about 5 minutes before I run the next domain sync.

  4. I followed all the steps but am getting an error while syncing computer objects. I can see 46 objects synced successfully, but on entry 47 I get an error. Any help?

    Processing Entry: Page 1, Frame 1, Entry 47, Count 1, USN 0

    Processing source entry

    Processing in-scope entry 6db978e7a8cfb744898a308d36d5453e.

    An internal error occurred: DnManip::DnManip.

    An internal error occurred: DnManip::DnManip.