Configuring AD LDS to sync with Multiple AD Domains
Problem
Prerequisites
- Windows 2008 R2
- 2 Active Directory Domains with a trust between the two
Solution:
1. Install AD LDS Role on a server
- Application directory partition: DC=Combined,DC=Com
- Open c:\windows\adam\ADSchemaAnalyzer
- Load target schema (AD Domain controller)
- Load Base Schema (AD LDS Instance)
- Click on Schema and select "Mark all non-present elements as included"
- Click file and select Create LDIF file to save the differences to a file
- c:\windows\adam\ldifde -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f Domain1-ExportedSchemaFile.LDF
5. Follow steps 3 & 4 for each additional domain you will be syncing with the AD LDS Instance
6. Import ADAMSync metadata to the LDS Instance
- ldifde.exe -i -s localhost -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f MS-AdamSyncMetadata.LDF
- Domain
10. Install each domain's XML config file using the ADAMSync commands below, one domain at a time:
- C:\WINDOWS\adam\adamsync.exe /install localhost C:\Windows\ADAM\Domain
- C:\WINDOWS\adam\adamsync /sync localhost "dc=combined,dc=com" /log c:\windows\adam\Logs\synclog.txt
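The per-domain install-and-sync loop from steps 10 and 11 (and the "wait for the sync to finish before the next domain" point raised in the comments), as an added PowerShell example that is not part of the original post; the config file names, the domain list and the Logs directory are assumptions:

```powershell
# Added example (not from the original post): runs steps 10 and 11 for each
# domain back to back and waits for each sync to finish before starting the next.
# Paths, XML file names and the domain list are assumptions for illustration.
$AdamDir  = 'C:\Windows\ADAM'
$LogDir   = Join-Path $AdamDir 'Logs'
$Instance = 'localhost'            # AD LDS instance (host[:port])
$ConfigDn = 'dc=combined,dc=com'   # application partition created in step 1

# Hypothetical per-domain ADAMSync XML files prepared in the earlier steps
$DomainConfigs = @(
    (Join-Path $AdamDir 'Domain1-Sync.xml'),
    (Join-Path $AdamDir 'Domain2-Sync.xml')
)

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

function Invoke-AdamSync {
    param([string[]]$Arguments, [string]$Step)
    # -Wait blocks until adamsync.exe exits, so the next domain only starts once
    # this one is done (replaces a fixed sleep between domain syncs)
    $p = Start-Process -FilePath (Join-Path $AdamDir 'adamsync.exe') `
            -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "adamsync /$Step failed with exit code $($p.ExitCode)"
    }
}

foreach ($config in $DomainConfigs) {
    $name = [IO.Path]::GetFileNameWithoutExtension($config)
    $log  = Join-Path $LogDir "synclog-$name-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"

    Write-Host "[$name] installing sync configuration (step 10)"
    Invoke-AdamSync -Step 'install' -Arguments @('/install', $Instance, "`"$config`"")

    Write-Host "[$name] syncing into $ConfigDn (step 11), log: $log"
    Invoke-AdamSync -Step 'sync' -Arguments @('/sync', $Instance, "`"$ConfigDn`"", '/log', "`"$log`"")

    # The exit code is only a first signal; scan the per-domain log as well so a
    # failed domain is noticed instead of being silently skipped
    if (Select-String -Path $log -Pattern 'error|fail' -Quiet) {
        Write-Warning "[$name] log contains errors, review $log before trusting the result"
    }
}
```

Each run writes a separate timestamped log per domain, so the output of one domain's sync is not overwritten by the next.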
Jef - do you repeat steps 10/11 for each domain every time you want to sync, e.g. once a day? Does ADAMSync ignore users from a different domain when purging AD users that are deleted? Otherwise it would seem that each ADAMSync would clobber the users from other domains if there are duplicate OU names in each domain.
Yes, that is correct: you have to run 10 & 11 for each domain, but you have to make sure the sync finishes before you run it for the next domain. In our environment I have a batch job that runs those two commands and I give it about 5 minutes before I run the next domain sync.