
In my learning of the AD DS ecosystem I came across this definition [link]:

By using the Windows Server® 2008 Active Directory® Lightweight Directory Services (AD LDS) role, formerly known as Active Directory Application Mode (ADAM), you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirements of a single schema throughout a forest.

I don't quite understand what the last sentence means. Last month I started with AD DS for the very first time and now I'm securing a lot of meanings. I'm showing and summarizing for you what I know and what I understand, so you can get an idea of my current knowledge:

  • Directory: the structure.
  • Directory Service: manager of a directory. Like a database manager but designed and enhanced for directories. X.500 is the most accepted and known standard set of protocols to define directory services.
  • LDAP: the most accepted and known protocol to define directory services that work over a TCP/IP network.
  • AD

    AD is a Microsoft database to store user logon and group information, and configuration information that drives group policy and other application software. (Active Directory explained)

  • AD DS:

    Microsoft's Directory Server. (What is Active Directory Domain Services and how does it work?)

    Set of services and applications provided by Microsoft to administer resources, users, authentication, authorization, etc. over a network.

  • AD LDS: directory service belonging to AD DS.
  • AD definitions I already know too: domain, domain controller, tree, forest and namespace.
  • Schema: it defines object classes structures within a directory.
  • Directory-enabled application:

A directory-enabled application is an application that uses a naming or directory service. (http://docs.oracle.com/javase/jndi/tutorial/getStarted/concepts/java.html)

Now, what does "you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirements of a single schema throughout a forest." mean? What is a single-schema? Why is this an advantage?

Thanks in advance.

Noob_Number_1

1 Answer


AD LDS can provide you with an LDAP solution that can refer to the Windows authentication available in your Active Directory environment, but does not require replication.
In other words, there are no schema changes required to install AD LDS for an LDAP-enabled application. As such you can install several AD LDS-connected applications, each of which has its own directory data stored locally, with its own schema, without affecting the main directory schema.

The advantage is that you don't need to replicate anything to your main schema, which lowers replication traffic as a result.

Relevant quote from the Microsoft documentation:

AD LDS can store “private” directory data, which is relevant only to the application, in a local directory service—possibly on the same server as the application—without requiring any additional configuration to the server operating system directory. This data, which is relevant only to the application and which does not have to be widely replicated, is stored solely in the AD LDS directory that is associated with the application. This solution reduces replication traffic on the network between domain controllers that serve the server operating system directory. However, if necessary you can configure this data to be replicated between multiple AD LDS instances.

Reaces
  • Ok. I think I'm starting to understand it but then I wonder what is the relation between schema and applications, where schema stands for "The schema contains definitions of all object classes (or object categories) and attributes that make up that object. That is, the schema is where the rules are about what kind of objects can be stored in the directory and what attributes are associated with each type of object." (Active Directory for dummies, 2nd edition, S. Clines and M. Loughry) – Noob_Number_1 Aug 19 '15 at 09:58
  • Are we talking about the same schema? – Noob_Number_1 Aug 19 '15 at 09:59
  • @Noob_Number_1 Applications connect to your LDAP to authenticate. The schema is the object definitions contained in your LDAP directory. In this case the AD LDS has a separate schema from the main directory services. I'm starting to get the feeling that you're here to answer some homework questions? – Reaces Aug 19 '15 at 09:59
  • Sorry, I don't quite understand what you mean by homework questions. This question is only for me. I learned a lot of new definitions in the last weeks (due to my job) and I want to be sure I really understand them. If I'm doing something wrong, I apologize. – Noob_Number_1 Aug 19 '15 at 10:04
  • If I understand it well, applications require some additional information from objects of the directory to do their stuff, and this information lives in the application's own schema, which doesn't need to be replicated, although you can do it. If any change is done in this own schema, and since you don't have to replicate it, no additional traffic is generated. – Noob_Number_1 Aug 19 '15 at 10:10
  • I suppose that it's quite hard to understand and assure all this knowledge at the beginning, until you put it into practice. I'm feeling I am swimming in a whole new ocean full of definitions, concepts and so on. Thanks for your help, @Reaces – Noob_Number_1 Aug 19 '15 at 10:27
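As an added illustration of the answer's point about separate schemas (this is example code written for this page, not code from the question, the answer or Microsoft), the PowerShell session below extends the schema of one AD LDS instance with an application-specific attribute and auxiliary class, then runs the same schema search against the AD LDS instance and against the domain controller to show that the forest schema was never touched. It assumes an AD LDS instance listening on localhost:50000, that the caller is a member of that instance's Administrators role, that the ActiveDirectory PowerShell module is installed, and that the OIDs are placeholders for OIDs from your own registered arc.

```powershell
# Assumptions (not from the page): AD LDS on localhost:50000, caller in its
# Administrators role, ActiveDirectory module present, placeholder OIDs below.
$Server = 'localhost:50000'

# LDIF in the style of the MS-*.LDF files that ship with AD LDS: DC=X is a
# token that ldifde rewrites to the instance's real schema naming context.
$Ldif = @'
dn: CN=myApp-ProfileColor,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: myApp-ProfileColor
lDAPDisplayName: myApp-ProfileColor
attributeID: 1.2.840.113556.1.8000.2554.99999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=myApp-Profile,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
cn: myApp-Profile
lDAPDisplayName: myApp-Profile
governsID: 1.2.840.113556.1.8000.2554.99999.2
objectClassCategory: 3
subClassOf: top
mayContain: myApp-ProfileColor

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
'@
$LdfPath = Join-Path $env:TEMP 'myApp-schema.ldf'
Set-Content -Path $LdfPath -Value $Ldif -Encoding ASCII
# -c maps DC=X onto this instance's schemaNamingContext; -k ignores
# "already exists" errors so the import can be re-run safely.
ldifde -i -f $LdfPath -s $Server -k -j $env:TEMP -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
# Same search on both directories: AD LDS returns the new attribute, the
# domain controller (default -Server) returns nothing, i.e. two separate schemas.
$Filter = '(lDAPDisplayName=myApp-ProfileColor)'
Get-ADObject -Server $Server -SearchBase (Get-ADRootDSE -Server $Server).schemaNamingContext -LDAPFilter $Filter
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter $Filter
```

The schemaUpdateNow entry between the attribute and the class forces the instance to reload its schema cache, which is why the class can reference the attribute in the same import; the last search returning nothing is the practical meaning of "without the requirements of a single schema throughout a forest".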