Synchronize with Active Directory Domain Services
Applies To: Windows Server 2008
You can use the adamsync command-line tool to synchronize data from an Active Directory Domain Services (AD DS) forest to a configuration set of an Active Directory Lightweight Directory Services (AD LDS) instance. Two prerequisites must be met before you can synchronize data from an AD DS forest to the configuration set of an AD LDS instance:
The schema objects in the AD LDS instance must match the schema objects in the AD DS forest.
The schema in the AD LDS instance must be extended with the schema objects that the adamsync command-line tool requires.
Important
adamsync does not synchronize user passwords between AD DS and AD LDS.
Matching the schema objects in the AD LDS instance with the schema objects in the AD DS forest
To ensure that your AD LDS schema matches the AD DS schema, use AD DS/LDS Schema Analyzer to create an LDIF file that will contain the target schema elements, and then import this LDIF file into your base AD LDS schema by using the ldifde command.
Note
You can use AD DS/LDS Schema Analyzer to help migrate the Active Directory schema to AD LDS, from one AD LDS instance to another, or from any LDAP-compliant directory to an AD LDS instance. You can use AD DS/LDS Schema Analyzer to load a target (source) schema, mark the elements you want to migrate, and then export them to the base AD LDS schema. You can also compare the two schemas or two LDAP Data Interchange Format (LDIF) files.
When using AD DS/LDS Schema Analyzer to create an LDIF file, you should load both a target and a base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To create an LDIF file with AD DS/LDS Schema Analyzer
To open AD DS/LDS Schema Analyzer, at the command prompt, change the directory to %windir%\ADAM, type the following command, and then press ENTER:
adschemaanalyzer
To load a target schema, click File, click Load target schema, and then do one of the following:
To load the domain Active Directory schema as the target schema, in the dialog box, type your user name, password, and domain, and then click OK.
To load a different schema (such as the schema of an Active Directory forest or another LDAP-compliant directory), in the dialog box, type the server name and port of the directory that contains the target schema, type your user name, password, and domain as needed, and then click OK.
To load the schema of your AD LDS instance as the base schema, click File, click Load base schema, and then in Server[:port], type the server name and port of the AD LDS instance.
In the dialog box, click OK.
Click Tools, click Options, and on the LDIF generation tab, click Update with references to new and present elements.
Important
If this option is not selected and you create the LDIF file with the default option, Update with references to new elements only, the resulting LDIF file will not contain all the differences between the schemas. For example, the User class in your AD DS schema might have Optional Attributes that are not included in the User class in your AD LDS schema. If the LDIF file that AD DS/LDS Schema Analyzer created does not contain these Optional Attributes, and you later attempt to synchronize data from your AD DS forest into the AD LDS configuration set into which this LDIF file was imported, adamsync fails with an object violation error.
Since later you plan to synchronize data by using adamsync, click Schema, and then click Mark all non-present elements as included.
To create the LDIF file, click File, and then click Create LDIF file. To save the created LDIF file, type in the file name and save it at an appropriate location. For example, C:\Windows\ADAM\Differences.LDIF
To import the LDIF file into the AD LDS instance so that the AD LDS schema matches the AD DS schema, open the created LDIF file, copy the ldifde command that AD DS/LDS Schema Analyzer wrote into it (for example,
ldifde -i -u -f differences.ldf -s server:port -b username domain password -j . -c "cn=Configuration, dc=X" #configurationNamingContext
), and paste it at the command prompt. Edit the ldifde command to reflect your AD LDS server name and port, and then press ENTER.
Extending the AD LDS instance schema for objects that are required by adamsync
You can use the following procedure to extend the AD LDS schema to include schema objects that are required by the adamsync command line tool.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To extend the AD LDS instance schema to include objects that are required by adamsync
At the command prompt, change the directory to %windir%\ADAM, type the following command, and then press ENTER:
ldifde -i -f MS-AdamSyncMetadata.ldf -s <server>:<port> -c CN=Configuration,DC=X #ConfigurationNamingContext
For example, to extend the AD LDS schema on a local server, type the following command, and then press ENTER:
ldifde -i -f MS-AdamSyncMetadata.ldf -s localhost:50000 -c CN=Configuration,DC=X #ConfigurationNamingContext
To open the configuration file MS-AdamSyncConf.xml in a text editor (Notepad.exe) and modify it with the appropriate parameters, type the following command, and then press ENTER:
notepad MS-AdamSyncConf.xml
In Notepad, make the following changes to the contents of the configuration file:
Replace the value of <source-ad-name> with the name of the source AD DS domain controller, for example, <source-ad-name>SeattleDC1</source-ad-name>.
Replace the value of <source-ad-partition> with the distinguished name of the source domain, for example, <source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>.
Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain, for example, <source-ad-account>administrator</source-ad-account>.
Replace the value of <account-domain> with the fully qualified Domain Name System (DNS) name of the source domain, for example, <account-domain>fabrikam.com</account-domain>.
Replace the value of <target-dn> with the name of the partition of the target AD LDS instance, for example, <target-dn>DC=Microsoft,DC=US</target-dn>.
Note
If you are preparing to synchronize an AD LDS instance on a computer running Windows Server 2008, you must specify a naming context head as the value for <target-dn>. If you do not specify a naming context head as the distinguished name of the target AD LDS instance in the configuration file, the following error message appears when you attempt to run adamsync in the next step: "The target partition given was not the head of a partition. AdamSync cannot continue."
Replace the value of <base-dn> with the distinguished name of the container in the source domain where the search for objects to synchronize starts, for example, <base-dn>ou=users,dc=fabrikam,dc=com</base-dn>.
Modify the query filter (the default is <object-filter>(objectClass=*)</object-filter>) to select only the objects that you want to synchronize.
Important
Do not delete any unused fields from this file.
Note
It is not necessary to synchronize an entire domain naming context. To save disk space and avoid synchronization problems, consider excluding objects and attributes that are not necessary to ADAM (for example, DNS records, FRS subscriptions, and DN-binary values), and edit your MS-AdamSyncConf.xml file appropriately. For more information, see Adamsync Configuration File XML Reference (https://go.microsoft.com/fwlink/?LinkId=119621).
In Notepad, on the File menu, click Save As, type a new name for the file, click Save, and then close Notepad.
To install the modified configuration file, at the command prompt, type the following command, substituting the file name that you used in the procedure above for xml_file, and then press ENTER:
adamsync /install <server>:<port> xml_file
For example,
adamsync /install localhost:50000 %windir%\ADAM\MS-AdamSyncConf.xml
Synchronizing AD DS data to an AD LDS instance
You can use the following procedure to synchronize data from your AD DS forest to the AD LDS configuration set.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To synchronize AD DS forest data to an AD LDS instance
At a command prompt, type the following command, and then press ENTER:
adamsync /sync <server>:<port> ADLDS_configuration_dn /log
Replace ADLDS_configuration_dn with the distinguished name of the AD LDS partition into which you installed the configuration from the MS-AdamSyncConf.xml file (that is, the value of <target-dn> in the MS-AdamSyncConf.xml file). For example,
adamsync /sync localhost:50000 DC=microsoft,DC=US /log
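The two procedures above, carried out as one script. This is an added example, not code from the original article or from the adamsync tool; it assumes an AD LDS instance at localhost:50000, a source domain controller SeattleDC1 in the fabrikam.com domain, the target partition DC=Microsoft,DC=US from the examples above, and that the Schema Analyzer output was saved as Differences.LDIF in %windir%\ADAM (all constructed values). It goes one step beyond the article by reading the instance's RootDSE through ADSI to confirm that the chosen <target-dn> is a naming context head before adamsync /install runs, which is the failure mode the Note above describes.

```powershell
# Added example (not from the original article): runs the ldifde and adamsync steps
# of the two procedures above and checks the Note's failure mode, that <target-dn>
# must be a naming context head of the AD LDS instance.
# Constructed values: instance localhost:50000, source DC SeattleDC1, source domain
# fabrikam.com, target partition DC=Microsoft,DC=US, analyzer output Differences.LDIF.

$AdamDir   = Join-Path $env:windir 'ADAM'
$Instance  = 'localhost:50000'
$ConfigIn  = Join-Path $AdamDir 'MS-AdamSyncConf.xml'
$ConfigOut = Join-Path $AdamDir 'Fabrikam-AdamSyncConf.xml'   # the new name chosen in the Save As step

# Values for the elements the procedure tells you to edit (element names come from the
# article; the values are constructed examples).
$Settings = @{
    'source-ad-name'      = 'SeattleDC1'
    'source-ad-partition' = 'dc=fabrikam,dc=com'
    'source-ad-account'   = 'administrator'
    'account-domain'      = 'fabrikam.com'
    'target-dn'           = 'DC=Microsoft,DC=US'
    'base-dn'             = 'ou=users,dc=fabrikam,dc=com'
    'object-filter'       = '(objectClass=user)'   # narrower than the default (objectClass=*)
}

Set-Location $AdamDir

# Step 1 (first procedure): import the schema differences produced by AD DS/LDS Schema Analyzer.
# The ldifde line the analyzer writes embeds a password after -b; leaving -b out makes ldifde
# bind with the credentials of the current logon session, so no password lands in console history.
& ldifde -i -u -f 'Differences.LDIF' -s $Instance -j . -c 'cn=Configuration,dc=X' '#configurationNamingContext'
if ($LASTEXITCODE -ne 0) { throw "ldifde import of Differences.LDIF failed ($LASTEXITCODE)" }

# Step 2 (second procedure): extend the schema with the objects adamsync requires.
& ldifde -i -f 'MS-AdamSyncMetadata.ldf' -s $Instance -c 'CN=Configuration,DC=X' '#ConfigurationNamingContext'
if ($LASTEXITCODE -ne 0) { throw "ldifde import of MS-AdamSyncMetadata.ldf failed ($LASTEXITCODE)" }

# Step 3: edit only the named elements of MS-AdamSyncConf.xml. Every other element stays in
# place (the article says not to delete unused fields); each element is located by name so
# nothing about the file's surrounding structure is assumed.
[xml]$conf = Get-Content -Path $ConfigIn -Raw
foreach ($name in $Settings.Keys) {
    $node = $conf.SelectSingleNode("//$name")
    if ($null -eq $node) { throw "element <$name> not found in $ConfigIn" }
    $node.InnerText = $Settings[$name]
}
$conf.Save($ConfigOut)

# Step 3a (check for the Note's failure mode): the target DN must be one of the instance's
# naming context heads; otherwise adamsync stops with
# "The target partition given was not the head of a partition. AdamSync cannot continue."
$rootDse = [ADSI]"LDAP://$Instance/RootDSE"
$heads   = @($rootDse.namingContexts | ForEach-Object { "$_" })
$target  = $Settings['target-dn']
$isHead  = $heads | Where-Object { $_ -ieq $target }
if (-not $isHead) {
    throw "target-dn '$target' is not a naming context head of $Instance. Heads: $($heads -join '; ')"
}

# Step 4: install the configuration into the target partition, then synchronize it with logging.
& adamsync /install $Instance $ConfigOut
if ($LASTEXITCODE -ne 0) { throw "adamsync /install failed ($LASTEXITCODE)" }

& adamsync /sync $Instance $target /log
if ($LASTEXITCODE -ne 0) { throw "adamsync /sync failed ($LASTEXITCODE)" }
```

Run it from an elevated PowerShell session on the AD LDS host as a member of the instance's Administrators group, as both procedures require. The exit-code checks after each external command mean a failed schema import stops the script before a configuration that depends on that schema is installed; the naming-context check turns the "not the head of a partition" error into a message that lists the partitions the instance actually hosts.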
The following table contains the parameters for the preceding procedures and other commonly used adamsync parameters. For more information about adamsync parameters, at a command prompt, type adamsync /?, and then press ENTER.
Parameter | Description
---|---
/? | Displays command-line options.
/install | Installs the configuration that is contained in the specified input file.
/sync | Synchronizes the specified configuration.
(parameter name missing from source) | Performs a full replication synchronization for the specified configuration.
(parameter name missing from source) | Performs an aging search for the specified configuration. An aging search determines, by searching for the AD LDS objects in AD DS, whether the AD LDS objects in a configuration have been deleted in AD DS.
(parameter name missing from source) | Performs a replication synchronization for the specified object in the specified configuration. Use the distinguished name of the object.
You must have Read or Dirsync access to the objects or partitions in the AD DS forest that you want to synchronize.
You must have full control of an application directory partition on an AD LDS instance to run this command.
For more information, see Adamsync.
Note
There are alternative solutions for synchronizing data between AD DS and AD LDS. For more information, see Identity Lifecycle Manager 2007 (ILM 2007) Technical Library (https://go.microsoft.com/fwlink/?LinkID=122832) and Identity Integration Feature Pack for Microsoft Windows Server Active Directory with Service Pack 2 (SP2) (https://go.microsoft.com/fwlink/?LinkID=45227).