Selecting an AD LDS Service Account
Applies To: Windows Server 2008
On the Service Account Selection page of the Active Directory Lightweight Directory Services Setup Wizard, you must select a service account for use by the AD LDS instance. The account that you select determines the security context in which the AD LDS instance runs. Changing the service account after installation may require some additional configuration.
Note
The first AD LDS instance in a configuration set determines the default replication authentication method.
Service account requirements
AD LDS runs as a service, and it requires a service account. AD LDS service account requirements depend on the Windows workgroup or domain environment into which you install AD LDS, as well as the computer on which AD LDS is running.
For AD LDS instances that are joined to a configuration set, the service account is also used to authenticate against other AD LDS instances in the configuration set for replication. The type of authentication that is used between replication partners is determined by the environment in which AD LDS is running and by the service accounts in use. For more information, see Introduction to Administering AD LDS Replication and Configuration Sets.
The following table outlines AD LDS service account requirements.
| Security context | Service account for first AD LDS instance | Service account for replica AD LDS instances | Default replication authentication method** |
|---|---|---|---|
| Workgroup | Network Service | Replica AD LDS instances not allowed | Not applicable |
| Workgroup | Workstation user | Workstation user | Negotiated pass-through* |
| Windows 2000 domain or forest -or- Windows Server 2003 domain or forest -or- Windows Server 2008 domain or forest | Network Service -or- Domain user | Network Service -or- Domain user | Negotiated |
| Windows 2000 domain or forest -or- Windows Server 2003 domain or forest -or- Windows Server 2008 domain or forest | Domain user | Domain user -or- Network Service | Negotiated |
*When a workstation user account is used on the first AD LDS instance in a configuration set, all subsequent AD LDS instances in the same configuration set must use an identical local workstation account name and password as the AD LDS service account.
**When the Network Service account is used as the AD LDS service account, the replication authentication mode is set to Negotiated by default.
Additional Considerations
The Network Service account is a special, built-in account, with authority similar to that of an authenticated user account. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account.
The account that is used as the AD LDS service account must be able to create, read, and modify files in the directory %ProgramFiles%\Microsoft ADAM\instancename\data.
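As an added example (not part of the original article), the following PowerShell script audits an existing instance against the requirements above: it reads the service account from the instance's ADAM_<instancename> service, classifies it the way the table does, flags the workgroup replication constraints, and checks that the account holds Modify (create, read, modify files) on the data directory. It assumes the default data path quoted above unless -DataPath is given, and it evaluates only ACEs granted directly to the account's SID, not rights inherited through group membership.

```powershell
# Added example: audit an AD LDS instance's service account (assumes service name ADAM_<InstanceName>).
param(
    [Parameter(Mandatory = $true)][string]$InstanceName,
    [string]$DataPath = (Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data")  # default path per article
)

$svc = Get-CimInstance Win32_Service -Filter "Name='ADAM_$InstanceName'"
if (-not $svc) { throw "No service ADAM_$InstanceName found; is '$InstanceName' an AD LDS instance on this host?" }
$account = $svc.StartName   # e.g. NT AUTHORITY\NetworkService, CONTOSO\svc-adlds, .\adldsuser

# Classify the account using the same categories as the table above.
$kind = switch -Regex ($account) {
    '^NT AUTHORITY\\NetworkService$'                { 'Network Service' }
    "^(\.|$([regex]::Escape($env:COMPUTERNAME)))\\" { 'Workstation user' }
    '^(LocalSystem|NT AUTHORITY\\LocalService)$'    { 'Built-in account not covered by the table' }
    default                                         { 'Domain user' }
}
$cs = Get-CimInstance Win32_ComputerSystem
$context = if ($cs.PartOfDomain) { "domain $($cs.Domain)" } else { 'workgroup' }
"Instance $InstanceName runs as $account ($kind) on a $context member"

# Replication constraints from the table for this context/account combination.
if (-not $cs.PartOfDomain -and $kind -eq 'Network Service') {
    Write-Warning 'Workgroup + Network Service: replica instances of this configuration set are not allowed.'
} elseif (-not $cs.PartOfDomain -and $kind -eq 'Workstation user') {
    Write-Warning "Replicas must use the identical local account name and password ($account); authentication is negotiated pass-through."
} elseif ($kind -eq 'Network Service') {
    "Replication partners will see this instance authenticate as the computer account $($cs.Domain)\$($cs.Name)`$"
}

# Resolve the account to a SID so ACEs match regardless of how the name is spelled.
$sid = if ($kind -eq 'Network Service') { [System.Security.Principal.SecurityIdentifier]'S-1-5-20' }
       else { ([System.Security.Principal.NTAccount]($account -replace '^\.\\', "$env:COMPUTERNAME\")).Translate([System.Security.Principal.SecurityIdentifier]) }

# The service account must be able to create, read and modify files in the data directory.
if (-not (Test-Path -LiteralPath $DataPath)) { throw "Data directory '$DataPath' not found; pass -DataPath for a non-default location." }
$required = [int][System.Security.AccessControl.FileSystemRights]::Modify
$granted = 0; $denied = 0
foreach ($r in (Get-Acl -LiteralPath $DataPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($r.IdentityReference -ne $sid) { continue }                       # direct grants to this SID only
    if ($r.AccessControlType -eq 'Allow') { $granted = $granted -bor [int]$r.FileSystemRights }
    else                                  { $denied  = $denied  -bor [int]$r.FileSystemRights }
}
if ((($granted -band $required) -eq $required) -and (($denied -band $required) -eq 0)) {
    "ACL on $DataPath grants $account Modify: the data directory requirement is met."
} else {
    Write-Warning ("ACL on $DataPath does not grant $account Modify directly (allowed=0x{0:X}, denied=0x{1:X}); group-inherited rights are not evaluated here." -f $granted, $denied)
}
```

Run it from an elevated prompt on the AD LDS host, e.g. `.\Check-AdLdsServiceAccount.ps1 -InstanceName instance1`; a warning about the ACL does not by itself mean the instance is broken if the account is granted rights through a group such as Administrators.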