Selecting an AD LDS Service Account

Applies To: Windows Server 2008

On the Service Account Selection page of the Active Directory Lightweight Directory Services Setup Wizard, you must select a service account for use by the AD LDS instance. The account that you select determines the security context in which the AD LDS instance runs. Changing the service account after installation may require some additional configuration.

Note

The first AD LDS instance in a configuration set determines the default replication authentication method.

Service account requirements

AD LDS runs as a service, and it requires a service account. AD LDS service account requirements depend on the Windows workgroup or domain environment into which you install AD LDS, as well as the computer on which AD LDS is running.

For AD LDS instances that are joined to a configuration set, the service account is also used to authenticate against other AD LDS instances in the configuration set for replication. The type of authentication that is used between replication partners is determined by the environment in which AD LDS is running and by the service accounts in use. For more information, see Introduction to Administering AD LDS Replication and Configuration Sets.

The following table outlines AD LDS service account requirements.

Security context | Service account for first AD LDS instance | Service account for replica AD LDS instances | Default replication authentication method**
Workgroup | Network Service | Replica AD LDS instances not allowed | Not applicable
Workgroup | Workstation user | Workstation user | Negotiated pass-through*
Workgroup | | | Not applicable
Windows 2000, Windows Server 2003, or Windows Server 2008 domain or forest | Network Service -or- Domain user | Network Service -or- Domain user | Negotiated
Windows 2000, Windows Server 2003, or Windows Server 2008 domain or forest | Domain user | Domain user -or- Network Service | Negotiated
Windows 2000, Windows Server 2003, or Windows Server 2008 domain or forest | | | Not applicable

*When a workstation user account is used on the first AD LDS instance in a configuration set, all subsequent AD LDS instances in the same configuration set must use an identical local workstation account name and password as the AD LDS service account.

**When the Network Service account is used as the AD LDS service account, the replication authentication mode is set to Negotiated by default.

Additional Considerations

  • The Network Service account is a special, built-in account, with authority similar to that of an authenticated user account. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account.

  • The account that is used as the AD LDS service account must be able to create, read, and modify files in the directory %ProgramFiles%\Microsoft ADAM\instancename\data.
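As an added check that is not part of this article, the following PowerShell script reads the service account of an installed AD LDS instance and verifies that the account holds the create, read, and modify file rights listed above on the instance data directory. The instance name (instance1) and the default data directory location are assumptions; the script only evaluates ACEs granted directly to the account, not rights inherited through group membership.

```powershell
# Added example (not from this TechNet article): report the service account of an
# AD LDS instance and check that it holds the create/read/modify rights the article
# requires on the instance data directory. The instance name is an assumption.
param([string]$InstanceName = "instance1")

# Each AD LDS instance is registered as the Windows service ADAM_<instancename>.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='ADAM_$InstanceName'"
if (-not $svc) { throw "AD LDS instance '$InstanceName' is not installed on this computer." }
$account = $svc.StartName
"Service account: $account"

# Resolve the account to a SID. Well-known service SIDs are mapped directly, because
# the service name form (NetworkService) differs from the ACL name form (NETWORK SERVICE).
switch -Regex ($account) {
    'NetworkService$' { $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20' }
    'LocalService$'   { $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19' }
    '^LocalSystem$'   { $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18' }
    default {
        # ".\user" denotes a local workstation account; spell out the computer name before lookup.
        $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        $sid  = (New-Object System.Security.Principal.NTAccount $name).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    }
}

# Default data directory named in the article (setup allows a different location).
$dataDir = Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data"
if (-not (Test-Path $dataDir)) { throw "Data directory not found: $dataDir" }

# Rights the article requires: create, read, and modify files in the data directory.
$needed = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, ReadData, WriteData'

# Sum the Allow ACEs granted directly to that SID (group-based grants are not expanded here).
$granted = [System.Security.AccessControl.FileSystemRights] 0
foreach ($ace in (Get-Acl $dataDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }
    if ($aceSid -eq $sid) { $granted = $granted -bor $ace.FileSystemRights }
}

if (($granted -band $needed) -eq $needed) {
    "OK: $account can create, read, and modify files in $dataDir"
} else {
    "WARNING: $account lacks required rights on $dataDir (has: $granted; needs: $needed)"
}
```

Run the script in an elevated PowerShell session on the computer that hosts the instance; a WARNING line means the service account must be granted the missing rights before the instance can start reliably.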