Using the ADAM Administration Tools

Applies To: Windows Server 2003 R2

An ADAM instance runs as a standard user service, rather than as a system service, and it can be stopped and started through the Services snap-in in Microsoft Management Console (MMC). In addition, ADAM includes several administration tools for general administration tasks. In the following exercises, you:

  • Use the Services snap-in to stop and restart your ADAM instance.

  • Use ADAM ADSI Edit (ADAM-adsiedit.msc) to browse your directory.

  • Configure the ADAM Schema snap-in.

  • Use ADSchemaAnalyzer to produce a file that can be used to extend a schema with elements from another schema.

  • Use Active Directory to ADAM Synchronizer to copy data from Active Directory to an ADAM instance.

Stopping and Restarting an ADAM Instance

To stop and restart an ADAM instance by using the Services snap-in

  1. Click Start, point to Administrative Tools, and then click Services.

  2. The ADAM instance that you just installed is listed in the details pane of the Services snap-in, along with other services on the computer. ADAM instances are listed in Services by their name, which in this case is instance1. Click the ADAM instance that you installed, as shown in the following:

    Stopping and starting ADAM

  3. To stop the ADAM instance, on the Action menu, click Stop.

  4. After the ADAM instance is stopped, on the Action menu, click Start to restart the ADAM instance.

Using the ADAM ADSI Edit Administration Tool

The main administration tool for ADAM is ADAM ADSI Edit. In this exercise, you use ADAM ADSI Edit to bind to, view, and browse your ADAM instance.

To bind to, view, and browse an ADAM instance using ADAM ADSI Edit

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.

  2. In the console tree, click ADAM ADSI Edit. The ADAM ADSI Edit snap-in looks like the following:

    ADAM ADSI Edit

  3. On the Action menu, click Connect to. The Connection Settings dialog box appears.

  4. In Connection name, you can type a label under which this connection will appear in the console tree of ADAM ADSI Edit. For this connection, type:

    ADAM demo

  5. In Server name, type the host or DNS name of the computer on which the ADAM instance is running.

    Note

    Because, in this exercise, ADAM is running on the local computer, you can use localhost as the server name.

  6. In Port, type the LDAP or SSL communication ports in use by ADAM. Or, as in this case, accept the default value of 389.

    Note

    To list the port numbers used by ADAM instances, click Start, point to All Programs, point to ADAM, click ADAM Tools Command Prompt, and then, at the command prompt, type: dsdbutil "list instances" quit

  7. Under Connect to the following node, you can connect to a well-known naming context, such as the configuration or schema directory partition, or you can specify the distinguished name of a partition to which you want to connect. For this exercise, click Distinguished name (DN) or naming context, and type:

    o=Microsoft,c=US

    This is the distinguished name of the application partition that you created during setup.

  8. Under Connect using these credentials, click The account of the currently logged on user. The Connection Settings dialog box now looks like the following:

    ADAM ADSI Edit Connection Settings

  9. Click OK. The ADAM ADSI Edit snap-in looks like the following:

    ADAM ADSI Edit, connected

  10. In the console tree, double-click ADAM demo, and then double-click O=Microsoft,c=US. The ADAM ADSI Edit snap-in now shows the application directory partition:

    ADAM ADSI Edit application directory partition

  11. In the console tree, click any container to view the objects in that container. For example, click CN=Roles.

  12. To open a different directory partition on the ADAM instance, in the console tree, click ADAM ADSI Edit, and then, on the Action menu, click Connect to.

  13. Fill out the Connection Settings dialog box as shown, and then click OK.

    ADAM ADSI Edit, connecting configuration container

    The Connection Settings dialog box now looks like the following:

    ADAM ADSI Edit configuration container

    You can now browse the contents of the configuration directory partition of your ADAM instance.

  14. To close ADAM ADSI Edit, on the File menu, click Exit.
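The same bind-and-browse operation that ADAM ADSI Edit performs can be scripted, which is useful for checking an instance from a management host or for a quick audit of what a partition contains. The following PowerShell is an added example and is not part of the original article or of the ADAM tools; it assumes, as the exercise does, an instance on localhost, LDAP port 389 and the application partition o=Microsoft,c=US, and it uses System.DirectoryServices, which is the same ADSI layer the snap-in uses.

```powershell
# Added example (not from the original article): bind to and browse an ADAM
# instance with System.DirectoryServices, as ADAM ADSI Edit does.
# Assumptions (taken from the exercise): instance on localhost, LDAP port 389,
# application partition o=Microsoft,c=US. Adjust these for your environment.
Add-Type -AssemblyName System.DirectoryServices

$server    = 'localhost'
$port      = 389
$partition = 'o=Microsoft,c=US'

# Secure = Negotiate (Kerberos or NTLM) with the credentials of the logged-on
# user, the equivalent of "The account of the currently logged on user" in the
# Connection Settings dialog box. No password is sent in clear text.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure

function Get-AdamEntry {
    param([string]$Dn)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$server`:$port/$Dn", $null, $null, $authType)
    # Reading a property forces the bind, so a wrong port or DN fails here
    # rather than later in the script.
    $null = $entry.NativeObject
    return $entry
}

# 1. RootDSE publishes the well-known naming contexts, the same ones offered
#    under "Connect to the following node". ldifde's #configurationNamingContext
#    placeholder (used elsewhere on this page) is resolved from this attribute.
$rootDse = Get-AdamEntry 'RootDSE'
Write-Host ('configurationNamingContext : ' + $rootDse.Properties['configurationNamingContext'].Value)
Write-Host ('schemaNamingContext        : ' + $rootDse.Properties['schemaNamingContext'].Value)
Write-Host ('namingContexts             : ' + (@($rootDse.Properties['namingContexts']) -join ', '))

# 2. List one level of the application partition, the equivalent of expanding
#    O=Microsoft,c=US in the console tree and looking at containers such as CN=Roles.
$appPartition = Get-AdamEntry $partition
$searcher = New-Object System.DirectoryServices.DirectorySearcher($appPartition)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.Filter = '(objectClass=*)'
$null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass'))

foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties['distinguishedname'][0]
    # objectClass is multi-valued (top, ..., most specific last)
    $cls = @($result.Properties['objectclass']) | Select-Object -Last 1
    Write-Host ('{0,-16} {1}' -f $cls, $dn)
}
```

To bind to a different partition, pass its distinguished name (for example the value of configurationNamingContext printed in step 1) to Get-AdamEntry. For an instance that is listening on its SSL port, use that port and add SecureSocketsLayer to the AuthenticationTypes value so that the session is encrypted end to end.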

Configuring the ADAM Schema Snap-in Administration Tool

You can use another ADAM administration tool, the ADAM Schema snap-in, to administer the ADAM schema. If you have ever used the Active Directory Schema snap-in, the ADAM Schema snap-in should look very familiar to you. Before you can use the ADAM Schema snap-in, you need to create an MMC file for it, as described in this procedure.

To create an MMC file for the ADAM Schema snap-in

  1. Click Start, click Run, type mmc /a, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. In Available Standalone Snap-ins, click ADAM Schema, click Add, click Close, and then click OK.

  4. To save this console, on the File menu, click Save.

  5. In File name, type the following, and then click Save.

    %windir%\system32\adamschmmgmt.msc

    The ADAM Schema snap-in looks like the following:

    ADAM Schema snap-in

  6. To connect to your ADAM instance through ADAM Schema, in the console tree, right-click ADAM Schema, click Change ADAM Server, and then complete the dialog box as follows:

    ADAM Schema snap-in connection

  7. Click OK. The ADAM Schema snap-in now looks like the following. You can browse and view the ADAM schema classes and attributes:

    ADAM Schema snap-in classes and attributes

  8. To create a shortcut for the ADAM Schema snap-in on your Start menu:

    1. Right-click Start, click Open All Users, double-click the Programs folder, and then double-click the ADAM folder.

    2. On the File menu, point to New, and then click Shortcut.

    3. In the Create Shortcut Wizard, in Type the location of the item, type adamschmmgmt.msc, and then click Next.

    4. On the Select a Title for the Program page, in Type a name for this shortcut, type ADAM Schema, and then click Finish.

Using ADSchemaAnalyzer

You can use ADSchemaAnalyzer to help migrate the Active Directory schema to ADAM, from one ADAM instance to another, or from any LDAP-compliant directory to an ADAM instance. You can use ADSchemaAnalyzer to load a target (source) schema, mark the elements you want to migrate, and then export them to the base ADAM schema. You can also compare the two schemas or two LDAP Data Interchange Format (LDIF) files.

Important

When using ADSchemaAnalyzer to create an LDIF file, you should load both a target and a base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.

To create an LDIF file with ADSchemaAnalyzer

  1. Click Start, point to All Programs, point to ADAM, click ADAM Tools Command Prompt, and then, at the command prompt, type:

    adschemaanalyzer

  2. To load a target schema, click File, click Load target schema, and then do one of the following:

    • To load the domain Active Directory schema as the target schema, in the dialog box, type your user name, password, and domain, and then click OK.

    • To load a different schema (such as the schema of an Active Directory forest or another LDAP-compliant directory), in the dialog box, type the server name and port of the directory containing the target schema, type your user name, password, and domain as needed, and then click OK.

  3. To load the schema of your ADAM instance as the base schema, click File, click Load base schema, and then in Server[:port], type the server name and port of the ADAM instance.

  4. In the dialog box, click OK.

  5. Click Tools, click Options, and on the LDIF generation tab, click Update with references to new and present elements.

    Important

    If this option is not selected and you proceed to create an LDIF file with the default option of Update with references to new elements only, the resultant LDIF file will not contain all the differences between the schemas. For example, the User class in your Active Directory schema might have Optional Attributes that are not included in the User class in your ADAM schema. If the LDIF file that was created through ADSchemaAnalyzer does not contain these Optional Attributes and you later attempt to synchronize data between your Active Directory forest and the ADAM configuration set into which this LDIF file has been imported, Adamsync will fail with an object violation error.

  6. In the resulting tree, mark all elements that you want to export to your base schema by right-clicking the element and selecting one of the following options:

    • Auto automatically marks an element as included or excluded in the export. If an element is marked as Auto (included), you can right-click that element, and then click Why auto included? to see the reverse dependency tree for the element.

    • Included marks an element so that it is included in the export. ADSchemaAnalyzer marks all related elements, such as superclasses, auxClasses, must/may contains, defaultObjectCategory, and possSuperiors. ADSchemaAnalyzer includes propsets for included attributes and back-links for links.

    • Excluded marks an element so that it is not included in the export. You can block certain paths in the dependency graph. For example, you might want to import domainDns, but not samAccountDomain (which is an auxClass of domainDns). You can exclude a complete element, such as the samAccountDomain class, or you can exclude a relationship; for example, you can remove the auxClass reference from the domainDns class. If you exclude a relationship, any other classes that reference that element continue to include it.

    • Present means that the element is present on the target server. By default, the top class is marked as present.

    Note

    If later you plan to synchronize data by using Adamsync, click Schema, and then click Mark all non-present elements as included.

  7. To create the LDIF file, click File, and then click Create LDIF file. To save the created LDIF file, type in the file name and save it at an appropriate location. For example, C:\Windows\ADAM\Differences.LDIF.

  8. To import the LDIF file into the AD LDS instance in order to update the AD LDS schema to match the AD DS schema, open the created LDIF file, copy the ldifde command created by the AD DS/LDS Schema Analyzer (for example, ldifde -i -u -f differences.ldf -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" #configurationNamingContext), and paste it into the command prompt. Edit the ldifde command to reflect your AD LDS server name and port, and then press ENTER.

You can use the ldifde command at the ADAM tools command prompt to import the target schema elements in the LDIF file into the base ADAM schema. The beginning of the LDIF file contains complete instructions for performing this task.

Using Active Directory to ADAM Synchronizer

Active Directory to ADAM Synchronizer is a command-line tool that synchronizes data from an Active Directory forest to a configuration set of an ADAM instance. You can also use it to synchronize data between two ADAM instances.

Important

Active Directory to ADAM Synchronizer does not synchronize user passwords between Active Directory and ADAM.

There are two prerequisites before Active Directory to ADAM Synchronizer can synchronize data:

  • The schema objects in the ADAM instance must match the schema objects in the Windows Server 2003 Active Directory forest.

  • The schema in the ADAM instance must be extended for schema objects that are required by Active Directory to ADAM Synchronizer.

Note

You must use the -t port_number option with ldifde if the ADAM instance uses a port other than the default port 389.

To use Active Directory to ADAM Synchronizer for the first time

  1. Click Start, point to All Programs, click ADAM, and then click ADAM Tools Command Prompt to open a command window in the ADAM directory.

  2. To ensure that your ADAM schema matches the default Windows Server 2003 schema in Active Directory, use ADSchemaAnalyzer to create an LDIF file that will contain the target schema elements, and then import this LDIF file into your base ADAM schema by using the ldifde command at the ADAM Tools Command Prompt.

    Important

    When you create an LDIF file, make sure to select the Update with references to new and present elements option on the ADSchemaAnalyzer Tools menu and the Mark all non-present elements as included option on the Schema menu. For detailed instructions, see Using ADSchemaAnalyzer.

  3. To extend the ADAM schema to include schema objects that are required by Active Directory to ADAM Synchronizer, at the command prompt, type the following command on a single line, and then press ENTER:

    ldifde -i -s localhost:389 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetadata.ldf

  4. Modify the configuration file MS-AdamSyncConf.xml with the appropriate parameters:

    • Replace the value of <source-ad-name> with the name of the source Active Directory domain controller, for example, <source-ad-name>SeattleDC1</source-ad-name>.

    • Replace the value of <source-ad-partition> with the distinguished name of the source domain, for example, <source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>.

    • Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain, for example, <source-ad-account>administrator</source-ad-account>.

    • Replace the value of <account-domain> with the fully qualified name of the source domain, for example, <account-domain>fabrikam.com</account-domain>.

    • Replace the value of <target-dn> with the name of the partition of the target ADAM instance, in this case, <target-dn>DC=microsoft,DC=US</target-dn>.

    • Replace the value of <base-dn> with the base distinguished name of the source domain, for example, <base-dn>dc=fabrikam,dc=com</base-dn>.

    • Modify the query filter (the default being <object-filter>(objectClass=*)</object-filter>), depending on what objects you want to synchronize.

    Important

    Do not delete any unused fields from this file.

    Note

    It is not necessary to synchronize an entire domain naming context. To save disk space and avoid synchronization problems, consider excluding objects and attributes that are not necessary to ADAM (for example, DNS records, FRS subscriptions, and DN-binary values), and edit your MS-AdamSyncConf.xml file appropriately. For more information, see Adamsync Configuration File XML Reference (https://go.microsoft.com/fwlink/?LinkId=119621).

  5. Install the configuration file. At a command prompt, type the following command, and then press ENTER:

    ADAMSync /install localhost:389 %windir%\ADAM\MS-AdamSyncConf.xml

  6. Synchronize the data from the Active Directory forest to the ADAM configuration set. At a command prompt, type the following command, and then press ENTER:

    ADAMSync /sync localhost:389 "DC=microsoft,DC=US" /log

    The /log option displays detailed information about the status of the synchronization. You can also use ADAM ADSI Edit to verify that the data has been synchronized.
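Steps 3 through 6 of the procedure above can be run from one script once the source-domain values are known, which also makes it easy to keep the configuration file edits narrow (values only, no elements removed) and to stop on the first failing command. The following PowerShell is an added example and is not part of the original article or of the ADAM tools. It assumes that ldifde.exe, adamsync.exe, MS-AdamSyncMetadata.ldf and MS-AdamSyncConf.xml live in %windir%\ADAM, as the page's own commands imply, and that the instance runs on localhost; the source-domain values (SeattleDC1, fabrikam.com) are the page's own placeholders and the narrower object filter is a constructed example.

```powershell
# Added example (not from the original article): script the first-time
# Active Directory to ADAM Synchronizer setup (steps 3 to 6 above).
# Assumptions: the ADAM tools and both files are in %windir%\ADAM; the ADAM
# instance runs on localhost:389; the source-domain values below are the
# page's placeholders and must be replaced with real ones.
$adamDir  = Join-Path $env:windir 'ADAM'
$ldifde   = Join-Path $adamDir 'ldifde.exe'
$adamsync = Join-Path $adamDir 'adamsync.exe'
$confFile = Join-Path $adamDir 'MS-AdamSyncConf.xml'
$server   = 'localhost'
$port     = 389
$targetDn = 'DC=microsoft,DC=US'          # target partition from step 4

$settings = @{
    'source-ad-name'      = 'SeattleDC1'          # source domain controller
    'source-ad-partition' = 'dc=fabrikam,dc=com'  # DN of the source domain
    'source-ad-account'   = 'administrator'       # member of Domain Admins
    'account-domain'      = 'fabrikam.com'        # FQDN of the source domain
    'target-dn'           = $targetDn
    'base-dn'             = 'dc=fabrikam,dc=com'
    # Constructed example of a narrower filter than (objectClass=*): only users
    # and groups, so DNS records, FRS subscriptions and similar objects stay out.
    'object-filter'       = '(|(objectClass=user)(objectClass=group))'
}

function Update-AdamSyncConfig {
    param([string]$Path, [hashtable]$Values)
    [xml]$doc = Get-Content -Path $Path
    foreach ($name in $Values.Keys) {
        # Only the text of existing elements changes; no element is removed,
        # because the synchronizer expects every field to be present.
        $node = $doc.SelectSingleNode("//$name")
        if ($node -eq $null) { throw "Element <$name> not found in $Path" }
        $node.InnerText = $Values[$name]
    }
    $doc.Save($Path)
}

function Invoke-Checked {
    param([string]$Command, [string[]]$Arguments)
    & $Command @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Command exited with code $LASTEXITCODE" }
}

# Step 3: extend the schema with the objects the synchronizer requires.
# -t is what the note above calls for when the instance does not listen on
# 389; passing it explicitly keeps the command correct for any port.
Invoke-Checked $ldifde @('-i', '-s', $server, '-t', $port,
    '-c', 'CN=Configuration,DC=X', '#ConfigurationNamingContext',
    '-f', (Join-Path $adamDir 'MS-AdamSyncMetadata.ldf'))

# Step 4: fill in the configuration file in place.
Update-AdamSyncConfig -Path $confFile -Values $settings

# Steps 5 and 6: install the configuration, then run the first sync with /log.
Invoke-Checked $adamsync @('/install', "$server`:$port", $confFile)
Invoke-Checked $adamsync @('/sync', "$server`:$port", $targetDn, '/log')
```

Run the script from an elevated PowerShell session on the ADAM host as the account that will own the synchronization. Because every command is checked for a non-zero exit code, a schema import that fails with an object violation (the failure mode the ADSchemaAnalyzer section warns about) stops the script before the configuration is installed, so the instance is never left half-configured.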