Administering AD LDS Instances

Applies To: Windows Server 2008

This guide provides administrators with step-by-step instructions for managing Active Directory Lightweight Directory Services (AD LDS) instances in Windows Server 2008.

Each AD LDS instance runs as an independent—and separately administered—service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.

AD LDS service account

The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation. For information about AD LDS service account requirements, see Selecting an AD LDS Service Account.

To modify the AD LDS service account for an AD LDS instance, you can use the change service account command in the Dsdbutil command-line tool. For more information, see Dsdbutil (https://go.microsoft.com/fwlink/?LinkID=122543).

AD LDS instance name

During setup, you assign a name to the AD LDS instance, which is used in the creation of the file directory structure and registry keys for AD LDS. In addition, the name that you assign is used to create the service name, service display name, and service description, as shown in the example in the following table.

Name supplied during setup Service name Service display name Service description

instance1

ADAM_instance1

instance1

Blank (no default description provided)

The name that you specify for an AD LDS instance during setup must meet the following requirements:

  • It must be unique with respect to other AD LDS instances that are running on the same computer.

  • It must be no longer than 44 characters.

  • It must use characters only from the ranges of a through z, A through Z, or 0 through 9.

  • The name "ntds" cannot be used.

The service display name appears in Windows Server 2008 Programs and Features dialog box and in the Services snap-in. The service description appears in the Services snap-in. You can modify the service display name and the service description anytime after installation.

In this guide