Friday, January 20, 2012

Active Directory Lightweight Directory Services – Application Data Partitions

An AD LDS instance can hold more than one Application Data Partition.  The Application Data Partition is where user, group, etc. objects are stored.  It can provide an effective boundary between partitions, and is useful for SharePoint when using a single AD LDS instance with multiple customers that must remain isolated from each other.

One restriction with Application Data Partitions is that one partition cannot be nested beneath another. E.g., you cannot create a partition of “CN=SharePoint,DC=fabrikam,DC=local” if you already have a partition of “DC=fabrikam,DC=local”. You can, however, create multiple partitions under the same root DN, e.g. “CN=SharePoint,DC=fabrikam,DC=local” and “CN=SharePoint2,DC=fabrikam,DC=local”.

To create an Application Data Partition, first connect and bind with an authenticated user to the AD LDS instance with ldp.exe. Note that in this walkthrough the instance already has a partition of “CN=SharePoint,DC=fabrikam,DC=local”.

In ldp.exe, go to Browse –> Add Child.

Enter the new DN, e.g. “CN=SharePoint2,DC=fabrikam,DC=local”. Next, under Edit Entry, set Attribute to “objectClass” and Values to “container”, then click Enter. Change Attribute to “instanceType” and Values to “5”, and click Enter again.

Next, click Run.  Message text similar to this will appear in the log window:

-----------
***Calling Add...
ldap_add_s(ld, "CN=SharePoint2,DC=fabrikam,DC=local", [2] attrs)
Added {CN=SharePoint2,DC=fabrikam,DC=local}.
-----------
The new partition has been created.  Next, connect to the new partition with ADSI Edit, using the same server/port combination, but the new DN.

If you receive an error when attempting to connect to the new partition with ADSI Edit, close ADSI Edit, re-open it, and try to connect again.

To delete an Application Data Partition, first run ADSI Edit. Connect to the Configuration partition to identify the Configuration DN.

Next, run ldp.exe. Connect and bind as an authenticated user. Go to View –> Tree, and connect to the Configuration DN of the AD LDS instance. Find “CN=Partitions” and expand the tree. Each Application Data Partition has a container there with a DN starting with “CN={GUID}”. Click on one of the containers to show its attributes.

Find the attribute “nCName”; it holds the DN of the partition the container represents, here “CN=SharePoint2,DC=fabrikam,DC=local”. To delete that partition and all data within it, delete this container. Ldp should output a log similar to the following:

-----------
ldap_delete_s(ld, "CN=7a1c0eda-9e1c-4307-9b4b-2475c8262a6f,CN=Partitions,CN=Configuration,CN={51435092-6E63-4B14-B4CA-F27C35BE886F}");
Deleted "CN=7a1c0eda-9e1c-4307-9b4b-2475c8262a6f,CN=Partitions,CN=Configuration,CN={51435092-6E63-4B14-B4CA-F27C35BE886F}"
-----------

Attempting to connect to the deleted partition again (e.g. with ADSI Edit) will now yield an error.

The partition has been successfully deleted.
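The two procedures above, creating a partition and locating its crossRef container under CN=Partitions by nCName, done over LDAP from PowerShell with System.DirectoryServices.Protocols. This is an added example, not code from the original post; the server, DNs and bind are placeholders for a lab AD LDS instance, and the crossRef delete only runs when you set $DeleteCrossRef to $true.

```powershell
# Added example (not from the original post). Placeholders: server, DNs, bind.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$Server         = 'localhost:389'                        # host:port of the AD LDS instance
$PartitionDN    = 'CN=SharePoint2,DC=fabrikam,DC=local'  # must not sit inside an existing partition
$DeleteCrossRef = $false                                 # $true mirrors the ldp.exe deletion step

$conn = New-Object -TypeName "$P.LdapConnection" -ArgumentList $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current Windows user; for an AD LDS user set $conn.AuthType and $conn.Credential first

# 1. Create the partition with the same two attributes ldp.exe sends:
#    objectClass=container and instanceType=5 (NC head + writable), which is what
#    makes the object a partition root rather than an ordinary container.
$add = New-Object -TypeName "$P.AddRequest"
$add.DistinguishedName = $PartitionDN
$add.Attributes.Add((New-Object -TypeName "$P.DirectoryAttribute" -ArgumentList 'objectClass','container')) | Out-Null
$add.Attributes.Add((New-Object -TypeName "$P.DirectoryAttribute" -ArgumentList 'instanceType','5')) | Out-Null
"Add: $($conn.SendRequest($add).ResultCode)"

# 2. Read the Configuration DN from RootDSE, then find the crossRef under CN=Partitions
#    whose nCName is the new partition (the "CN={GUID}" container shown in ldp).
$rootDse = New-Object -TypeName "$P.SearchRequest"
$rootDse.Scope = 'Base'; $rootDse.Filter = '(objectClass=*)'
$rootDse.Attributes.Add('configurationNamingContext') | Out-Null
$configDN = $conn.SendRequest($rootDse).Entries[0].Attributes['configurationNamingContext'].GetValues([string])[0]

$find = New-Object -TypeName "$P.SearchRequest"
$find.DistinguishedName = "CN=Partitions,$configDN"
$find.Scope = 'OneLevel'
$find.Filter = "(&(objectClass=crossRef)(nCName=$PartitionDN))"
$find.Attributes.Add('nCName') | Out-Null
$crossRef = $conn.SendRequest($find).Entries | Select-Object -First 1
if (-not $crossRef) { throw "no crossRef found for $PartitionDN" }
"crossRef: $($crossRef.DistinguishedName) -> $($crossRef.Attributes['nCName'].GetValues([string])[0])"

# 3. Deleting that crossRef removes the partition and all data in it, exactly what the
#    ldap_delete_s in the ldp log above does. Guarded so the script is safe to run as-is.
if ($DeleteCrossRef) {
    $del = New-Object -TypeName "$P.DeleteRequest" -ArgumentList $crossRef.DistinguishedName
    "Delete: $($conn.SendRequest($del).ResultCode)"
}
```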

Tuesday, January 17, 2012

Active Directory Lightweight Directory Services – Recycle Bin

To enable the AD LDS Recycle Bin, open a command prompt, navigate to C:\Windows\ADAM, and run:

ldifde.exe -i -f MS-ADAM-Upgrade-2.LDF -s localhost:389 -j . -$ adamschema.cat

Here “localhost:389” is the host and port where AD LDS is running. If the currently logged on user does not have access to the AD LDS instance, specify the -b switch with a username and the -p switch with a valid password. Note that before running this command, all members involved in AD LDS instance replication should be online.

The output should look like this:

Verifying file signature
Connecting to "localhost:389"
Logging in as current user using SSPI
Importing directory from file "MS-ADAM-Upgrade-2.LDF"
Loading entries...............................
30 entries modified successfully.

The command has completed successfully

Now, delete a user via ADSI Edit (or any other method). Next, from an elevated command prompt, run ldp.exe. Go to Options –> Controls, select “Return deleted objects” from the Load Predefined dropdown menu, and click OK.

Next, under Connection, Connect, then Bind as an administrative user to the AD LDS instance. Finally, under the View menu, show the Tree of the domain base DN. A new Deleted Objects container is now visible.

Right-click a deleted object. Add the attribute “isDeleted”, under Operation select “Delete”, and click Enter. Next, add the attribute “distinguishedName” with the full DN to which the object should be recovered, change the Operation to “Replace”, and click Enter. Select the Extended checkbox.

Click Run. The object is moved to the desired location and removed from the Deleted Objects container.

Finally, in ADSI Edit, reset the user’s password and set the msDS-UserAccountDisabled attribute to False.  Set the attribute used for the user’s login (e.g. mail).  Once completed, the user will be able to log back into SharePoint.
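The restore described above, performed over LDAP from PowerShell instead of ldp.exe: one modify that deletes isDeleted and replaces distinguishedName, sent with the Show Deleted Objects control (OID 1.2.840.113556.1.4.417, the control ldp's “Return deleted objects” option and Extended checkbox attach), followed by the msDS-UserAccountDisabled change from the last step. This is an added example, not the post's code; the server, base DN and user CN are placeholders.

```powershell
# Added example (not from the original post). Placeholders: server, base DN, user CN.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$Server   = 'localhost:389'
$BaseDN   = 'DC=fabrikam,DC=local'
$UserCN   = 'jdoe'                                # CN the user had before deletion
$TargetDN = "CN=$UserCN,CN=Users,$BaseDN"         # where the object should be recovered to

$conn = New-Object -TypeName "$P.LdapConnection" -ArgumentList $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current Windows user; must be an administrator of the instance

# 1. Deleted objects are invisible unless the control is attached. Their RDN is mangled to
#    "CN=<name>\0ADEL:<guid>", so match the original CN followed by an escaped newline.
$search = New-Object -TypeName "$P.SearchRequest"
$search.DistinguishedName = "CN=Deleted Objects,$BaseDN"
$search.Scope = 'OneLevel'
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(cn=$UserCN\0aDEL:*))"
$search.Attributes.Add('lastKnownParent') | Out-Null
$search.Controls.Add((New-Object -TypeName "$P.ShowDeletedControl")) | Out-Null
$entry = $conn.SendRequest($search).Entries | Select-Object -First 1
if (-not $entry) { throw "no deleted user with CN $UserCN" }
"restoring $($entry.DistinguishedName) (was under $($entry.Attributes['lastKnownParent'].GetValues([string])[0]))"

# 2. The restore itself: the same two changes entered in ldp, in one modify, with the control
#    attached (that is what the Extended checkbox does).
$mod = New-Object -TypeName "$P.ModifyRequest"
$mod.DistinguishedName = $entry.DistinguishedName
$undelete = New-Object -TypeName "$P.DirectoryAttributeModification"
$undelete.Name = 'isDeleted'; $undelete.Operation = 'Delete'
$move = New-Object -TypeName "$P.DirectoryAttributeModification"
$move.Name = 'distinguishedName'; $move.Operation = 'Replace'; $move.Add($TargetDN) | Out-Null
$mod.Modifications.Add($undelete) | Out-Null
$mod.Modifications.Add($move) | Out-Null
$mod.Controls.Add((New-Object -TypeName "$P.ShowDeletedControl")) | Out-Null
"restore: $($conn.SendRequest($mod).ResultCode)"

# 3. Re-enable the account as the post's final step does. The password reset is not shown:
#    AD LDS only accepts password changes over an SSL bind.
$enable = New-Object -TypeName "$P.ModifyRequest" -ArgumentList $TargetDN,
    ([System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace), 'msDS-UserAccountDisabled', 'FALSE'
"enable: $($conn.SendRequest($enable).ResultCode)"
```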

Active Directory Lightweight Directory Services – Backup

Backing up AD LDS is similar to backing up Active Directory: either take a backup of the System State via Windows Server Backup, or via the command line AD LDS utility dsdbutil.exe.

To back up an AD LDS instance via PowerShell, call dsdbutil with the required parameters.  Also note that the folder that dsdbutil is saving the backup to must be empty of all files and subfolders.

$InstanceName = $args[0]
if (-not $InstanceName) { Write-Error 'Usage: .\ADLDSBackup.ps1 InstanceName'; exit 1 }
$BackupRoot = "C:\backup"
$BackupDir = Join-Path $BackupRoot $InstanceName
# dsdbutil refuses a non-empty target folder, so clear it first (a missing folder is fine)
Remove-Item "$BackupDir\*" -Recurse -Confirm:$false -ErrorAction SilentlyContinue
dsdbutil "Activate Instance $InstanceName" ifm "Create Full $BackupDir" quit quit

This script can be run via .\ADLDSBackup.ps1 InstanceName.  A backup will be placed in C:\backup\InstanceName\adamntds.dit.