
Active Directory Application Mode (ADAM)

http://windowsitpro.com/article/articleid/43843/windows-tips--tricks-update--august-30-2004.html

ADAM, which was introduced with Windows Server 2003, addresses requirements of
directory-enabled applications that don't need to store their data in Active Directory
(AD) but could still benefit from the security and authentication AD can offer.

For example, an application might have to store a large amount of information that
other applications don't need or that doesn't need to be replicated to every domain
controller (DC). ADAM uses a separate database that has many of AD's features
(e.g., schema, replication, management) but is totally separate from AD. This
separate database means that you can have a separate schema for each ADAM
instance--a feature that can be useful for testing. Like AD, ADAM offers a Lightweight
Directory Access Protocol (LDAP) interface that lets LDAP- and AD-based applications
seamlessly use ADAM.

Say you need to store a large amount of extra information about your users for an
application or a portal. Typically, you'd have to change the AD schema to enable this
information to be stored in AD, but because the AD schema is forestwide, you might
hesitate to change it. Instead of changing the schema, you can create an ADAM
instance to store all the extra attributes for the users. The application or portal could
authenticate against AD, then look up the additional information in ADAM.

ADAM runs as a nonsystem service and doesn't have to run on a DC. And because it's
a nonsystem service, you can have multiple instances of ADAM running on one box.
(However, you must configure each instance to listen on a unique LDAP port--for
example, only one instance could use the default ports 389 and 636.) The following
platforms support ADAM:

* Windows Server 2003, Standard Edition
* Windows Server 2003, Enterprise Edition
* Windows Server 2003, Datacenter Edition
* Windows XP Professional Edition Service Pack 1 (SP1)

Windows Server 2003, Web Edition doesn't support ADAM; however, you can install
ADAM on Windows XP SP1 and above, which is useful for developer testing.

Many tools you use for AD management also apply to ADAM, such as the Repadmin
command, the Microsoft Management Console (MMC) ADSI Edit snap-in, and LDP.
ADAM also offers its own ADAM-specific tools such as Dsdbutil (ADAM's version of
Ntdsutil) and Dsmgmt. For more information about ADAM, as well as the
downloadable files you need to install it, go to
http://www.microsoft.com/windowsserver2003/adam/default.mspx.

Q. How can I install Active Directory Application Mode (ADAM)?

A. Download the ADAM installation file at
http://www.microsoft.com/windowsserver2003/adam/default.mspx and execute it.
The file self-expands to a folder you select. Navigate to the selected folder and
perform the following steps:
1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen,
click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM administration
tools" and click Next.
5. In the window that the figure at
http://www.windowsitpro.com/articles/images/adaminst1.gif shows, you can select
the type of instance to create--a new unique instance or a replica of an existing
instance. Select the "A unique instance" option and click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix
ADAM_ added to it, names the service; for example, if you enter the name
portal1, the service name is ADAM_portal1. Click Next to display the window that the
figure at http://www.windowsitpro.com/articles/images/adaminst2.gif shows.
7. Next, you must specify the Lightweight Directory Access Protocol (LDAP) ports to
use. By default, the ports are 389 for regular communications and 636 for Secure
Sockets Layer (SSL)-encrypted LDAP communications. If you're installing ADAM on an
existing domain controller (DC), these ports are already in use, so you'll have to
select other ports. Also, if you're installing a second instance of ADAM on a system
and the first instance already uses ports 389 and 636, you'll need to select different
port numbers. The recommended custom ports start at 50000, so you could use
50000 for LDAP and 50001 for SSL. Enter your port numbers and click Next.
8. You're then asked whether you want to create an application partition. If you
select "Yes, create an application directory partition", you must enter a valid partition
name--for example,
"cn=App1,o=Savilltech,c=US"
Click Next.
9. Choose the location for the database files and recovery files. You can accept the
defaults (C:\program files\microsoft adam\\data) or enter a custom location. Click
Next.
10. Specify the account to run the ADAM service. In most cases you can use the
default, "Network service account." Click Next. When the machine on which you're
installing ADAM isn't in a domain and you select the Network service account, the
wizard tells you that ADAM won't be able to replicate with other machines.
11. Next, you're prompted to specify the ADAM default administrator. By default,
this is the current user; alternatively, you can select "This account" and specify a
different user or group--for example, the Domain Admins group. Click Next.
12. At the window that the figure at
http://www.windowsitpro.com/articles/images/adaminst4.gif shows, you can select
the LDAP Data Interchange Format (LDIF) files to load. LDIF files define attributes and
classes that will be added to your schema. For example, you can add the
MS-InetOrgPerson type (i.e., the InetOrgPerson user definition). Select the "Import the
selected LDIF files for this instance of ADAM" option, add the .ldf files you want to
import to the "Selected LDIF files" list, and click Next.
13. At the summary screen, click Next.
14. After the ADAM installation is done, click Finish.

ADAM is now installed. You can check your installation by starting the ADAM ADSI
Edit tool and making sure you can connect. If you run the command “net start” at a
command prompt, you'll see a service listed that's the name of your instance
(without the ADAM_ prefix). If you received an error during installation about creating
a folder in the \windows\adam folder, simply manually create an empty \adam folder
under the \windows folder and retry the installation.

Q. How can I add an Active Directory Application Mode (ADAM) replica to an existing ADAM instance?

A. ADAM lets you replicate partitions between ADAM servers. Like trees in an AD
forest, the ADAM servers must share a common configuration and schema to
replicate a partition. To add a replica to an existing ADAM instance, perform the
following steps:
1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen,
click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM administration
tools" and click Next.
5. You can now select the type of instance to create--a new unique instance or a
replica of an existing instance. Select the "A replica of an existing instance" option
and click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix
ADAM_ added to it, names the service--for example, if you enter the name
portal1, the service name is ADAM_portal1. Click Next. To simplify matters, you might
want to give this instance the same name as the instance you're replicating from.
7. Next, you're asked to specify the Lightweight Directory Access Protocol (LDAP)
ports to use. Enter the port numbers you want and click Next. For more information
about LDAP ports, see the FAQ "How can I install Active Directory Application Mode
(ADAM)?".
8. At the window that the figure at
http://www.windowsitpro.com/articles/images/adamreplicaadd1.gif shows, enter the
existing server name and the number of its LDAP port that you want to join. (Specify
a host or DNS name for the server name, not an IP address.) Click Next.
9. You're asked for credentials to be used to add this ADAM instance to the existing
configuration set. Either select the current logged-on account or enter an account to
use; click Next.
10. A list of partitions that are available on the existing ADAM server is displayed.
Select the partitions you want to replicate and click Next.
11. Proceed with the steps as if you're performing a unique ADAM installation, as
described in "How can I install Active Directory Application Mode (ADAM)?".

Q. How can I verify that my Active Directory Application Mode (ADAM) partition replica addition worked?

A. On the replica server, open the ADAM version of the Microsoft Management
Console (MMC) ADSI Edit snap-in (Start, Programs, ADAM, ADAM ADSI Edit) and
connect to the replicated partition by following these steps:
1. Start the ADAM ADSI Edit tool on the replica server.
2. Right-click the ADAM ADSI Edit root in the treeview pane and select "Connect to."
3. Enter a connection name and leave the server name as localhost and the port as
389 (unless you changed the port during installation).
4. Under "Connect to the following node," select the "Distinguished name (DN) or
naming context" option, which the figure at
http://www.windowsitpro.com/articles/images/adamconnectpart.gif shows, and enter
the name of the partition you've replicated.
5. Click OK.

If the replica addition works, ADSI Edit should now display the contents of your
partition. It's a good idea to create an object in one copy of the replica and make
sure it's replicated to the other members of the replica set. If the partition isn't
cached, it hasn't replicated. If this occurs, you could try stopping and starting the
ADAM service on the replica system, then try to reconnect.

Q. How can I create an object under Active Directory Application Mode (ADAM)?

A. Because ADAM is primarily used by applications, each application that uses an
ADAM instance typically creates and manages the objects within it. However, you can
use the Microsoft Management Console (MMC) ADAM ADSI Edit tool to create objects,
although doing so on a large scale isn't advisable because it's time-consuming. To
use the ADAM ADSI Edit tool to create objects, perform these steps:

1. Start the ADAM ADSI Edit tool.
2. Right-click the ADAM ADSI Edit root in the treeview pane and select "Connect to."
3. Enter a connection name and leave the server name as localhost and the port as
389 (unless you changed the port during installation).
4. Under "Connect to the following node," select the "Distinguished name (DN) or
naming context" option and enter the partition name.
5. Right-click the partition name or a container within it and select New, Object
from the context menu, which the figure at
http://www.windowsitpro.com/articles/images/adamcreateobj1.gif shows.
6. A dialog box appears that contains a list of the available object types you can
create. (The list contents vary depending on which LDAP Data Interchange Format--
LDIF--files you loaded into ADAM.) Select an object type (e.g., user) and click Next.
7. Enter the object's name (i.e., the cn value)--for example, John Savill--and click
Next.
8. You can now either click Finish or click More Attributes, which lets you set values
for optional attributes. Set any attributes as required, then click Finish.
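
Creating objects one at a time in ADSI Edit does not scale, and the article already notes that ADAM loads LDIF files. The following is an added example, not part of the original article: Python that builds LDIF add records under the article's sample partition, escaping DN values (RFC 4514) and base64-encoding unsafe attribute values (RFC 2849) so that names taken from untrusted input cannot alter the DN or start extra LDIF lines. The sample people and the `description` attribute are assumptions.

```python
import base64
import re

# Partition DN and "user" class are the article's; the people and the
# description attribute are constructed sample data (assumptions).
PARTITION = "cn=App1,o=Savilltech,c=US"
SAMPLE_PEOPLE = [
    ("John Savill", {"description": "Created from LDIF"}),
    ("Smith, Jane", {"description": "first line\nsecond line"}),
    ("Zoë Müller", {}),
]
# RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, no leading space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def escape_rdn_value(value):
    """RFC 4514 escaping, so ',' or '+' in a name cannot alter the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append("\\00" if ch == "\x00" else ch)
    return "".join(out)

def ldif_line(attr, value):
    """One attribute line; unsafe values are base64-encoded ('::') so a
    newline or leading colon in the data cannot start a new LDIF line."""
    if not _ATTR_NAME.fullmatch(attr):
        raise ValueError(f"illegal attribute name: {attr!r}")
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_entry(cn, attrs, parent=PARTITION, object_class="user"):
    """Build one 'changetype: add' record for an object under the partition."""
    lines = [ldif_line("dn", f"cn={escape_rdn_value(cn)},{parent}"),
             "changetype: add",
             ldif_line("objectClass", object_class), ldif_line("cn", cn)]
    lines += [ldif_line(name, val) for name, val in attrs.items()]
    return "\n".join(lines)

def build_ldif(people):
    """Join records with the blank line LDIF requires between entries."""
    return "\n\n".join(user_entry(cn, attrs) for cn, attrs in people) + "\n"

if __name__ == "__main__":
    print(build_ldif(SAMPLE_PEOPLE), end="")
```

Importing the generated file into the instance (for example with an LDIF import tool pointed at the instance's LDAP port) is outside the scope of this example.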
