| 1 | +--- |
| 2 | +title: Preparing for Azure AD Provisioning to Active Directory Lightweight Directory Services (preview) |
| 3 | +description: This document describes how to configure Azure AD to provision users into Active Directory Lightweight Directory Services as an example of an LDAP directory. |
| 4 | +services: active-directory |
| 5 | +author: billmath |
| 6 | +manager: amycolannino |
| 7 | +ms.service: active-directory |
| 8 | +ms.subservice: app-provisioning |
| 9 | +ms.topic: how-to |
| 10 | +ms.workload: identity |
| 11 | +ms.date: 11/15/2022 |
| 12 | +ms.author: billmath |
| 13 | +ms.reviewer: arvinh |
| 14 | +--- |
| 15 | + |
| 16 | +# Prepare Active Directory Lightweight Directory Services for provisioning from Azure AD |
| 17 | + |
| 18 | +The following documentation provides tutorial information demonstrating how to prepare an Active Directory Lightweight Directory Services (AD LDS) installation. This can be used as an example LDAP directory for troubleshooting or to demonstrate [how to provision users from Azure AD into an LDAP directory](on-premises-ldap-connector-configure.md). |
| 19 | + |
| 20 | +## Prepare the LDAP directory |
| 21 | + |
| 22 | +If you do not already have a directory server, the following information is provided to help create a test AD LDS environment. This setup uses PowerShell and the ADAMInstall.exe with an answers file. This document does not cover in-depth information on AD LDS. For more information, see [Active Directory Lightweight Directory Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831593(v=ws.11)). |
| 23 | + |
| 24 | +If you already have AD LDS or another directory server, you can skip this content, and continue at the [Tutorial: ECMA Connector Host generic LDAP connector](on-premises-ldap-connector-configure.md) for installing and configuring the ECMA connector host. |
| 25 | + |
| 26 | +### Create an SSL certificate, a test directory and install AD LDS. |
| 27 | +Use the PowerShell script from [Appendix A](#appendix-a---install-ad-lds-powershell-script). The script performs the following actions: |
| 28 | + 1. Creates a self-signed certificate that will be used by the LDAP connector. |
| 29 | + 2. Creates a directory for the feature install log. |
| 30 | + 3. Exports the certificate in the personal store to the directory. |
| 31 | + 4. Imports the certificate to the trusted root of the local machine. |
| 32 | + 5. Installs the AD LDS role on our virtual machine. |
| 33 | + |
| 34 | +On the Windows Server virtual machine where you are using to test the LDAP connector, edit the script to match your computer name, and then run the script using Windows PowerShell with administrative privileges. |
| 35 | + |
| 36 | +### Create an instance of AD LDS |
| 37 | +Now that the role has been installed, you need to create an instance of AD LDS. To create an instance, you can use the answer file provided below. This file will install the instance quietly without using the UI. |
| 38 | + |
| 39 | +Copy the contents of [Appendix B](#appendix-b---answer-file) in to notepad and save it as **answer.txt** in **"C:\Windows\ADAM"**. |
| 40 | + |
| 41 | +Now open a cmd prompt with administrative privileges and run the following executable: |
| 42 | + |
| 43 | +``` |
| 44 | +C:\Windows\ADAM> ADAMInstall.exe /answer:answer.txt |
| 45 | +``` |
| 46 | + |
| 47 | +### Create containers and a service account for AD LDS |
| 48 | +The use the PowerShell script from [Appendix C](#appendix-c---populate-ad-lds-powershell-script). The script performs the following actions: |
| 49 | + 1. Creates a container for the service account that will be used with the LDAP connector. |
| 50 | + 1. Creates a container for the cloud users, where users will be provisioned to. |
| 51 | + 1. Creates the service account in AD LDS. |
| 52 | + 1. Enables the service account. |
| 53 | + 1. Adds the service account to the AD LDS Administrators role. |
| 54 | + |
| 55 | +On the Windows Server virtual machine, you are using to test the LDAP connector run the script using Windows PowerShell with administrative privileges. |
| 56 | + |
| 57 | +### Grant the NETWORK SERVICE read permissions to the SSL certificate |
| 58 | +In order to enable SSL to work, you need to grant the NETWORK SERVICE read permissions to our newly created certificate. To grant permissions, use the following steps. |
| 59 | + |
| 60 | + 1. Navigate to **C:\Program Data\Microsoft\Crypto\Keys**. |
| 61 | + 2. Right-click on the system file located here. It will be a guid. This container is storing our certificate. |
| 62 | + 1. Select properties. |
| 63 | + 1. At the top, select the **Security** tab. |
| 64 | + 1. Select **Edit**. |
| 65 | + 1. Click **Add**. |
| 66 | + 1. In the box, enter **Network Service** and select **Check Names**. |
| 67 | + 1. Select **NETWORK SERVICE** from the list and click **OK**. |
| 68 | + 1. Click **Ok**. |
| 69 | + 1. Ensure the Network service account has read and read & execute permissions and click **Apply** and **OK**. |
| 70 | + |
| 71 | +### Verify SSL connectivity with AD LDS |
| 72 | +Now that we have configured the certificate and granted the network service account permissions, test the connectivity to verify that it is working. |
| 73 | + 1. Open Server Manager and select AD LDS on the left |
| 74 | + 2. Right-click your instance of AD LDS and select ldp.exe from the pop-up. |
| 75 | + [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-1.png#lightbox)</br> |
| 76 | + 3. At the top of ldp.exe, select **Connection** and **Connect**. |
| 77 | + 4. Enter the following information and click **OK**. |
| 78 | + - Server: APP3 |
| 79 | + - Port: 636 |
| 80 | + - Place a check in the SSL box |
| 81 | + [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-2.png#lightbox)</br> |
| 82 | + 5. You should see a response similar to the screenshot below. |
| 83 | + [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png#lightbox)</br> |
| 84 | + 6. At the top, under **Connection** select **Bind**. |
| 85 | + 7. Leave the defaults and click **OK**. |
| 86 | + [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-4.png#lightbox)</br> |
| 87 | + 8. You should now, successfully bind to the instance. |
| 88 | + [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-5.png#lightbox)</br> |
| 89 | + |
| 90 | +### Disable the local password policy |
| 91 | +Currently, the LDAP connector provisions users with a blank password. This provisioning will not satisfy the local password policy on our server so we are going to disable it for testing purposes. To disable password complexity, on a non-domain-joined server, use the following steps. |
| 92 | + |
| 93 | +>[!IMPORTANT] |
| 94 | +>Because on-going password sync is not a feature of on-premises LDAP provisioning, Microsoft recommends that AD LDS is used specifically with federated applications, when used in conjunction with AD DS, or when updating existing users in an instance of AD LDS. |
| 95 | +
|
| 96 | + 1. On the server, click **Start**, **Run**, and then **gpedit.msc** |
| 97 | + 2. On the **Local Group Policy editor**, navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy |
| 98 | + 3. On the right, double-click **Password must meet complexity requirements** and select **Disabled**. |
| 99 | + [](../../../includes/media/active-directory-app-provisioning-ldap/local-1.png#lightbox)</br> |
| 100 | + 5. Click **Apply** and **Ok** |
| 101 | + 6. Close the Local Group Policy editor |
| 102 | + |
| 103 | + |
| 104 | +Next, continue in the guidance to [provision users from Azure AD into an LDAP directory](on-premises-ldap-connector-configure.md) to download and configure the provisioning agent. |
| 105 | + |
| 106 | +## Appendix A - Install AD LDS PowerShell script |
| 107 | +The following PowerShell script can be used to automate the installation of Active Directory Lightweight Directory Services. You'll need to edit the script to match your environment; in particular, change `APP3` to the hostname of your computer. |
| 108 | + |
| 109 | + |
| 110 | + |
| 111 | +```powershell |
| 112 | +# Filename: 1_SetupADLDS.ps1 |
| 113 | +# Description: Creates a certificate that will be used for SSL and installs Active Directory Lighetweight Directory Services. |
| 114 | +# |
| 115 | +# DISCLAIMER: |
| 116 | +# Copyright (c) Microsoft Corporation. All rights reserved. This |
| 117 | +# script is made available to you without any express, implied or |
| 118 | +# statutory warranty, not even the implied warranty of |
| 119 | +# merchantability or fitness for a particular purpose, or the |
| 120 | +# warranty of title or non-infringement. The entire risk of the |
| 121 | +# use or the results from the use of this script remains with you. |
| 122 | +# |
| 123 | +# |
| 124 | +# |
| 125 | +# |
| 126 | +#Declare variables |
| 127 | +$DNSName = 'APP3' |
| 128 | +$CertLocation = 'cert:\LocalMachine\MY' |
| 129 | +$logpath = "c:\" |
| 130 | +$dirname = "test" |
| 131 | +$dirtype = "directory" |
| 132 | +$featureLogPath = "c:\test\featurelog.txt" |
| 133 | +
|
| 134 | +#Create a new self-signed certificate |
| 135 | +New-SelfSignedCertificate -DnsName $DNSName -CertStoreLocation $CertLocation |
| 136 | +
|
| 137 | +#Create directory |
| 138 | +New-Item -Path $logpath -Name $dirname -ItemType $dirtype |
| 139 | +
|
| 140 | +#Export the certifcate from the local machine personal store |
| 141 | +Get-ChildItem -Path cert:\LocalMachine\my | Export-Certificate -FilePath c:\test\allcerts.sst -Type SST |
| 142 | +
|
| 143 | +#Import the certificate in to the trusted root |
| 144 | +Import-Certificate -FilePath "C:\test\allcerts.sst" -CertStoreLocation cert:\LocalMachine\Root |
| 145 | +
|
| 146 | +
|
| 147 | +#Install AD LDS |
| 148 | +start-job -Name addFeature -ScriptBlock { |
| 149 | +Add-WindowsFeature -Name "ADLDS" -IncludeAllSubFeature -IncludeManagementTools |
| 150 | + } |
| 151 | +Wait-Job -Name addFeature |
| 152 | +Get-WindowsFeature | Where installed >>$featureLogPath |
| 153 | +
|
| 154 | +
|
| 155 | + ``` |
| 156 | + |
| 157 | +## Appendix B - Answer file |
| 158 | +This file is used to automate and create an instance of AD LDS. You will edit this file to match your environment; in particular, change `APP3` to the hostname of your server. |
| 159 | + |
| 160 | +>[!IMPORTANT] |
| 161 | +> This script uses the local administrator for the AD LDS service account and has its password hard-coded in the answers. This action is for **testing only** and should never be used in a production environment. |
| 162 | +> |
| 163 | +> If you are installing AD LDS on a domain controller and not a member or standalone server, you will need to change the LocalLDAPPortToListenOn and LocalSSLPortToListonOn to something other than the well-known ports for LDAP and LDAP over SSL. For example, LocalLDAPPortToListenOn=51300 and LocalSSLPortToListenOn=51301. |
| 164 | +
|
| 165 | +``` |
| 166 | + [ADAMInstall] |
| 167 | + InstallType=Unique |
| 168 | + InstanceName=AD-APP-LDAP |
| 169 | + LocalLDAPPortToListenOn=389 |
| 170 | + LocalSSLPortToListenOn=636 |
| 171 | + NewApplicationPartitionToCreate=CN=App,DC=contoso,DC=lab |
| 172 | + DataFilesPath=C:\Program Files\Microsoft ADAM\AD-APP-LDAP\data |
| 173 | + LogFilesPath=C:\Program Files\Microsoft ADAM\AD-APP-LDAP\data |
| 174 | + ServiceAccount=APP3\Administrator |
| 175 | + ServicePassword=Pa$$Word1 |
| 176 | + AddPermissionsToServiceAccount=Yes |
| 177 | + Administrator=APP3\Administrator |
| 178 | + ImportLDIFFiles="MS-User.LDF" |
| 179 | + SourceUserName=APP3\Administrator |
| 180 | + SourcePassword=Pa$$Word1 |
| 181 | + ``` |
| 182 | +## Appendix C - Populate AD LDS PowerShell script |
| 183 | +PowerShell script to populate AD LDS with containers and a service account. |
| 184 | + |
| 185 | + |
| 186 | + |
| 187 | +```powershell |
| 188 | +# Filename: 2_PopulateADLDS.ps1 |
| 189 | +# Description: Populates our AD LDS environment with 2 containers and a service account |
| 190 | +
|
| 191 | +# DISCLAIMER: |
| 192 | +# Copyright (c) Microsoft Corporation. All rights reserved. This |
| 193 | +# script is made available to you without any express, implied or |
| 194 | +# statutory warranty, not even the implied warranty of |
| 195 | +# merchantability or fitness for a particular purpose, or the |
| 196 | +# warranty of title or non-infringement. The entire risk of the |
| 197 | +# use or the results from the use of this script remains with you. |
| 198 | +# |
| 199 | +# |
| 200 | +# |
| 201 | +# |
| 202 | +# Create service accounts container |
| 203 | +New-ADObject -Name "ServiceAccounts" -Type "container" -Path "CN=App,DC=contoso,DC=lab" -Server "APP3:389" |
| 204 | +Write-Output "Creating ServiceAccounts container" |
| 205 | +
|
| 206 | +# Create cloud users container |
| 207 | +New-ADObject -Name "CloudUsers" -Type "container" -Path "CN=App,DC=contoso,DC=lab" -Server "APP3:389" |
| 208 | +Write-Output "Creating CloudUsers container" |
| 209 | +
|
| 210 | +# Create a new service account |
| 211 | +New-ADUser -name "svcAccountLDAP" -accountpassword (ConvertTo-SecureString -AsPlainText 'Pa$$1Word' -Force) -Displayname "LDAP Service Account" -server 'APP3:389' -path "CN=ServiceAccounts,CN=App,DC=contoso,DC=lab" |
| 212 | +Write-Output "Creating service account" |
| 213 | +
|
| 214 | +# Enable the new service account |
| 215 | +Enable-ADAccount -Identity "CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab" -Server "APP3:389" |
| 216 | +Write-Output "Enabling service account" |
| 217 | +
|
| 218 | +# Add the service account to the Administrators role |
| 219 | +Get-ADGroup -Server "APP3:389" -SearchBase "CN=Administrators,CN=Roles,CN=App,DC=contoso,DC=lab" -Filter "name -like 'Administrators'" | Add-ADGroupMember -Members "CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab" |
| 220 | +Write-Output "Adding service accounnt to Administrators role" |
| 221 | +
|
| 222 | +
|
| 223 | + ``` |
| 224 | + |
| 225 | +## Next steps |
| 226 | + |
| 227 | +- [Tutorial: ECMA Connector Host generic LDAP connector](on-premises-ldap-connector-configure.md) |
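Review bot: In Appendix C the account created by `New-ADUser -name "svcAccountLDAP"` does not match the identity the next two commands use, `Enable-ADAccount -Identity "CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab"` and `Add-ADGroupMember -Members "CN=svcAccount,..."`, so the enable and Administrators-role steps will fail with an object-not-found error and the connector account is left disabled and without the role; use one CN (for example `svcAccountLDAP`) in all three lines. Also in Appendix C, each `Write-Output "Creating ..."` runs after the cmdlet it announces, so move it ahead of the action or reword it to past tense, and fix the comment typo `accounnt`. In Appendix A, `Get-ChildItem -Path cert:\LocalMachine\my | Export-Certificate` exports every certificate in the machine personal store and the following `Import-Certificate ... -CertStoreLocation cert:\LocalMachine\Root` then adds all of them as trusted roots; capture the object returned by `New-SelfSignedCertificate` in a variable and export and import only that certificate (and fix `Lighetweight` and `certifcate` in the comments). Appendix C also hard-codes a plaintext service-account password (`'Pa$$1Word'`, which differs from the `Pa$$Word1` used in Appendix B) without the testing-only IMPORTANT callout that Appendix B carries; add the same callout or read the value with `Read-Host -AsSecureString`. Prose nits: "The use the PowerShell script" in the containers section, "where you are using to test" in the certificate section, `LocalSSLPortToListonOn` in the Appendix B callout, and the gpedit steps jump from 3 to 5.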