How to Set Up Windows Server 2016 Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is a role in Windows Server 2016 that provides directory services for applications without requiring a full Active Directory domain deployment. AD LDS uses the same LDAP-based directory technology as Active Directory Domain Services (AD DS), but operates as an independent instance that does not require a domain controller. This makes it ideal for application-specific directories, extranet portals, software-as-a-service applications, and scenarios where you need a directory store that is isolated from your production AD DS environment.

Each AD LDS instance has its own schema, configuration, and data partitions, and multiple instances can run on the same server. AD LDS instances can also replicate data to other AD LDS instances for high availability.

Step 1: Install the AD LDS Role

AD LDS is available as a server role in Windows Server 2016. Install it using Server Manager or PowerShell:

Install-WindowsFeature -Name ADLDS -IncludeManagementTools

Verify the role was installed successfully:

Get-WindowsFeature -Name ADLDS

Step 2: Create a New AD LDS Instance

After installing the role, use the Active Directory Lightweight Directory Services Setup Wizard to create a new instance. Launch it from the Start menu or run:

adaminstall

During the wizard, you will configure:

Instance Name: AppDirectory
LDAP Port: 50000
LDAPS Port: 50001
Application Directory Partition DN: CN=AppData,DC=appdir,DC=local
Service Account: Network Service (or a dedicated service account)
AD LDS Administrators: DomainAdminGroup

Use non-default ports (not 389/636) to avoid conflicts with AD DS on domain controllers.

Step 3: Verify the AD LDS Instance is Running

After setup completes, verify that the AD LDS service is running. The service name follows the pattern ADAM_InstanceName:

Get-Service -Name "ADAM_AppDirectory"

Check that the instance is listening on the configured ports:

netstat -an | findstr ":50000 :50001"
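The two checks above can be folded into one function that also confirms which account the instance service runs under, since a directory service running as an over-privileged account is the usual mistake at this step. This is an added example, not part of the original article; it assumes the instance name and ports from Step 2 (AppDirectory, 50000/50001) and that the chosen service account is Network Service, so adjust the parameters for your deployment.

```powershell
# Added example: health check for the AD LDS instance created in Step 2.
# Assumes instance name AppDirectory, ports 50000/50001 and Network Service
# as the service account (all taken from the article); change as needed.
function Test-AdLdsInstance {
    param(
        [string]$InstanceName = 'AppDirectory',
        [int[]]$Ports = @(50000, 50001),
        # Account the service is expected to run as (assumed value).
        [string]$ExpectedAccount = 'NT AUTHORITY\NetworkService'
    )

    $serviceName = "ADAM_$InstanceName"
    $result = [ordered]@{
        Service        = $serviceName
        Running        = $false
        LogOnAs        = $null
        AccountOk      = $false
        ListeningPorts = @()
        MissingPorts   = @()
    }

    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $serviceName not found"
        return [pscustomobject]$result
    }
    $result.Running = ($svc.Status -eq 'Running')

    # Win32_Service exposes the logon account. A least-privilege account
    # (Network Service or a dedicated low-privilege account) is expected here.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
    $result.LogOnAs   = $cim.StartName
    $result.AccountOk = ($cim.StartName -eq $ExpectedAccount)

    # Only sockets in LISTEN state count; established client connections are ignored.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    $result.ListeningPorts = @($listening)
    $result.MissingPorts   = @($Ports | Where-Object { $listening -notcontains $_ })

    return [pscustomobject]$result
}

Test-AdLdsInstance | Format-List
```

Run it as an administrator on the AD LDS host. A Running=True result with MissingPorts containing 50001 is the common case where the LDAPS port was configured but no server certificate has been installed for the instance, so the SSL listener never comes up.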

Step 4: Connect to the AD LDS Instance with ADSI Edit

Open ADSI Edit (adsiedit.msc) and connect to the AD LDS instance by specifying the server name and port:

Server: localhost:50000
Connection Point: CN=AppData,DC=appdir,DC=local

Alternatively, use PowerShell to connect and query the instance:

$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://localhost:50000/CN=AppData,DC=appdir,DC=local"
)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(objectClass=*)"
$searcher.FindAll() | Select-Object -ExpandProperty Path
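The DirectoryEntry query above connects to the plaintext LDAP port, which is fine for anonymous or Windows-integrated binds on the local machine but sends the password in the clear if a simple bind is used. The following added example (not code from the original article) performs the same query over the LDAPS port from Step 2 using System.DirectoryServices.Protocols, and then reads the instance's bind-security settings from its configuration partition so you can see whether plaintext simple binds are still accepted. Server name, ports and partition DN are the article's values; the credential is prompted for.

```powershell
# Added example: LDAPS bind and query against the AD LDS instance from Step 2,
# plus a read of the instance's msDS-Other-Settings. Assumes localhost, port
# 50001 for LDAPS and the CN=AppData,DC=appdir,DC=local partition.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-AdLdsSecure {
    param(
        [string]$Server = 'localhost',
        [int]$LdapsPort = 50001,
        [pscredential]$Credential = (Get-Credential -Message 'AD LDS account (DN for AD LDS users)')
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $LdapsPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()   # throws LdapException if the certificate or credentials are rejected
    return $conn
}

function Get-AdLdsEntries {
    param(
        $Connection,
        [string]$BaseDn = 'CN=AppData,DC=appdir,DC=local',
        [string]$Filter = '(objectClass=*)'
    )
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName'))
    $resp = $Connection.SendRequest($req)
    return $resp.Entries | ForEach-Object { $_.DistinguishedName }
}

function Get-AdLdsBindSettings {
    # Reads msDS-Other-Settings from CN=Directory Service in the instance's
    # configuration partition. RequireSecureSimpleBind=0 (the default) means
    # simple binds are still accepted over the plaintext LDAP port.
    param($Connection)
    $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('configurationNamingContext'))
    $rootDse  = $Connection.SendRequest($rootReq).Entries[0]
    $configNc = $rootDse.Attributes['configurationNamingContext'].GetValues([string])[0]

    $dsReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Directory Service,CN=Windows NT,CN=Services,$configNc", '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('msDS-Other-Settings'))
    $entry = $Connection.SendRequest($dsReq).Entries[0]

    $settings = @{}
    foreach ($v in $entry.Attributes['msDS-Other-Settings'].GetValues([string])) {
        $name, $value = $v -split '=', 2    # values look like "RequireSecureSimpleBind=0"
        $settings[$name] = $value
    }
    return $settings
}

$conn = Connect-AdLdsSecure
Get-AdLdsEntries -Connection $conn

$settings = Get-AdLdsBindSettings -Connection $conn
if ($settings['RequireSecureSimpleBind'] -ne '1') {
    Write-Warning 'RequireSecureSimpleBind is not 1: simple binds are accepted over plaintext LDAP (port 50000)'
}
$conn.Dispose()
```

For an AD LDS security principal the user name entered at the prompt is the object's full DN (for example CN=JohnDoe,CN=AppData,DC=appdir,DC=local); for a Windows account on the host, switch AuthType to Negotiate instead of Basic. The bind fails until a server certificate the instance can use has been installed, which is the same precondition as the LDAPS listener in Step 3.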

Step 5: Extend the AD LDS Schema

AD LDS includes a reduced schema by default. You can extend it with additional object classes and attributes from the LDF files included with Windows Server 2016. Import a schema extension using ldifde:

ldifde -i -f "C:\Windows\ADAM\MS-InetOrgPerson.ldf" `
    -s "localhost:50000" `
    -k -j "C:\Logs" `
    -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"

Common schema LDF files available in Windows Server 2016 include:

MS-InetOrgPerson.ldf
MS-User.ldf
MS-UserProxy.ldf
MS-UserProxyFull.ldf
MS-ADLDS-DisplaySpecifiers.ldf

Step 6: Create Users in AD LDS

AD LDS uses its own user objects that are separate from AD DS users. Create a user in the AD LDS partition using ldifde or ADSI Edit. Create a text file with the user definition:

dn: CN=JohnDoe,CN=AppData,DC=appdir,DC=local
changetype: add
objectClass: user
cn: JohnDoe
sAMAccountName: johndoe
userPrincipalName: [email protected]
displayName: John Doe

Import it with ldifde:

ldifde -i -f C:\NewUser.ldf -s localhost:50000
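An object imported from the LDIF above is not yet usable: AD LDS creates user objects disabled and has no password set. The added example below (not code from the original article) creates the same user through ADSI and then completes those two steps. It assumes the user class is present (MS-User.ldf from Step 5 must have been imported), the partition DN and ports from Step 2, and that a server certificate is installed for the instance, because AD LDS by default accepts password operations only over an SSL-protected connection, so the password step binds to the LDAPS port.

```powershell
# Added example: create an AD LDS user via ADSI, set its password over LDAPS
# and enable it. Assumes the article's partition DN and ports (50000/50001)
# and that MS-User.ldf has been imported so the "user" class exists.
function New-AdLdsUser {
    param(
        [Parameter(Mandatory)][string]$Cn,
        [string]$DisplayName,
        [string]$PartitionDn = 'CN=AppData,DC=appdir,DC=local',
        [string]$Server = 'localhost',
        [int]$LdapPort = 50000,
        [int]$LdapsPort = 50001
    )

    # 1. Create the object. No secret is transmitted here, so the plain LDAP
    #    port is acceptable for this step.
    $container = [ADSI]"LDAP://${Server}:${LdapPort}/$PartitionDn"
    $user = $container.Create('user', "CN=$Cn")
    if ($DisplayName) { $user.Put('displayName', $DisplayName) }
    $user.SetInfo()

    # 2. Set the password over LDAPS. The SecureSocketsLayer flag makes ADSI
    #    negotiate SSL on the given port instead of a plaintext simple bind.
    $secure = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${LdapsPort}/CN=$Cn,$PartitionDn", $null, $null,
        [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
    $pwd   = Read-Host -Prompt "Initial password for $Cn" -AsSecureString
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $secure.Invoke('SetPassword', $plain)
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    # 3. Enable the account. AD LDS uses msDS-UserAccountDisabled rather than
    #    the userAccountControl bit mask that AD DS uses.
    $secure.Put('msDS-UserAccountDisabled', $false)
    $secure.SetInfo()

    return $secure.Properties['distinguishedName'].Value
}

New-AdLdsUser -Cn 'JohnDoe' -DisplayName 'John Doe'
```

Keeping password operations on the LDAPS port rather than relaxing the instance's SSL requirement is the intended configuration; the plaintext port then only ever carries the object creation and attribute edits.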

Step 7: Configure Replication Between AD LDS Instances

For high availability, configure replication between two AD LDS instances on different servers. First, install AD LDS on the second server and create an instance. Then, join the second instance to the replication set:

adaminstall /instance:AppDirectory `
    /replica:server01.yourdomain.com:50000 `
    /partition:CN=AppData,DC=appdir,DC=local

Step 8: Backup and Restore AD LDS

Use the ntdsutil command to back up the AD LDS database:

ntdsutil "activate instance AppDirectory" "ifm" "create full C:\ADLDSBackup" quit quit

AD LDS provides a flexible, lightweight directory solution for Windows Server 2016 applications that need directory services without the overhead of a full domain. Its compatibility with standard LDAP makes it suitable for integration with virtually any LDAP-aware application or service.