How to Set Up Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2012 R2
Active Directory Lightweight Directory Services (AD LDS), formerly known as ADAM (Active Directory Application Mode), is a standalone LDAP directory service that provides directory functionality for applications that do not require the full infrastructure of Active Directory Domain Services. AD LDS is ideal for scenarios where you need a dedicated directory for application-specific data, want to avoid extending the AD DS schema, need to run multiple independent directory instances on a single server, or need to provide directory services for extranet applications that shouldn’t store data in your production AD. This guide covers installing and configuring AD LDS on Windows Server 2012 R2.
Prerequisites
AD LDS can be installed on any Windows Server 2012 R2 member server, workstation (Windows 8), or standalone server — it does not require domain membership. The account performing the installation needs local Administrator rights. You should plan the following before installation: the instance name, the LDAP port (default 389, but choose another if AD DS is also installed), the SSL port (default 636), whether to import any LDIF schema files, and the distinguished name of the application directory partition.
Installing the AD LDS Role
# Install the AD LDS role
Install-WindowsFeature ADLDS -IncludeManagementTools
# Verify installation
Get-WindowsFeature ADLDS
Creating an AD LDS Instance
After installing the role, create an AD LDS instance using the Active Directory Lightweight Directory Services Setup Wizard (adaminstall.exe) or an answer file for unattended setup. Creating via an answer file provides repeatable, scriptable deployments:
# Create an answer file for unattended AD LDS installation
# ServicePassword stays empty for the built-in Network Service account
$answerFile = @"
[ADAMInstall]
InstallType=Unique
InstanceName=AppDirectory
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=CN=AppData,DC=appdir,DC=local
DataFilesPath=C:\Windows\ADAM\AppDirectory\data
LogFilesPath=C:\Windows\ADAM\AppDirectory\logs
ServiceAccount=NT AUTHORITY\NetworkService
ServicePassword=
Administrator=CONTOSO\AppDirAdmins
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF"
"@
$answerFile | Out-File "C:\temp\adlds-answer.txt" -Encoding ASCII
# Install AD LDS using the answer file (adaminstall.exe ships in %SystemRoot%\ADAM)
& "$env:SystemRoot\ADAM\adaminstall.exe" /answer:"C:\temp\adlds-answer.txt"
If using the GUI wizard, run adaminstall.exe from the command line or from the Server Manager Administrative Tools menu. The wizard will prompt for all the parameters above. Choose a unique port (above 1024) that does not conflict with AD DS or other services. Common choices are 50000 for LDAP and 50001 for LDAPS.
Verifying the AD LDS Instance
# Verify the AD LDS service is running (each instance is a service named ADAM_<InstanceName>)
Get-Service ADAM_AppDirectory
# Check that the instance is listening on its LDAP and SSL ports
Get-NetTCPConnection -LocalPort 50000,50001 -State Listen
# List all installed AD LDS instances on this server
Get-Service -Name 'ADAM_*'
# Test LDAP connectivity to the AD LDS instance
Test-NetConnection -ComputerName localhost -Port 50000
# Connect using ldp.exe (run from command line)
ldp.exe
# In LDP: Connection > Connect > Server: localhost, Port: 50000, leave "Connectionless" unchecked
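The checks above can be rolled into one repeatable function. The following is an added example (not from the original guide) that verifies the service, both listeners, the presence of the application partition in RootDSE, and whether the LDAPS endpoint actually completes a bind; it assumes the instance name, ports and partition DN used in the answer file.

```powershell
# Added verification example, not from the original guide. Checks what must hold before an
# application is pointed at the instance: service, listeners, application partition, and a
# working LDAPS endpoint. Instance name, ports and partition DN come from the answer file above.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdsInstance {
    param(
        [string]$InstanceName = 'AppDirectory',
        [string]$Server       = 'localhost',
        [int]$LdapPort        = 50000,
        [int]$SslPort         = 50001,
        [string]$PartitionDn  = 'CN=AppData,DC=appdir,DC=local'
    )
    $result = [ordered]@{}

    # 1. Every AD LDS instance runs as a service named ADAM_<InstanceName> (process dsamain.exe)
    $svc = Get-Service -Name "ADAM_$InstanceName" -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Both configured ports have a listener
    $result.LdapListening = [bool](Get-NetTCPConnection -LocalPort $LdapPort -State Listen -ErrorAction SilentlyContinue)
    $result.SslListening  = [bool](Get-NetTCPConnection -LocalPort $SslPort  -State Listen -ErrorAction SilentlyContinue)

    # 3. RootDSE is readable without credentials and lists the partitions the instance hosts;
    #    the application partition from the answer file must be among them
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $LdapPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($null, '(objectClass=*)', $scope, [string[]]@('namingContexts'))
    $ncs  = $conn.SendRequest($req).Entries[0].Attributes['namingContexts'].GetValues([string])
    $result.PartitionHosted = [bool]($ncs -contains $PartitionDn)
    $conn.Dispose()

    # 4. LDAPS bind: fails until a server certificate the client trusts is installed for the instance
    try {
        $sid   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $SslPort)
        $sconn = New-Object System.DirectoryServices.Protocols.LdapConnection($sid)
        $sconn.SessionOptions.SecureSocketLayer = $true
        $sconn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $sconn.Bind()
        $result.LdapsUsable = $true
        $sconn.Dispose()
    } catch {
        $result.LdapsUsable = $false
        $result.LdapsError  = $_.Exception.Message
    }
    [pscustomobject]$result
}
Test-AdLdsInstance | Format-List
```

A false LdapsUsable with a certificate error means password operations from the later sections will be refused until a certificate is installed for the instance.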
Extending the AD LDS Schema
AD LDS schemas can be extended independently from AD DS. Use ldifde to import LDIF schema files. Several useful schema extensions ship with AD LDS:
# Import additional schema extensions
# Available LDF files are in %SystemRoot%\ADAM. They use CN=Configuration,DC=X as a placeholder,
# which -c rewrites to this instance's configuration naming context.
# The answer file above already imported these two files; -k lets ldifde continue past
# "object already exists" errors if they are re-applied.
# Import the MS-User.LDF schema to add user classes
ldifde -i -k -f "$env:SystemRoot\ADAM\MS-User.LDF" `
    -s localhost:50000 `
    -j "C:\temp" `
    -c "CN=Configuration,DC=X" "#configurationNamingContext"
# Import InetOrgPerson support
ldifde -i -k -f "$env:SystemRoot\ADAM\MS-InetOrgPerson.LDF" `
    -s localhost:50000 `
    -j "C:\temp" `
    -c "CN=Configuration,DC=X" "#configurationNamingContext"
Creating Objects in AD LDS
Use ldifde or dsadd to create objects in an AD LDS instance, or use the .NET DirectoryServices classes from PowerShell:
# Create a container for application users in AD LDS using LDIFDE
$ldif = @"
dn: CN=AppUsers,CN=AppData,DC=appdir,DC=local
changetype: add
objectClass: container
cn: AppUsers
"@
$ldif | Out-File "C:\temp\create-ou.ldf" -Encoding ASCII
ldifde -i -f "C:\temp\create-ou.ldf" -s localhost:50000
# Create a user in AD LDS using PowerShell .NET (System.DirectoryServices)
# AD LDS refuses password set/change over a non-SSL connection by default, so bind to the SSL port
# with the SecureSocketsLayer flag (a server certificate must already be installed for the instance).
$ldapPath = "LDAP://localhost:50001/CN=AppUsers,CN=AppData,DC=appdir,DC=local"
$authType = [System.DirectoryServices.AuthenticationTypes]'Secure,SecureSocketsLayer'
$container = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $null, $null, $authType)
$newUser = $container.Create("user", "CN=TestAppUser")
# AD LDS users have no sAMAccountName; userPrincipalName is the logon name used for an AD LDS bind
$newUser.Put("userPrincipalName", "testappuser@appdir.local")
$newUser.Put("displayName", "Test Application User")
$newUser.Put("mail", "testappuser@appdir.local")
$newUser.SetInfo()
# Set a password and enable the account (new AD LDS users start disabled)
$newUser.SetPassword("AppUser@Pass2024!")
$newUser.Put("msDS-UserAccountDisabled", $false)
$newUser.SetInfo()
Write-Host "AD LDS user created successfully"
Configuring AD LDS Replication
AD LDS supports multi-instance replication for high availability. Additional instances on other servers form a replica set. Create a replica by adding a server to an existing configuration set:
# Create a replica of an existing AD LDS instance
# Answer file for replica installation. SourceUserName must have administrative rights on the
# source instance; its password goes in SourcePassword (left empty here, fill it in or be prompted).
$replicaAnswer = @"
[ADAMInstall]
InstallType=Replica
InstanceName=AppDirectory
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
SourceServer=APPSERVER01:50000
SourceUserName=CONTOSO\AppDirAdmins
SourcePassword=
ReplicationDataFilesPath=C:\Windows\ADAM\AppDirectory\data
ReplicationLogFilesPath=C:\Windows\ADAM\AppDirectory\logs
"@
$replicaAnswer | Out-File "C:\temp\adlds-replica.txt" -Encoding ASCII
& "$env:SystemRoot\ADAM\adaminstall.exe" /answer:"C:\temp\adlds-replica.txt"
Managing AD LDS Objects with ldifde and .NET DirectoryServices
# Export objects from AD LDS
# -b takes "user domain password" for a simple bind; AppAdmin, AppDir.local and Password are placeholders.
# Putting a real password on the command line leaves it in the shell history; omit -b to bind
# with the current Windows identity instead.
ldifde -f "C:\temp\export-appusers.ldf" `
    -s localhost:50000 `
    -b AppAdmin AppDir.local Password `
    -d "CN=AppUsers,CN=AppData,DC=appdir,DC=local" `
    -r "(objectClass=*)"
# Search AD LDS
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://localhost:50000/CN=AppData,DC=appdir,DC=local"
)
$searcher.Filter = "(objectClass=user)"
$searcher.FindAll() | ForEach-Object {
    Write-Host $_.Properties["cn"][0]
}
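The DirectorySearcher filter above is a plain string, so any value taken from a caller must be escaped before it is spliced in, or the caller can change the query. The following is an added example (not from the original guide) that builds the filter safely, limits what the search returns, and lists the members of the partition's Administrators role for access review; it assumes the instance, port and partition DN used throughout this guide.

```powershell
# Added example, not from the original guide. It hardens the DirectorySearcher pattern above:
# caller-supplied values are RFC 4515-escaped before being spliced into the filter string.
# Assumes the instance, port and partition DN used throughout this guide.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash is escaped first so the escapes added afterwards are not re-escaped
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function New-AdLdsUserFilter {
    param([Parameter(Mandatory)][string]$NameFragment)
    "(&(objectClass=user)(displayName=*$(ConvertTo-LdapFilterValue $NameFragment)*))"
}

function Find-AdLdsUser {
    param(
        [Parameter(Mandatory)][string]$NameFragment,
        [string]$SearchBase = 'LDAP://localhost:50000/CN=AppUsers,CN=AppData,DC=appdir,DC=local'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = New-AdLdsUserFilter $NameFragment
    # Request only the attributes reported, and cap the result set so a broad pattern
    # cannot pull the whole container in one call
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'mail', 'msDS-UserAccountDisabled'))
    $searcher.SizeLimit = 200
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name     = $r.Properties['cn'] | Select-Object -First 1
            Mail     = $r.Properties['mail'] | Select-Object -First 1
            Disabled = [bool]($r.Properties['msDS-UserAccountDisabled'] | Select-Object -First 1)
        }
    }
}

function Get-AdLdsPartitionAdmins {
    # Every AD LDS partition carries a CN=Roles container; members of its Administrators role
    # have full control of the partition, so this list belongs in periodic access reviews.
    param([string]$RolesPath = 'LDAP://localhost:50000/CN=Administrators,CN=Roles,CN=AppData,DC=appdir,DC=local')
    ([ADSI]$RolesPath).member
}

# Constructed input containing filter metacharacters: escaped, it is matched literally instead of
# closing the displayName clause and appending a clause of the caller's choosing.
$probe = 'Test*)(mail=*'
"Escaped filter: $(New-AdLdsUserFilter $probe)"
Find-AdLdsUser -NameFragment 'Test' | Format-Table
Get-AdLdsPartitionAdmins
```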
Backing Up and Restoring AD LDS
# Stop the AD LDS instance before a file-level copy so the database (adamntds.dit) and logs are consistent
Stop-Service ADAM_AppDirectory
# Back up the database files. The copy contains the directory's password hashes, so give the
# backup location the same access controls as the instance's data directory.
Copy-Item "C:\Windows\ADAM\AppDirectory\data\*" `
    "D:\Backups\ADLDS\$(Get-Date -Format 'yyyy-MM-dd')" -Recurse
# Restart the service
Start-Service ADAM_AppDirectory
# Use Windows Server Backup for a VSS-consistent backup while the instance stays online (preferred)
wbadmin start backup -backupTarget:D: -include:C:\Windows\ADAM -quiet
Summary
Active Directory Lightweight Directory Services on Windows Server 2012 R2 provides a flexible, standalone LDAP directory service for application-specific needs. Unlike AD DS, AD LDS can run multiple instances on a single server, does not require domain membership, and maintains schema independence from the production directory. The installation is straightforward via the wizard or an answer file, and objects are managed using standard LDAP tools including ldifde and the .NET DirectoryServices classes. AD LDS replication provides high availability for critical directory-dependent applications. It is the ideal solution for web applications, extranet portals, and any scenario where application directory data should be isolated from the core Active Directory infrastructure.