Active Directory Application Mode: Frequently Asked Questions

General

Q.	What is ADAM?

A.	For organizations that require a flexible directory service for use within applications, Microsoft has developed Active Directory Application Mode (ADAM), a Lightweight Directory Access Protocol (LDAP) directory service. You can run ADAM on servers running Microsoft Windows Server 2003 and also on clients running Microsoft Windows XP Professional. ADAM provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for the Active Directory directory service. ADAM provides much of the same functionality as Active Directory, but it does not require the deployment of domains or domain controllers, and the directory schema for ADAM is completely independent of the enterprise schema you may be using in an Active Directory domain. You can run multiple instances of ADAM concurrently on a single computer, with an independently managed schema for each ADAM instance. For more information about ADAM, please see the Introduction to ADAM.
Q.	How scalable is ADAM?

A.	ADAM is based on the same code as the Active Directory directory service. Therefore, ADAM has scalability characteristics that are comparable to Active Directory, with regard to both the total number of supported objects and the total size of the replication topology and number of sites. ADAM running on Microsoft Windows XP Professional is intended for use as a personal directory data store. If you intend to use ADAM with distributed applications, run it on Microsoft Windows Server 2003 Standard Edition; Windows Server 2003 Enterprise Edition; or Windows Server 2003 Datacenter Edition.
Q.	What applications does ADAM support?

A.	ADAM is designed for use with directory-enabled applications that support Lightweight Directory Access Protocol (LDAP) v2 or LDAP v3. For information about ADAM, Active Directory, and Request for Comments (RFC) compliance, see the Active Directory LDAP Compliance white paper.
Q.	How can I deploy ADAM for high availability?

A.	ADAM supports Network Load Balancing (NLB) when ADAM runs on Windows Server 2003 Standard Edition; Windows Server 2003 Enterprise Edition; or Windows Server 2003 Datacenter Edition. In addition, ADAM supports NLB with LDAP over Secure Sockets Layer (SSL) (LDAPS). ADAM does not currently support server clusters.
Q.	How many objects does ADAM support?

A.	ADAM has been tested with up to 5 million objects. ADAM shares its core code with Active Directory in Windows Server 2003, which has been tested with up to 60 million objects.
Q.	What scenarios is ADAM designed for?

A.	A common scenario is one in which a portal application must store personalization data that is associated with users who are authenticated by Active Directory. Storing this personalization data in Active Directory itself would require schema changes to the user class, which is often expensive or complex to do in a large enterprise network. Instead of modifying the Active Directory schema, the application can use Active Directory for authentication and service publication, while using ADAM to store user personalization data. In effect, ADAM architecturally acts as an application-specific extension to Active Directory. ADAM can also be used for authentication in cases where the enterprise Active Directory does not store the user authentication information. This can be useful in public-facing e-commerce sites. ADAM is also useful for developers who are prototyping an application that will use Active Directory. In this case, the application in development can work against an instance of ADAM without disrupting the enterprise deployment of Active Directory. For more information about the scenarios for which ADAM is designed, including Microsoft Windows NT 4.0 scenarios, see the Introduction to Active Directory Application Mode white paper.
Q. A.

Security

This section contains answers to questions and troubleshooting problems that are related to security for Active Directory Application Mode (ADAM).

How should I set up my antivirus software to work with ADAM?

We recommend that you exclude the following ADAM files from antivirus software scans:

•	Adamntds.dit
•	ADAM .log files
•	Temp.edb
•	Edb.chk

For information about how to exclude these files from scanning, see the product documentation for your antivirus software.

Note: Running antivirus software against these files can cause problems with the Extensible Storage Engine (ESE) that require you to stop and restart the ADAM service.

By default, these files are located in:

\Program Files\Microsoft ADAM\instancename\Data

where instancename is the ADAM instance name that you specify during installation.

Why are some failed bind attempts to ADAM reported as successful?

If the Guest account on a computer on which ADAM is running is enabled, unsuccessful bind attempts to ADAM may be reported as successful, even though the bind attempts actually failed. To prevent these unsuccessful binds from being reported as successful, you can disable the Guest account on computers running ADAM. For information about disabling the Guest account, search for "guest account" in Help and Support Center in Windows Server 2003.

Why can't I bind to ADAM on a computer that is joined to a workgroup?

When the computer running ADAM is joined to a workgroup, you must set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest to 0. (The default is 1.) Otherwise, users connecting to ADAM over the network are forced into a security context of Guest, and binds to ADAM fail.

How do I install certificates for use with ADAM and SSL?

To enable SSL-based encrypted connections to ADAM, you must have a certification authority (CA) in place to issue and manage certificates. You can set up a CA on a computer running Microsoft Windows® 2000 Server or Windows Server 2003. For more information about installing and using a CA, see the Certificate Services topic in the Windows Server 2003 Help.

The general steps for setting up SSL for ADAM are as follows:

•	Install a certificate from a trusted CA onto the computer running ADAM. The certificate must be marked for server authentication. If you want to use the certificate for applications other than ADAM, you must store this certificate in the local computer certificate store. Otherwise, you can store the certificate in the ADAM service store. When you request the certificate, specify the fully qualified domain name (FDQN) of the computer on which ADAM is running as the identifying name for the certificate. Note: If Internet Information Services (IIS) is running on the same computer as ADAM, you can verify that the certificate is properly installed by attempting an SSL connection to IIS first, before attempting an SSL connection to ADAM.
•	Before you attempt to use the certificate with ADAM, you must ensure that the service account under which ADAM is running has Read access to the certificate that you installed. The certificate is located in the following directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys Note: To determine the appropriate certificate on which to set permissions for the ADAM service account, run certutil -store my from a command prompt. The Key Container value that is shown for each certificate matches the file name of the certificate as it appears in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory.
•	To test the certificate with ADAM, run Ldp.exe on the computer running ADAM and connect to the local ADAM instance using SSL. For information about LDP, see the ADAM Administrator's Guide. To open the ADAM Administrator's Guide, click Start, point to Programs, point to ADAM, and then click ADAM Help. Note: When you use LDP to make an SSL connection to ADAM, you must specify the FQDN of the computer running ADAM. FQDNs are required, according to the SSL standard.
•	To connect to ADAM from a client over SSL, the client must trust the certificate on the computer running ADAM. This trust can be achieved by adding a certificate from the CA to the Trusted Root Certification Authorities store on the client.
•	Use LDP from a client to make an SSL connection to the ADAM instance.

Notes:

•	When you use LDP to make an SSL connection to ADAM, you must specify the fully qualified domain name (FQDN) of the computer running ADAM. FQDNs are required, according to the SSL standard.
•	On a standalone ADAM server, add a primary DNS suffix under the computer name properties. This is done to enable SSL, as it requires a FQDN structure to function and this server is not a domain member.
•	On client computers running Windows XP Professional that need to establish SSL connections to an ADAM instance, you must install the hotfix that is described in article 817583, Active Directory Services Does Not Request Secure Authorization Over an SSL Connection, in the Microsoft Knowledge Base.

What authentication mechanisms does ADAM support?

The authentication mechanisms that ADAM supports depend on the type of security principal being authenticated. ADAM supports three types of security principals: local Windows security principals, Active Directory security principals, and ADAM security principals. (In addition, ADAM can be configured to support anonymous binding. For more information, see "How do I enable anonymous binding in ADAM?" later in this article.) The authentication methods that are supported for each of the three types of security principals are as follows:

•	Local Windows. Supports Simple Authentication and Security Layer (SASL) authentication, which is performed by the Local Security Authority (LSA) on the computer running ADAM.
•	Active Directory. Supports SASL authentication, which is performed by LSA on a domain controller.
•	ADAM. Supports simple bind authentication, which is performed by the ADAM instance.

When should I use ADAM bind redirection?

Bind redirection is designed for applications that cannot be rewritten to use Windows security principals. You should only use bind redirection if you cannot use Windows security principals with your application. Using Windows security principals directly from your application takes advantage of the Active Directory infrastructure. Also, when you use bind redirection, you must present Active Directory passwords to ADAM in plain text, which can be encrypted with SSL. By using Windows security principals, you do not need to present Active Directory credentials in plain text to ADAM.

How do I enable anonymous binding in ADAM?

Anonymous binding is not enabled by default in ADAM. (This is also true for Active Directory.) To allow anonymous LDAP binding to an ADAM instance, complete the following procedure.

To allow anonymous LDAP binding to an ADAM instance:

1.	Open ADAM ADSI Edit.
2.	Connect and bind to the configuration directory partition of the ADAM instance on which you want to allow anonymous LDAP binding.
3.	In the console tree, double-click the configuration directory partition (CN=Configuration,CN={GUID}), double-click the services container (CN=Services), double-click the Windows NT container (CN=Windows NT), right-click the directory service container (CN=Directory Service), and then click Properties.
4.	In Attributes, click dsHeuristics, and then click Edit.
5.	In Value, modify the value of the seventh character in the attribute (counting from the left) to 2 (do not change any other values), as follows: 0000002001001.
6.	Click OK twice.

For a workgroup configuration, why can I only administer the ADAM instance that is installed on the local computer?

When ADAM runs in a workgroup environment (rather than in a domain environment), the ADAM administrator account on each of the ADAM instances in a configuration set is only recognized on the local computer, not on the remote ADAM instances. To resolve this issue, add the ADAM administrator account (or group) from each of the ADAM instances to the ADAM Administrators group in each of the other ADAM instances. You can also use one of the Windows built-in accounts or groups (such as BUILTIN\Administrators) as the ADAM administrator account. Such built-in accounts and groups will be recognized on each of the ADAM instances.

How can I enable directory object access auditing in ADAM?

To enable directory object access auditing in ADAM, complete the following tasks:

1.	Enable auditing in Group Policy and apply the Group policy to your ADAM server.

To enable auditing in Group Policy and apply the Group policy to the ADAM server:

NOTE: Complete this procedure on a stand-alone ADAM server.

1.	To open Local Computer Policy, click Start, click Run and type mmc. Under File menu, select Add/Remove Snap-in, select Group Policy Object Editor, click Add, then select Local Computer, and then click Finish. NOTE: If your ADAM server is joined to a domain, you can also enable directory service access auditing by using the default domain group policy object (GPO).
2.	In the console tree, click Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Audit Policy.
3.	In the details pane, right-click "Audit directory service access" and select Properties.
4.	In Audit object access Properties, under "Audit these attempts" select Success or Failure depending on the specifics of your configuration, and then click OK.

NOTE: To apply the new policy, you can either wait for the next GPO refresh interval to complete, or you can open a new command prompt (cmd) and then type gpupdate /force. You can verify in the Event Viewer if the new policy was applied.

Part 2: Enable access auditing for a particular ADAM directory object in ADAM:

To enable access auditing for a particular ADAM directory object:

1.	Click Start, click All Programs, and then click ADAM Tools Command prompt
2.	In ADAM Tools Command prompt, type: Ldp.exe
3.	Connect and bind to your ADAM instance with the account that has the right to modify System Access Control Lists (SACLs) (for example, an administrator account for your ADAM instance).
4.	In the console tree, navigate to the object for which you want to enable access auditing.
5.	Right-click the object, click Advanced, and then click Security Descriptor
6.	In Security Descriptor, select SACL and then click OK.
7.	Under Update, select SACL
8.	Select the desired ACEs from SACL list, and click Add ACE NOTE: If there are no ACEs in the SACL pane, click anywhere within SACL pane and select Add ACE.
9.	Select your desired trustee, ACE type, access mask, ACE flags, object type and inherited object type.
10.	Click OK to add the SACL.
11.	Click Update to update the SACL on the object.

NOTE: Access auditing changes applied to ADAM objects (event ID 566) are logged in the Event Viewer under Windows Logs/Security

How do I enable password changes on an unencrypted connection to ADAM?

As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption, as described in the following procedure.

To disable the requirement for strong encryption in ADAM:

1.	Open an ADAM Tools command prompt.
2.	At the command prompt, type dsmgmt.
3.	At the dsmgmt prompt, type ds behavior.
4.	At the ds behavior prompt, type connections.
5.	At the connections prompt, type connect to server *computername:portnumber, where computername:portnumber* represents the ADAM instance to which you want to connect.
6.	At the connections prompt, type q.
7.	At the ds behavior prompt, type allow passwd op on unsecured connection.
8.	To exit, type q twice.

Q.
A.

Users

This section contains answers to questions and troubleshooting problems that are related to Active Directory Application Mode (ADAM) and Windows users.

Q.	Why can't I log on to ADAM as a user that I just created?

A.	By default, an ADAM instance running on Windows Server 2003 automatically enforces any local or domain password policies that exist. If you create a new ADAM user and assign a password to that user that does not meet the requirements of the password policy that is in effect, the user will be disabled by default. To enable the user, you must assign a password that meets the password policy requirements and then enable the user. For information about enabling an ADAM user, see "To disable or enable an ADAM user" in the ADAM Administrator's Guide. To open the ADAM Administrator's Guide, click Start, point to All Programs, point to ADAM, and then click ADAM Help.
Q.	How do I change a user password in ADAM?

A.	For information about how to change ADAM user passwords, see "To set or modify the password of an ADAM user" in the How To section of the ADAM Administrator's Guide. To open the ADAM Administrator's Guide, click Start, point to All Programs, point to ADAM, and then click ADAM Help. Note: You cannot change the password of an Active Directory security principal through ADAM. You can only change the password of ADAM security principals.
Q.	Why can't I create a proxy object for one of my Active Directory domain accounts?

A.	You cannot create a userproxy object for a domain user in an ADAM directory partition that already contains a foreign principal object (FPO) for that same domain user.
Q. A.

Partitions and Organizational Units

This section contains answers to questions and troubleshooting problems that are related to Active Directory Application Mode (ADAM) partitions and organizational units (OU).

Can ADAM host Active Directory partitions?

No, ADAM cannot host Active Directory partitions. In addition, application directory partitions that are hosted in Active Directory cannot be replicated to ADAM. For information about how to synchronize data between Active Directory and ADAM, see "How do I synchronize data between Active Directory and ADAM?" later in this article.

Why can't I create OUs in ADAM?

By default, you can only create OUs under the following objects:

•	OU (ou=)
•	Country/region (c=)
•	Organization (o=)
•	Domain (dc=)

For example, you can create an OU in an application partition named o=Microsoft,c=US, but you cannot create an OU in an application partition named l=Microsoft,c=US.

Note: You can modify the possiblesuperiors attribute of the OU object class in the schema to modify the types of objects that can contain OUs.

How do I add an application directory partition to ADAM?

You can use dsmgmt to add an application directory partition to an ADAM instance, as described in the following procedure.

To add an ADAM directory partition using dsmgmt:

Open an ADAM tools command prompt.

At the command prompt, type dsmgmt.

At the dsmgmt prompt, type partition management.

At the partition management prompt, type connections.

At the server connections prompt, type connect to server computername:portnumber, where computername:portnumber represents the ADAM instance to which you want to connect.

At the server connections prompt, type quit.

At the partition management prompt, type create nc app_dn objectclass computername:portnumber, where app_dn is the distinguished name of the application directory partition that you want to create, objectclass is the object class (for example, organization or container) that you want to use for the application directory partition, and computername:portnumber represents the ADAM instance on which you want to create the application directory partition.

For example, to create the application directory partition o=Microsoft,c=US, at the partition management prompt type:

create nc o=Microsoft,c=US organization localhost:389

Note: The attribute value assertion (for example, "o=" or "cn=") that you specify at the beginning of the distinguished name for the new application directory partition must match the object class that you specify in objectclass.

The following lists shows the container types and matching object classes that can be used with dsmgmt to create application directory partitions in ADAM:

•	o= Organization
•	cn= Container
•	dc= domainDNS
•	ou= Organizationalunit

Why can't I create any objects in a new ADAM partition?

After you create a partition, you must unbind and rebind to ADAM. When you rebind, you will get the Administrator security IDs (SID) for the partition in your access token, and you will be able to create objects in the partition. ADAM performs token evaluation only on bind.

Q.
A.

Data

This section contains answers to questions and troubleshooting problems that are related to Active Directory Application Mode (ADAM) data.

Q.	When I try to import an .ldf file, why do I receive an error message?

A.	Make sure that you are using the version of Ldifde.exe that is provided with ADAM. The easiest way to ensure that you are using the correct version of Ldifde.exe is to start Ldifde.exe from an ADAM Tools command prompt. To open an ADAM Tools command prompt, click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.
Q.	Do Ldifde.exe and Csvde.exe provide switches for ignoring errors?

A.	In the versions of Ldifde.exe and Csvde.exe that are provided with ADAM, the -z switch forces the command to ignore errors during import. As an alternative, you can use the -k switch, which ignores only Constraint Violation and Object Already Exists errors.
Q.	How do I synchronize data between Active Directory and ADAM?

A.	You can use the Identity Integration Feature Pack for Microsoft Windows Server Active Directory—or a non–Microsoft synchronizing solution—to synchronize data between Active Directory and ADAM. For information about obtaining the Identity Integration Feature Pack for Microsoft Windows Server Active Directory, see the Microsoft Identity Integration Server 2003 Web site.
Q. A.

Top of page