So if you need a snapshot of your AD LDS instance, using IFM is the way to go and provides you with a supported way to back up ( -us/library/cc816727(WS.10).aspx) and restore ( -us/library/cc770886(WS.10).aspx) your AD LDS instances.
Hi, do you mean it failed when you used dsdbutil to back up the AD LDS instance? If there is any misunderstanding, please feel free to let me know. Please change the "Log On" account for the service from "Local System account" to a domain administrator account. Please make sure that your server is fully patched. If you use WSB to back up the AD LDS instance, will it work?
Schedule backups of your AD LDS instance using Dsdbutil [2]
By default, each instance of AD LDS running on an AD LDS server stores its database file, Adamntds.dit, and the associated log files in %program files%\Microsoft ADAM\instance_name\data, where instance_name is the AD LDS instance name. Include these files as part of the regular backup plan of your organization. You back up data for an AD LDS instance by backing up these files.
You cannot use Windows Server Backup to restore an existing AD LDS instance with a backup that was created with the Dsdbutil.exe tool. To restore your existing AD LDS instance with a backup that was created with Dsdbutil.exe, see Appendix B: Restore an AD LDS Instance with a Backup Taken with Dsdbutil.exe.
To restore a retired AD LDS instance (or to move a specific AD LDS instance from one server to another), you must begin the recovery process by creating a new AD LDS instance using the same settings that were specified during the installation of the AD LDS instance that you want to recover or move.
1. Using the Active Directory Lightweight Directory Services Setup Wizard, create an AD LDS instance, specifying the same settings that you used during your original (uninstalled) AD LDS installation. However, do not create an application directory partition during setup. For more information about creating AD LDS instances, see the Step-by-Step Guide for Getting Started with Active Directory Lightweight Directory Services ( =98679).
You cannot use Windows Server Backup to restore a retired AD LDS instance with a backup that was created with Dsdbutil.exe. To restore your existing AD LDS instance with a backup that was created with Dsdbutil.exe, see Appendix B: Restore an AD LDS Instance with a Backup Taken with Dsdbutil.exe.
To authoritatively restore directory data, run the dsdbutil tool after you restore the data but before you restart the AD LDS instance. With dsdbutil, you can mark directory objects for authoritative restore. When an object is marked for authoritative restore, its update sequence number is changed so that the number is higher than any other update sequence number in the configuration set. This ensures that any data you restore is properly replicated throughout the configuration set.
You cannot use Windows Server Backup to restore an AD LDS instance with a backup that was created with Dsdbutil.exe. To restore your existing AD LDS instance with a backup that was created with Dsdbutil.exe, see Appendix B: Restore an AD LDS Instance with a Backup Taken with Dsdbutil.exe.
You create AD LDS instances by using the Active Directory Lightweight Directory Services Setup Wizard. However, you need to prepare several items before you create the instance. Make note of the values you choose as you prepare each item because you will need these values to create and manage the instance. These items include:
If you are creating AD LDS instances within a domain, do not use ports 389 or 636 even if you are not creating the first instance on a domain controller. AD DS uses these ports by default, and, because of this, some consoles, such as those using the Active Directory Schema snap-in, will not bind to local instances because they bind to the AD DS directory by default. As a best practice, always use ports beyond the 50,000 range for your AD LDS instances.
The Active Directory application partition name that you intend to use for the instance. You must use a distinguished name (DN) to create the partition. For example, you could use CN=AppPartition1,DC=Contoso,DC=com. Depending on how you intend to use the instance, you might or might not need the application partition. Application partitions control the replication scope for a directory store. For example, when you integrate DNS data within the directory, AD DS creates an application partition to make DNS data available to appropriate DCs. Application partitions for AD LDS can be created in one of three ways: when you create the instance, when you install the application that will be tied to the instance, or when you create the partition manually through the LDP.exe tool. If your application will not create application partitions automatically, create them with the wizard.
A service account to run the instance. You can use the Network Service account, but if you intend to run multiple instances, it might be best to use named service accounts for each instance. If you choose not to use a managed service account and decide to set up your service accounts manually, remember to follow the service account guidelines and requirements as listed here. Create a domain account if you are in a domain; otherwise, use a local account (for example, in a perimeter network).
Any additional LDIF files you need for the instance. Place these files in the %SystemRoot%\ADAM folder. These files are imported during the creation of the instance. Importing LDIF files extends the schema of the instance you are creating to support additional operations. For example, to synchronize AD DS with AD LDS, you would import the MS-AdamSyncMetadata.ldf file. If your application requires custom schema modifications, create the LDIF file ahead of time and import it as you create the instance. Note that you can always import LDIF files after the instance is created. Default LDIF files are listed in Table 2.
After you have all these items in hand, you are ready to create your instance. Make sure the account you use has local administrative rights. You can create instances in one of two ways. The first is through the Active Directory Lightweight Services Setup Wizard, and the second is through the command line. You use the wizard during the practice in this lesson. Using the command line is explained in the next section.
If you cannot get it to work on your current server using the registry keys, you might want to try the DSInternals New-ADDBRestoreFromMediaScript to which I linked. It automates all steps to restore the database to a new server. Good luck!
For most of the dsdbutil commands, you only need to type the first few characters of the command name instead of the entire command. For example, you can type either of the following commands to activate an AD LDS instance named instance1:
Aids in modifying the time to live (TTL) of dynamic data that is stored in Active Directory Domain Services (AD DS). At the configurable setting: prompt, type any of the parameters listed in the syntax below. Before you can run other configurable settings subcommand parameters, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.
Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections and list the current setting. Before you can run the DS behavior subcommand, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.
Though optional, deploying an ECP extension is a recommended step. If you are using Shibboleth as your STS, make sure to install such an extension in order for single sign-on to work with a smart phone, Microsoft Outlook (without modern authentication) or other clients.
The first step consists of enabling HTTP Basic authentication in the "captive" Tomcat server, using accounts in our LDAP AD LDS instance. Please note that the Shibboleth ECP extension's authentication is currently limited to HTTP Basic authentication.
The next step is to open Windows PowerShell from Windows Azure Active Directory Module for Windows PowerShell and connect Windows PowerShell to the online domain using your Online Administrator credentials.
Beyond the above verification (and additional configuration), and depending on your on-premises environment and the identity directories used, you may test the following sign-in scenarios to ensure that single sign-on (SSO) using the Shibboleth 2 IdP is correctly configured and works as expected.