Configure an ISAM directory partition
By default, Security Verify Access keeps its metadata in a dedicated Active Directory Lightweight Directory Service (AD LDS) directory partition, also known as a naming context or suffix. The default metadata partition is called secAuthority=Default. This topic creates it with ldp.exe, the AD LDS administration tool.
Create the partition after the ISAM schema extensions are added to AD LDS and before the ISAM Policy Server is configured. For information about adding schema extensions, see Configure the ISAM schema.
The ldp.exe tool is installed as part of the AD LDS administration tool set. To use the ldp.exe tool, we must first connect and bind to the AD LDS instance, as described in the following procedure.
Instead of secAuthority=Default, we can choose a non-default Management Domain name and location DN. The Management Domain name must be unique within the LDAP server, and the location DN must already exist. Choose a location DN inside the directory partition that holds the user and group information. This restriction comes from AD LDS: the policy server cannot manage users and groups outside the directory partition in which the policy server itself is defined, so its metadata must live in the same partition as the users and groups it protects.
Steps
- Connect to the AD LDS instance:
- At a command prompt, type ldp and then press ENTER. The ldp window is displayed.
- On the Connection menu, click Connect….
- In the Server field, type the host or DNS name of the system that runs AD LDS. When the AD LDS instance is running locally, we can also type localhost for this field value.
- In the Port field, type the LDAP or SSL port number of the AD LDS instance to which we want to connect, and then click OK. When the instance is on another host, prefer the SSL port so that the bind and the subsequent add are not sent in clear text. The ldp tool connects to the AD LDS instance and displays the attributes it reads from the root DSE in the pane on the right side of the window.
- Bind to the AD LDS instance:
- From the Connection menu, select Bind…
- To bind using the credentials that we are logged on with, click Bind as currently logged on user. The account must be a member of the Administrators role of the AD LDS instance, because creating a naming context requires that role.
- When we are finished specifying bind options, click OK. The ldp tool binds to the AD LDS instance using the method and credentials specified.
- Add the partition entry:
- From the Browse menu, select Add child.
- In the Dn field, type secAuthority=Default as the distinguished name of the new directory partition.
- In the Edit Entry area, enter each of the following attribute and value pairs, clicking Enter after each one so that it is added to the Entry List pane:
- Attribute ObjectClass, value secAuthorityInfo.
- Attribute secAuthority, value Default.
- Attribute version, value 8.0.
- Attribute cn, value secAuthority.
- Attribute instanceType, value 5. This value marks the entry as the writable head of a new naming context, which is what makes AD LDS create a partition rather than an ordinary child object.
The five attribute and value pairs appear in the Entry List pane.
- Ensure that the Synchronous option is selected and click Run. This step adds the ISAM metadata directory partition to the AD LDS instance. To verify that the partition was added, use the AD LDS ADSI Edit tool to connect to and view the partition, or reconnect with ldp and check that secAuthority=Default now appears in the namingContexts attribute of the root DSE.
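The same procedure from a PowerShell prompt, as an added example that is not part of the IBM documentation and not IBM's own tooling. It uses the .NET System.DirectoryServices.Protocols classes to bind as the logged-on user, refuse to run twice, add the partition head with exactly the attributes entered above, and then verify the result by reading namingContexts from the root DSE rather than opening ADSI Edit. The server name, port, and SSL setting at the top are assumptions; replace them with the values of the AD LDS instance.

```powershell
# Added example, not from the IBM documentation. Creates the secAuthority=Default
# partition head and confirms that AD LDS now lists it as a naming context.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'localhost'   # assumption: host running the AD LDS instance
$Port        = 50000         # assumption: the instance's LDAP port (use the SSL port with $UseSsl for remote hosts)
$UseSsl      = $false        # assumption: set to $true when binding to a remote instance over LDAPS
$PartitionDn = 'secAuthority=Default'

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }

# Bind as the currently logged-on user (Negotiate/Kerberos), the equivalent of
# "Bind as currently logged on user" in ldp. No password crosses the wire, but the
# account must hold the Administrators role of the instance to create a naming context.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# The root DSE lists every naming context the instance hosts; read it before and after.
function Get-NamingContexts {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'namingContexts')
    $resp = $Connection.SendRequest($req)
    return @($resp.Entries[0].Attributes['namingContexts'].GetValues([string]))
}

$existing = Get-NamingContexts -Connection $conn
if ($existing -contains $PartitionDn) {
    Write-Host "$PartitionDn already exists; nothing to do."
    $conn.Dispose()
    return
}

# Same attribute set the ldp procedure enters by hand. instanceType 5 marks the object as
# the writable head of a new naming context, which is what turns the entry into a partition.
$add = New-Object System.DirectoryServices.Protocols.AddRequest($PartitionDn, 'secAuthorityInfo')
foreach ($pair in @(@('secAuthority', 'Default'), @('version', '8.0'), @('cn', 'secAuthority'), @('instanceType', '5'))) {
    $attr = New-Object System.DirectoryServices.Protocols.DirectoryAttribute($pair[0], $pair[1])
    $add.Attributes.Add($attr) | Out-Null
}

try {
    $resp = $conn.SendRequest($add)
    if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Add failed: $($resp.ResultCode) $($resp.ErrorMessage)"
    }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Typical causes: the ISAM schema extensions are not loaded yet (secAuthorityInfo is
    # unknown) or the bound account lacks the Administrators role on the instance.
    $r = $_.Exception.Response
    throw "AD LDS rejected the add: $($r.ResultCode) $($r.ErrorMessage)"
}

# Verification from the shell: the new DN must now appear among the root DSE naming contexts.
$after = Get-NamingContexts -Connection $conn
if ($after -contains $PartitionDn) {
    Write-Host "Created naming context $PartitionDn"
} else {
    Write-Warning "$PartitionDn was added but is not listed as a naming context; check instanceType"
}
$conn.Dispose()
```

Run the script from a PowerShell session on a host that has the AD LDS administration tools, after the schema extensions are loaded and before the policy server is configured, exactly as the ldp procedure requires. The pre-check matters because a second add of an existing naming context fails with an entryAlreadyExists result, and the post-check catches the case where the entry was created without instanceType=5 and is therefore an ordinary object rather than a partition.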
Parent topic: Microsoft Active Directory Lightweight Directory Service (AD LDS) installation