How to Migrate an AD LDS Instance

AD LDS stands for “Active Directory Lightweight Directory Services.” If you’re not familiar with this, it’s basically a simple way to provide an authentication system for an application via LDAP, but without all the bells and whistles of a full blown Active Directory configuration.

In the past 6 months, I’ve had to migrate three different AD LDS instances as part of a Windows Server upgrade project I’ve been part of.

Let me tell you — what a pain.

The majority of the internet will tell you, “Just use LDIFDE or CSVDE. Export. Re-import. Piece of cake.”

I wonder if the people who recommend this technique have ever actually attempted to follow their own advice. It is horrific, and never goes as planned. During re-import, you get all sorts of strange weird encoding errors, requiring you to change from UTF-8 to Unicode, then you have to go through your export file and delete weird spaces and random characters, all the while sacrificing your first-born child to the Microsoft gods before your offering will be accepted in the form of a successful import.

And the worst part of all? Password hashes don’t get included in your file export. So any user who could successfully authenticate against the old AD LDS instance will be required to reset their password before they can authenticate to the new instance. If you have a small user base, that’s one thing. But many of the AD LDS instances I’ve been playing with had upwards of 8,000 users.

Requiring 8,000 people to reset passwords is no small task.

After the third migration, I was absolutely fed up. It was a convoluted mess of exporting OU structures first, then exporting just the users, while excluding specific user attributes. I was done.

And then I realized — I’ve been doing it wrong this entire time.

Rather than spending hours doing a dump and re-import, what I should’ve been doing this entire time is setting up an AD LDS replica. Doing this in the first place could have literally saved me hours of time and headache.

And the best part? Doing it in this manner retains password hashes. No user password resets required!

How to Build an AD LDS Replica Server

In order to do this, we actually have very little to do with the old server. On the new server, which will house the AD LDS instance, start by installing the AD LDS role:

Once done, open the “Active Directory Lightweight Directory Services Setup Wizard” from the “Tools” menu of Server Manager.

This is where all the magic happens. Make sure to select “A replica of an existing instance.”

Enter the new instance name. You’re welcome to name it exactly the same as the existing instance if you’d like.

Ports 389 and 636 are the default LDAP ports. If you’re running this AD LDS instance on an existing server already running AD/AD LDS, you’ll want to choose different port numbers, or you’ll run into conflicts.

Select the old server name where the existing AD LDS instance resides, along with the port number. Again, 389 is default. If you’re not sure, stick with this. I had issues simply typing in the server name manually. For some reason, I wasn’t able to proceed unless I hit the “Browse” button and had Windows search for the server name for me. Once it was verified, I could continue.

The user I was logged in with was a Domain Admin, so I’m choosing here to use the currently logged on user. Obviously, tweak this if you need. Domain Admin isn’t required.

If you selected the correct permissions, it’ll show you the distinguished name of the AD LDS instance on the old server. This is a good sign that everything is running correctly. Select the checkbox next to the name, and hit “Next.”

Change file location if you’d like. For me, default was fine.

Verify that everything looks good.

The copy process will start. This was very quick for me. Didn’t take longer than 30 seconds to replicate all the information over to the new instance.

Once done, you can verify that the instance is actually installed by looking at the Programs listing in Control Panel.

Now, at this point, you should be good to go. Try connecting to your newly-migrated instance using ADSI Edit. Once you’ve successfully connected and can verify that everything is where it should be, I’d test that you’re able to successfully authenticate as a user, using a tool such as LDP.exe from a DIFFERENT server. If everything works there, you can turn off your old AD LDS instance, and you can have confidence that everything is migrated.
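The same verification scripted in PowerShell, as an added example that is not part of the original post: it counts the objects in the application partition on both instances over LDAP and then performs a simple bind as an existing user against the new replica, which only succeeds if that user’s password hash came across. Server names, ports, the partition DN and the test account are assumptions; substitute your own.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols
# Assumed values: replace with your own partition DN, servers and ports.
$partitionDn = 'CN=App,DC=example,DC=com'     # application partition of the instance
$oldServer   = 'oldlds.example.com:389'       # old instance on the default LDAP port
$newServer   = 'newlds.example.com:50000'     # new replica on a non-default port

function Get-LdsObjectCount {
    param([string]$Server, [string]$BaseDn)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # binds as the currently logged-on Windows account
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, '(objectClass=*)', 'Subtree', 'distinguishedName')
    # Page the search so an instance with thousands of users is counted in full.
    $page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(1000)
    [void]$req.Controls.Add($page)
    $count = 0
    do {
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        $count += $resp.Entries.Count
        $pageResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $pageResp.Cookie
    } while ($page.Cookie.Length -gt 0)
    $conn.Dispose()
    return $count
}

function Test-LdsUserBind {
    param([string]$Server, [string]$UserDn, [System.Security.SecureString]$Password)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    # If the instance enforces secure simple binds, use the SSL port and set
    # $conn.SessionOptions.SecureSocketLayer = $true before binding.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = [System.Net.NetworkCredential]::new($UserDn, $Password)
    try     { $conn.Bind($cred); return $true }
    catch   { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

$old = Get-LdsObjectCount -Server $oldServer -BaseDn $partitionDn
$new = Get-LdsObjectCount -Server $newServer -BaseDn $partitionDn
"Objects in old instance: $old, new instance: $new, counts match: $($old -eq $new)"
# A simple bind as an existing AD LDS user proves the password hash replicated.
$pw = Read-Host -AsSecureString -Prompt 'Password for the test user'
$ok = Test-LdsUserBind -Server $newServer -UserDn "CN=testuser,CN=Users,$partitionDn" -Password $pw
"Simple bind against the new instance as testuser succeeded: $ok"
```

Run it from a machine other than the new server so the bind also exercises the network path and firewall ports the application will actually use.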

You see, this is much easier than trying to use LDIFDE, CSVDE, or ADMT tools to migrate everything. I was just doing it wrong the entire time.
