Does Active Directory Lightweight Directory Services (AD LDS) support DirSync?

Question

I am writing code to track changes in an AD instance using Active Directory DirSync .

I want to be able to write automated tests for this code. Rather than setting up a full AD instance, with all the accompanying complexity, it seemed like a good idea to me to run my tests against Active Directory Lightweight Directory Services . From that page:

Because AD LDS uses the same programming model and provides virtually the same administration experience as AD DS, it can be a good fit for developers who are staging and testing various Active Directory-integrated applications.

I have run my code against our real AD instance, and it does indeed track changes. However, when I run it against the AD LDS instance I created, the DirSync search always returns 0 results.

What I want to know, but have failed to find out so far from documentation, is whether ADLDS actually supports DirSync. If it does, then it will be worth me investing time to figure out what I am doing wrong. But if it simply doesn't support DirSync that will be a waste of time.

Citing sources for your answer either way would be much appreciated, but at the end of the day I'd rather have an answer with no sources that no answer at all.

Answer 1

ADAM did. I haven't been able to verify if AD LDS does.

If you're doing a lot of work in the System.DirectoryServices space, I recommend The .NET Developer's Guide to Directory Services Programming . It's worth every penny and is even available on Kindle. If you check out pp.172-173 , there are some possible issues, including what client you're using and your access rights, where they note that "By default [..] no ADAM security principal will have the DS-Replication-Get-Changes control access right by default. This will have to be added to a group or user using a tool such as ADAM's version of dsacls.exe. (Note, you should've had the same issue against AD but there you would just have used the UI to grant the access right. Or more likely, your domain admins did it for you?). There is sample code on p.174.

Answer 2

Yes, ADAM should support the DirSync protocol...unless a change was made more recently I am not aware of or my memory is just off (which would be weird but not the first time :)).

What kind of errors are you getting? Have you confirmed you have perms for DirSync? A network sniff might yield more clues...

Answer 3

It doesn't seem to. AD LDS has it's own simple sync tool:

" ADAMSync provides a simple out-of-the-box DirSync solution to copy AD data into LDS. It doesn't handle complex data transformations like ILM/FIM do, nor does it sync schema. "