
Directory Services API Element Differences

When using Directory Services API elements to program for AD LDS, there are several important differences from programming for Active Directory.

The following table lists the differences in the Directory Services programming elements when used with AD LDS.

| Programming element | Difference |
| --- | --- |
| DsBindWithSpnEx | Added the NTDSAPI_BIND_FORCE_KERBEROS flag. |
| DsBindByInstance | New function. |
| ADAM_SCP_SITE_NAME_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for a site name, for example: "site:Default-First-Site-Name". |
| ADAM_SCP_PARTITION_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for a partition distinguished name, for example: "partition:O=FABRIKAM,L=WA,C=US". |
| ADAM_SCP_INSTANCE_NAME_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an instance name, for example: "instance:someinstance". |
| ADAM_SCP_FSMO_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name prefix, for example: "fsmo:naming". |
| ADAM_SCP_FSMO_NAMING_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name suffix, for example: "fsmo:naming". |
| ADAM_SCP_FSMO_SCHEMA_STRING | String constant used by AD LDS for constructing keyword values for SCP publication for an FSMO name suffix, for example: "fsmo:schema". |
| ADAM_REPL_AUTHENTICATION_MODE_NEGOTIATE_PASS_THROUGH | Negotiate with pass-through authentication. All instances must run using service accounts with the same name and password. Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| ADAM_REPL_AUTHENTICATION_MODE_NEGOTIATE | Negotiate authentication. If Kerberos is available, it will be used. Otherwise, authentication will fall back to NTLM unless machine policy forbids this. Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| ADAM_REPL_AUTHENTICATION_MODE_MUTUAL_AUTH_REQUIRED | AD LDS will require Kerberos mutual authentication. Used with the ms-DS-Repl-Authentication-Mode attribute of the configuration partition for an AD LDS instance. |
| NTDSDSA_OPT_DISABLE_SPN_REGISTRATION | New value for nTDSDSA objects. |

AD LDS does not support the userAccountControl attribute. Instead, AD LDS uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute. The following table lists the userAccountControl flags and their corresponding AD LDS attributes. Any userAccountControl flags that are not listed below are not supported by AD LDS.

| AD LDS attribute | userAccountControl flag (defined in iads.h) | Hexadecimal value |
| --- | --- | --- |
| ms-DS-UserAccountAutoLocked | ADS_UF_LOCKOUT | 0x00000010 |
| msDS-UserAccountDisabled | ADS_UF_ACCOUNTDISABLE | 0x00000002 |
| msDS-UserDontExpirePassword | ADS_UF_DONT_EXPIRE_PASSWD | 0x00010000 |
| ms-DS-UserEncryptedTextPasswordAllowed | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | 0x00000080 |
| msDS-UserPasswordExpired | ADS_UF_PASSWORD_EXPIRED | 0x00800000 |
| ms-DS-UserPasswordNotRequired | ADS_UF_PASSWD_NOTREQD | 0x00000020 |
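
The split described above, as an added example (not Microsoft's code): it decodes a userAccountControl value into the AD LDS attributes from the table and returns the bits that have no AD LDS counterpart. The helper names, the choice of password-weakening mask and the sample value are assumptions of this example; the flag values are copied from the table rather than included from iads.h so that it builds on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* One row of the userAccountControl table above (values as listed on this page). */
struct uac_row { uint32_t flag; const char *flag_name; const char *adlds_attr; };

static const struct uac_row UAC_ROWS[] = {
    {0x00000010u, "ADS_UF_LOCKOUT",                         "ms-DS-UserAccountAutoLocked"},
    {0x00000002u, "ADS_UF_ACCOUNTDISABLE",                  "msDS-UserAccountDisabled"},
    {0x00010000u, "ADS_UF_DONT_EXPIRE_PASSWD",              "msDS-UserDontExpirePassword"},
    {0x00000080u, "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", "ms-DS-UserEncryptedTextPasswordAllowed"},
    {0x00800000u, "ADS_UF_PASSWORD_EXPIRED",                "msDS-UserPasswordExpired"},
    {0x00000020u, "ADS_UF_PASSWD_NOTREQD",                  "ms-DS-UserPasswordNotRequired"},
};
#define UAC_ROW_COUNT (sizeof UAC_ROWS / sizeof UAC_ROWS[0])

/* This example's own choice of flags that relax password handling and
 * deserve review before an account is carried over to AD LDS. */
#define UAC_WEAK_PASSWORD_MASK (0x00000080u | 0x00000020u | 0x00010000u)

/* Hypothetical helper: set[i] becomes 1 when row i's flag is present in uac.
 * Returns the bits that map to no AD LDS attribute and would be lost. */
uint32_t uac_split(uint32_t uac, int set[UAC_ROW_COUNT])
{
    uint32_t unsupported = uac;
    for (size_t i = 0; i < UAC_ROW_COUNT; i++) {
        set[i] = (uac & UAC_ROWS[i].flag) != 0;
        unsupported &= ~UAC_ROWS[i].flag;
    }
    return unsupported;
}

/* Hypothetical helper: the subset of uac that relaxes password policy. */
uint32_t uac_weak_password_bits(uint32_t uac) { return uac & UAC_WEAK_PASSWORD_MASK; }

int main(void)
{
    /* Constructed sample: 0x200 (not in the table) | disabled |
     * password never expires | password not required. */
    uint32_t uac = 0x00010222u;
    int set[UAC_ROW_COUNT];
    uint32_t lost = uac_split(uac, set);

    for (size_t i = 0; i < UAC_ROW_COUNT; i++)
        printf("%s: %s\n", UAC_ROWS[i].adlds_attr, set[i] ? "TRUE" : "FALSE");
    printf("bits with no AD LDS attribute: 0x%08X\n", (unsigned)lost);
    printf("password-weakening bits: 0x%08X\n", (unsigned)uac_weak_password_bits(uac));
    return 0;
}
```

A nonzero return from `uac_split` marks state that has no AD LDS attribute to hold it, so it needs an explicit decision during a migration rather than being dropped silently.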

 

 

 

© 2014 Microsoft. All rights reserved.