Active Directory Application Mode

I haven't had much chance to use many of the cool things in Windows 2003 to date, but one of the new things (which incidentally also runs on XP Pro) is a new mode of Active Directory called Application Mode, ADAM for short. I'm finally getting to do some real playing around with it for a large application I've just started working on for a client.

It's basically a standalone Active Directory that is ideal for storing your own users, roles etc. to be used by your application in an Active Directory style - even if your company isn't using Active Directory. If you do go to AD down the road, it's a simple migration for your app. ADAM also acts as an LDAP server, which makes it a bit more open. You can really put whatever you want into ADAM, as its schema is extensible (not unlike Active Directory). The idea, though, is that you can have multiple instances of ADAM installed on your server - each containing data specific to one application - while AD stores the data that is needed globally throughout the enterprise.

Historically it's been pretty typical to store this type of application-specific data in a SQL database. While that's still possible, ADAM - and more specifically the underlying AD engine - is better geared to this type of data. A relational DB remains the ideal choice for transactionally updated data, but ADAM is a great place to store any kind of administrative data that is, for the most part, written once and then read frequently by your application.

I'm going to be playing more with this, and specifically doing some performance testing and seeing what kind of improvements can be made by using it in the middle tier, caching some of the data in a wrapper object that is hosted in COM+ and pooled.

As an aside, I find it kind of strange that Whidbey - and specifically the new built-in ASP.NET membership/roles stuff - doesn't use ADAM, but instead opts for the classic database solution. Fortunately the membership/role model in ASP.NET Whidbey is an extensible provider model, so I may just take a crack at creating my own provider that uses ADAM.
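A sketch of what the user-validation and role-lookup half of such a provider could do against ADAM, written as an added example here rather than code from the post. The host name, SSL port and partition DN are assumptions, and it assumes the ADAM instance accepts LDAP simple binds by userPrincipalName over SSL and lets a user read their own memberOf attribute.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
// Assumed values, not from the post: the ADAM host, its SSL port and its application partition.
public static class AdamAuth
{
    const string Host = "adamhost";
    const int SslPort = 50636;
    const string PartitionDn = "O=MyApp,C=US";
    // RFC 4515 escaping so a crafted user name cannot change the meaning of the search filter.
    public static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
    // Simple bind as the user over SSL (ADAM accepts the userPrincipalName as the bind name),
    // then read the user's own memberOf to turn group CNs into role names. Returns null for
    // an unknown user or a wrong password, without revealing which.
    public static IList<string> Authenticate(string upn, string password)
    {
        string path = "LDAP://" + Host + ":" + SslPort + "/" + PartitionDn;
        using (DirectoryEntry root = new DirectoryEntry(path, upn, password, AuthenticationTypes.SecureSocketsLayer))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(userPrincipalName=" + EscapeFilter(upn) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult hit;
            try { hit = searcher.FindOne(); }            // the bind actually happens here
            catch (DirectoryServicesCOMException) { return null; }
            if (hit == null) return null;
            List<string> roles = new List<string>();
            foreach (string groupDn in hit.Properties["memberOf"])
                roles.Add(groupDn.Split(',')[0].Substring(3)); // "CN=Admins,CN=Roles,..." -> "Admins"
            return roles;
        }
    }
}
```

A provider's ValidateUser would return `Authenticate(user, pwd) != null`, and GetRolesForUser would return the list (cached, since the post expects this data to be read far more often than it changes).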

I should probably Google that now, as someone has probably already been there and done that.

Comments

  • Barry Gervin February 23, 2004 10:16 AM

    Any thoughts on how you'd integrate data between ADAM and a database ? What would replace the infamous CustomerId ?

  • Barry Gervin February 27, 2004 4:39 PM

    I'm not fully sure what you mean? Can you elaborate? I wouldn't store customers in an ADAM - but really just user preferences. So I'm not sure where or why a CustomerId would need to be stored in ADAM.

    But having said that, it's certainly possible to store this kind of data in ADAM and have your own schema for it.

    But let's say that you want to store the last customer a user was working on? I would think it's reasonable to store that in ADAM. Of course you have no RI between ADAM and the DB. But it doesn't really matter. You wouldn't prevent the deletion of a customer simply because somebody had been working on it. Rather you'd write your preference gathering code to handle the case where the last customer you were working on has been deleted... and handle that gracefully.

    If however you wanted to store the account manager of each customer - this might be a little different. Is an account manager always a user? Maybe not. You may want to have some kind of correlating map of employees in an Employee table with userids in an ADAM.

  • Barry Gervin February 28, 2004 9:19 AM

    Why do you see ADAM primarily as a vehicle for preference management ?

    I haven't tried it yet, but I think that using it to store user data could be quite useful in internet scenarios. That way I wouldn't be mucking up my enterprise AD with customer junk. Also, ADAM would sit on the web server, in the DMZ, while my main AD would be behind the corporate intranet.

    I'm itching to try it out, just haven't found the time. There is a way to expand the schema of AD or ADAM to include a customer id to be used in the DB. RI isn't much of a concern, since I'd be doing application managed deletion and updates.

    What do you think ?

  • Barry Gervin March 2, 2004 10:15 AM

    Preference, or user data - both good examples. But I draw the line on data that you need to query relationally or do set-based operations on. An RDB is the way to go for that.

  • Barry Gervin May 7, 2004 4:14 PM

    How does ADAM compare to other LDAP implementations (like netscape)? Any thoughts or experience on this? Of course it has the special API, but other than that...?

  • Barry Gervin May 11, 2004 2:53 PM

    Any suggestions for implementing user roles? Do you prefer any online tutorials on how to communicate with ADAM through an ASP.net page, or on the implementation of user roles?

  • Barry Gervin May 20, 2004 10:19 PM

    Do you know how to invoke a password to a new user? The following is my source code,
    using System.DirectoryServices;
    // entry is the container the new user should be created under
    DirectoryEntry newEntry = entry.Children.Add("cn=" + this.TextBoxNewUser.Text, "user");
    newEntry.Properties["Name"].Value = this.TextBoxNewUser.Text;
    newEntry.Properties["userPrincipalName"].Value = this.TextBoxNewUser.Text;
    newEntry.CommitChanges(); // the user object must exist before a password can be set
    // this invoke is wrong
    newEntry.Invoke("SetPassword", strPsw);

  • Barry Gervin May 25, 2004 9:52 PM

    Hi Henry, I would guess your problem is probably in the way you are binding to the server. Try this article for help:
    http://www.dotnet247.com/247reference/msgs/48/242008.aspx

  • Barry Gervin June 10, 2004 4:46 AM

    Hi there, Can we install ADAM on a cluster server on both nodes? Cluster Server requires a domain and domain login, can ADAM be installed in this scenario?

    Thanks and regards,

    Kiran

  • Barry Gervin June 10, 2004 9:19 AM

    I don't see why you couldn't do this. ADAM can even have multiple instances installed on the same box. It's not very intrusive on the operating system in general.

  • Barry Gervin April 7, 2005 11:00 AM

    System.Web.Security.ActiveDirectoryMembershipProvider

  • Barry Gervin April 27, 2005 2:27 AM

    Hi Henry,
    To invoke SetPassword you need to ensure that ADSI is installed on your Win2X server; it comes with the optional configuration on the Win2X server CD.

    You can try this instead.
    newEntry.Properties["userPassword"].Add("forgot");

    If you need anything more you can mail me at

    shashikumar@arcadix.com

  • Barry Gervin August 31, 2005 8:24 PM

    Hi Henry,

    I am having a problem setting up ssl for use with ADAM. I am running Server 2003 and have tried using certificates from our own CA and also from VeriSign. The Microsoft FAQ for ADAM is not very helpful. Do you have any suggestions or know of any resources I can use?

  • Barry Gervin October 12, 2005 12:01 AM

    I'm trying to replicate an instance over the network, but I failed to do so. And it said "Active Directory cannot connect to port xxx on xxx(server name). Verify that the server name and port are correct, and try again". Anyone there can help me? I have used the IP and the PC name, both also failed.

  • Barry Gervin November 16, 2005 6:28 PM

    I am trying to have an app in VB/ASP pass an AD user name and password to the AD, and AD would then authenticate the user; if the user is authenticated then the page is displayed, or the user is allowed to enter the form and submit. If you are aware of such resources that will be of help.

  • Barry Gervin November 18, 2005 6:41 PM

    Hi Eric,

    In order to enable SSL-based encrypted connections to ADAM, you need to specify a fully qualified domain name (FQDN) for your 2003 server. Microsoft's documents forgot one important step, which is that you must give your server the FQDN before you install your Certificate Services. I had the exact same issue as yours before. Hope this will help.

  • Barry Gervin June 12, 2006 1:51 PM

    I also am having problems getting SSL to work with ADAM. I am running ADAM on a 2003 standalone server. The server is my CA server and is running IIS. I created a cert for IIS and I can get HTTPS working in IIS. But SSL won't work for ADAM? I keep getting end point connection failure messages when I try to test with dsdiag? I am not running DNS on my network. I have given the network service user full control permissions to the security directory in the All Users folder as the ADAM documents suggest. Help?

  • Barry Gervin November 27, 2006 10:22 AM

    Being new to AD and ADAM, my question may seem stupid. What I would like to do is use ADAM as our authentication server for our web servers in the DMZ, instead of the DC server. Is this possible, and if so how would ADAM talk to the DC and the web servers?