HOWTO: Create an LDAP Connector account in AD LDS for Azure AD Connect

Recently, I showed you how to synchronize an Active Directory Lightweight Directory Services (AD LDS) or an LDAP v3-compatible directory to Azure AD using Azure AD Connect.

In that blogpost, I listed as one of the requirements that you need a service account that is part of the LDAP tree and has sufficient permissions to enumerate the attributes for the objects in scope.

In this blogpost, I’ll show you how to create this account in an existing Active Directory Lightweight Directory Services (AD LDS) implementation.

Creating the Azure AD Connect service account

Creating the Azure AD Connect service account consists of five steps:

  1. Creating the account
  2. Provisioning a password
  3. Enabling the account
  4. Setting the userPrincipalName
  5. Adding the account to the Administrators role

Note:
If the Active Directory Module for Windows PowerShell is not installed on the Windows installation, install the Remote Server Administration Tools (RSAT) for the Windows version. On Windows Server, install it with the following line of Windows PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

Creating the account

First, we need to create the LDAP Connector account in Active Directory Lightweight Directory Services (AD LDS). To this purpose we use the following line of Windows PowerShell on a Windows (Server) installation with the Active Directory module installed. The -Server parameter is what points the cmdlet at the AD LDS instance (host name and LDAP port) instead of at a domain controller:

New-ADUser -Name SA_AADC -Path 'CN=users,dc=domain,dc=tld' -GivenName Service -Surname Account -SamAccountName SA_AADC -Server 'server:389'

Provisioning a password

Next, we’ll provision a password for the service account with the following line of Windows PowerShell. The password below is only a placeholder: a password literal typed on the command line ends up in the PowerShell history and in any transcript, so for a real deployment use a long, generated password and supply it with Read-Host -AsSecureString instead. Also keep in mind that AD LDS by default enforces the password policy of the host computer (or of its domain, when the host is domain-joined), so a password that does not meet that policy is rejected:

Set-ADAccountPassword -Identity 'cn=SA_AADC,CN=users,dc=domain,dc=tld' -NewPassword (ConvertTo-SecureString -AsPlainText 'P@ssw0rd' -Force) -Server 'server:389'

Enabling the account

Now that the account has a password, we can enable it with the following line of Windows PowerShell:

Enable-ADAccount -Identity 'cn=SA_AADC,CN=users,dc=domain,dc=tld' -Server 'server:389'

Setting the userPrincipalName

Let’s set the userPrincipalName attribute for the service account. This is the name the LDAP Connector will bind with. To this purpose, we’ll use ADSI Edit (adsiedit.msc). Follow these steps:

  • Press Start and start typing adsiedit.msc.
  • In the search results, click on ADSI Edit to start it.
    The ADSI Edit window appears.
  • From the Action menu, choose the Connect to… option.
    The Connection Settings pop-up window appears.
  • In the Connection Point area, select the Select or type a Distinguished Name or Naming Context: option. Type the distinguished name, like CN=users,DC=domain,DC=tld.
  • In the Computer area, select the Select or type a domain or server: (Server | Domain [:port]) option. In the field below, type the host name and port of the Active Directory Lightweight Directory Services (AD LDS) instance, such as server:389 (the same value used for -Server in the PowerShell lines above).
  • Click OK.
  • The structure of the AD LDS implementation is now available in the left navigation window of the ADSI Edit window. Dig down until you get to the service account you created earlier.
  • Right-click the service account and select Properties from the context menu.
    The Properties window opens.
  • In the list with Attributes: scroll down to the userPrincipalName attribute.
  • Select the attribute and click the Edit button.
    The String Attribute Editor pop-up opens.
  • In the Value: field, type a userPrincipalName, like sa_aadc@dirteam.com.
  • Click OK to save the userPrincipalName value and close the pop-up window.
  • Click OK in the Properties window to close it.

Adding the account to the Administrators role

We’re almost done. All that is left is to configure the service account as a member of the Administrators role in Active Directory Lightweight Directory Services (AD LDS). Note that the Administrators role grants full control over the partition; when the LDAP Connector only reads from the directory (no writeback), membership of the Readers role of the same partition is enough and is the least-privilege choice. Perform these steps, while still connected in ADSI Edit:

  • In the left navigation pane of the ADSI Edit window, navigate to the CN=Roles container.
  • In the main pane, select the CN=Administrators role and right-click it.
  • Select Properties from the context menu.
    The Properties window appears.
  • In the list with Attributes: scroll down to the member attribute.
  • Select the attribute and click the Edit button.
    The Multi-valued Distinguished Name With Security Principal Editor window appears.
  • In the Multi-valued Distinguished Name With Security Principal Editor window, click the Add DN… button.
    The Add Distinguished Name (DN) pop-up window appears.
  • In the field enter the distinguished name (DN) for the service account, like CN=SA_AADC,CN=users,DC=domain,DC=tld.
  • Click OK.
  • Click OK in the Multi-valued Distinguished Name With Security Principal Editor window to add the service account to the Administrators role and close the window.
  • Click OK to save the changes and close the Properties window.
  • Close ADSI Edit.
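The five steps above, collapsed into one Windows PowerShell script, followed by a check that binds to AD LDS as the new account and enumerates the partition the way the LDAP Connector will. This is an added example, not code from the original post: the server name, the partition DN, the container and the UPN suffix are placeholders taken from the examples above, and the role membership and the bind check are done with the Active Directory module and System.DirectoryServices.Protocols rather than with ADSI Edit.

```powershell
# Added example (not from the original post). Assumed values: the AD LDS
# instance is reachable as server:389, the application partition is
# DC=domain,DC=tld and it contains a CN=users container and the CN=Roles container.
$Server    = 'server:389'                      # AD LDS instance as host:port
$Partition = 'DC=domain,DC=tld'                # application partition
$AccountDn = "CN=SA_AADC,CN=users,$Partition"
$Upn       = 'sa_aadc@dirteam.com'

# Role the connector account will be a member of. Administrators has full control
# over the partition; for a read-only sync CN=Readers is sufficient (least privilege).
$RoleDn    = "CN=Administrators,CN=Roles,$Partition"

# Prompt for the password instead of hard-coding it: a literal in the script ends
# up in the PowerShell history, in transcripts and in source control.
$Password  = Read-Host -Prompt 'Password for SA_AADC' -AsSecureString

# 1. Create the account. Only -Server distinguishes this from an AD DS call.
New-ADUser -Name 'SA_AADC' -Path "CN=users,$Partition" `
    -GivenName 'Service' -Surname 'Account' -Server $Server

# 2. Provision the password. -Reset sets it without an old password.
#    AD LDS enforces the host's (or domain's) password policy by default.
Set-ADAccountPassword -Identity $AccountDn -NewPassword $Password -Reset -Server $Server

# 3. Enable the account (fails until a password is set).
Enable-ADAccount -Identity $AccountDn -Server $Server

# 4. Set userPrincipalName; this is the name the LDAP Connector binds with.
Set-ADUser -Identity $AccountDn -UserPrincipalName $Upn -Server $Server

# 5. Add the account to the role. AD LDS roles are group objects under CN=Roles,
#    so this is a plain attribute edit on the role's member attribute.
Set-ADObject -Identity $RoleDn -Add @{ member = $AccountDn } -Server $Server

# Check: LDAP simple bind as the new account and a paged subtree search,
# which is what the LDAP Connector does. A simple bind on port 389 sends the
# password in clear; in production bind over LDAPS (636) instead.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$hostName, $port = $Server -split ':'
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($hostName, [int]$port)
$credential = New-Object System.Net.NetworkCredential($Upn, $Password)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection(
    $identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.Bind()   # throws LdapException (invalid credentials) if steps 1-4 went wrong

$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $Partition, '(objectClass=user)',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('userPrincipalName'))
$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$request.Controls.Add($pageControl)

# Page through the results so a large directory does not hit the server size limit.
$count = 0
do {
    $response = $ldap.SendRequest($request)
    $count += $response.Entries.Count
    $pageResponse = $response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $pageControl.Cookie = $pageResponse.Cookie
} while ($pageControl.Cookie.Length -gt 0)

"Bind OK as $Upn; $count user object(s) readable in $Partition"
$ldap.Dispose()
```

If the bind succeeds but the search returns far fewer objects than expected, the account is missing read permission on part of the tree (for example an organizational unit with its own ACL), which is exactly the failure the Azure AD Connect wizard reports as an empty or partial object list later on.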

Concluding

Creating a service account in Active Directory Lightweight Directory Services (AD LDS) differs only slightly from creating one in Active Directory Domain Services (AD DS): the steps and the tools are the same, you just point them at the AD LDS instance with its host name and port, and role membership is managed in the CN=Roles container instead of through AD DS groups.

Now, you can specify the distinguished name of the service account in Azure AD Connect.