Make User objects work like userProxy objects

If, for some reason, your application can only look up objects whose objectClass is “user”, you can change the user class so that it behaves more like the userProxy class.

First install AD LDS on the machine that will host the instance:

Install-WindowsFeature -Name ADLDS, RSAT-AD-Tools, RSAT-ADLDS

Now you can create a modified version of the MS-User.LDF that is included with AD-LDS:

$SamAccountNameAttribute = @"
dn: cn=SAM-Account-Name,cn=Schema,cn=Configuration,dc=X
changetype: add
objectClass: attributeSchema
attributeId: 1.2.840.113556.1.4.221
ldapDisplayName: sAMAccountName
attributeSyntax: 2.5.5.12
adminDescription: SAM-Account-Name
adminDisplayName: SAM-Account-Name
# schemaIDGUID: 7b5c0dee-43f3-45fe-a746-80a0a0d66409
schemaIDGUID:: 7g1ce/ND/kWnRoCgoNZkCQ==
oMSyntax: 64
searchFlags: 5
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
systemOnly: FALSE
rangeLower: 0
rangeUpper: 256
"@

# Rewrite MS-User.LDF line by line; each branch matches one exact line of the
# original file and emits it together with the addition or replacement for it.
Get-Content $env:windir\ADAM\MS-User.LDF | ForEach-Object {
    if ( $_ -eq '# Attributes' ) {
        # Keep the section header, then define the sAMAccountName attribute
        $_
        ""
        $SamAccountNameAttribute
    }
    elseif ( $_ -eq 'mayContain: audio' ) {
        # Allow sAMAccountName on the user class
        $_
        "mayContain: sAMAccountName"
    }
    elseif ( $_ -eq 'systemAuxiliaryClass: securityPrincipal' ) {
        # Drop the securityPrincipal auxiliary class
        "#$_"
    }
    elseif ( $_ -eq 'systemAuxiliaryClass: msDS-BindableObject' ) {
        # Swap the bindable-object auxiliary class for the bind-proxy one
        "#$_"
        "systemAuxiliaryClass: msDS-BindProxy"
    }
    else {
        $_
    }
} | Set-Content $env:windir\ADAM\MS-User-BindProxy.LDF

When you run the AD-LDS installer choose the new MS-User-BindProxy.LDF instead of the MS-User.LDF:

AD-LDS Install Screen
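Two checks, added here and not part of the original page, that are worth running around the steps above: the first confirms the generated LDF really carries all four edits (the pipeline compares whole lines with -eq, so a source line that differs even by a trailing space is passed through unchanged and the installer would quietly import an ordinary user class), the second reads the User class back from the running instance over ADSI. The file path and the instance address localhost:389 are assumptions.

```powershell
# Added example: verify the LDF edits before install and the live schema after.
# Assumes the path used above and an instance listening on localhost:389.

function Test-BindProxyLdf {
    param([string]$Path = "$env:windir\ADAM\MS-User-BindProxy.LDF")
    $lines = Get-Content -Path $Path
    # -contains is a whole-line, case-insensitive match, mirroring the -eq
    # comparisons that produced the file.
    [pscustomobject]@{
        SamAccountNameDefined    = ($lines -contains 'ldapDisplayName: sAMAccountName')
        SamAccountNameMayContain = ($lines -contains 'mayContain: sAMAccountName')
        SecurityPrincipalDropped = (($lines -contains '#systemAuxiliaryClass: securityPrincipal') -and
                                    -not ($lines -contains 'systemAuxiliaryClass: securityPrincipal'))
        BindProxySwappedIn       = (($lines -contains 'systemAuxiliaryClass: msDS-BindProxy') -and
                                    -not ($lines -contains 'systemAuxiliaryClass: msDS-BindableObject'))
    }
}

function Test-BindProxySchema {
    param([string]$Server = 'localhost:389')
    # RootDSE tells us where this instance keeps its schema partition.
    $rootDse  = [adsi]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.Properties['schemaNamingContext'][0]
    $userCls  = [adsi]"LDAP://$Server/CN=User,$schemaNc"
    # Enumerate the multi-valued attributes into plain string arrays.
    $aux = $userCls.Properties['systemAuxiliaryClass'] | ForEach-Object { "$_" }
    $may = $userCls.Properties['mayContain']           | ForEach-Object { "$_" }
    [pscustomobject]@{
        BindProxyAux      = ($aux -contains 'msDS-BindProxy')        # expected True
        BindableObjectAux = ($aux -contains 'msDS-BindableObject')   # expected False
        SecurityPrincipal = ($aux -contains 'securityPrincipal')     # expected False
        SamAccountNameMay = ($may -contains 'sAMAccountName')        # expected True
    }
}

# Run the first check before starting the installer; any False below means the
# matching line in MS-User.LDF was not found and the edit was skipped.
$ldf = Test-BindProxyLdf
foreach ($p in $ldf.PSObject.Properties) {
    if (-not $p.Value) { Write-Warning "MS-User-BindProxy.LDF is missing edit: $($p.Name)" }
}
$ldf
```

Run Test-BindProxySchema once the instance is up to confirm the imported User class matches the LDF.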

Move AD-LDS FSMO Roles

Source Article

First validate that replication is healthy on the AD-LDS server:

repadmin /showreps servername:port

Find the FSMO role holder using dsmgmt:

PS C:\> dsmgmt
dsmgmt: roles
fsmo maintenance: connections
server connections: connect to server localhost:389
Binding to localhost:389 ...
Connected to localhost:389 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: select operation target
select operation target: list roles for connected server
Server "localhost:389" knows about 2 roles
Schema - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
Naming Master - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
select operation target: quit
fsmo maintenance: quit
dsmgmt: quit

Change the FSMO role holder (the operator's input is the text following each `dsmgmt:`, `fsmo maintenance:` and `server connections:` prompt):

PS C:\> dsmgmt
dsmgmt: roles
fsmo maintenance: connections
server connections: connect to server targetserver:389
Binding to targetserver:389 ...
Connected to targetserver:389 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: transfer naming master
Server "targetserver:389" knows about 2 roles
Schema - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
Naming Master - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
fsmo maintenance: transfer schema master
Server "targetserver:389" knows about 2 roles
Schema - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
Naming Master - CN=NTDS Settings,CN=SERVERNAME$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}
fsmo maintenance: quit
dsmgmt: quit