[ActiveDir] LDAP Server Request

[Edwin]

My job is requesting that a LDAP server be built that would be able to communicate with the existing corporate Active Directory environment.  I do not have much experience with LDAP so this will be a learning adventure for me.   The reason for the LDAP Server is because of a massive project the company is working on.  The project will be the backbone of the company and will require username and password authentication.   The goal of the project is to have one centralized management solution for all different area needs instead of the disparate solutions that we have today.  One immediate concern that I had with the project and the use of the corporate DC’s was for any potential reports that are generated.  I believe that if you are no longer with the company, then there is not need to keep your credentials or personal data on the network.  Therefore, I delete this information.  By deleting the users, these reports may become corrupt.   This of course is a problem for management.  Deleting the users is not a problem but any errors in reporting information is.  Has anyone come across this problem before?  Does this make sense?   Another concern of mine was performance.  The project design calls for a number of servers, each of them having their specific goals.  It is very possible that any one server can hit the DC’s for their information at any given time.  My concern is that while this is happening an uncontrolled amount of times at any given time of day may cause the domain environment to suffer.   Security is also a concern.  The machines built as part of the project will be in a secure well protected environment.  But things do happen unfortunately.  I would rather see that the machines built as part of the project call one server that has access to the domain to query the information that it needs.  That machine will be a read-only client of the AD environment.   My initial thought is to investigate Microsoft ADAM.  If ADAM can query the domain only checking for new entries while ignoring those that are deleted, I think that I can accomplish the task of addressing all of the concerns outlined above.   What do you think?  Is this solution possible?  Is there an easier solution?  One that is preferable to this?   Thank you in advance for your responses, Edwin