Event ID 2537 — SCP Creation
Applies To: Windows Server 2008
When Active Directory Lightweight Directory Services (AD LDS) is running on a computer that is joined to a domain, the AD LDS instance attempts to create a serviceConnectionPoint (SCP) object in the domain so that other computers in the domain can locate the AD LDS instance. As an option, an administrator can specify the container in which to create this object. The container must exist in the domain before it can be used as an SCP.
Event Details
Product: Windows Operating System
ID: 2537
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ADAM_SCP_CREATE_FAILURE
Message:
The directory server has failed to create the AD_TERM_ABBR serviceConnectionPoint object in AD_TERM. This operation will be retried.
Additional Data
SCP object DN: %1
Error value: %2 %3
Server error: %4
Internal ID: %5
AD_TERM_ABBR service account: %6
User Action
If AD_TERM_ABBR is running under a local service account, it will be unable to update the data in AD_TERM. Consider changing the AD_TERM_ABBR service account to either NetworkService or a domain account. If AD_TERM_ABBR is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object. ServiceConnectionPoint object publication can be disabled for this instance by setting the msDS-DisableForInstances attribute on the SCP publication configuration object.
Resolve
Configure access or disable SCP creation
You have two options:
- If you do not want other computers in the domain to be able to locate the Active Directory Lightweight Directory Services (AD LDS) instances, you can disable the creation of the serviceConnectionPoint (SCP) objects in the domain.
- If you want other computers to be able to locate the AD LDS instance, ensure that the service account type is correct and that it has the appropriate permissions to create the SCP.
Perform the following procedures using a domain member computer that has domain administrative tools installed.
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Disabling SCP Creation
To disable the creation of SCP for all AD LDS instances in a configuration set:
- Open ADSI Edit. To open ADSI Edit, click Start, in Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click the ADSI Edit object, and then click Connect to.
- Ensure that Select a well known Naming Context is selected and that the option is set to Configuration.
- Ensure that Select or type a domain or server is selected, and then type the name of the server followed by a colon and the network port on which the AD LDS service is available, for example, server1:389. If you are working locally on the server that hosts the AD LDS instance, you can type localhost:389, assuming that the AD LDS instance is offered over port 389.
- Navigate to the following location under the Configuration container: CN=Configuration,CN=GUID\CN=Services\CN=Windows NT\CN=Directory Service\CN=SCP Publication Service, where GUID is the globally unique identifier (GUID) for the AD LDS instance.
  Note: Objects in ADSI Edit are opened in the reverse order in which they are written in Lightweight Directory Access Protocol (LDAP) format. For example, given the path CN=Server1,CN=Computers,DC=contoso,DC=com in the event text, expand the DC=contoso,DC=com object first, next expand CN=Computers, and then select CN=Server1.
- Right-click the CN=SCP Publication Service entry, and then locate the attribute Enabled.
- Double-click the Enabled value, select False, and then click OK twice.
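The same change made from PowerShell, as an added example that is not part of the original page. It uses the ADSI type accelerator against the instance's configuration partition, which is the object the ADSI Edit steps above modify. The server name and port (server1:389) are assumptions; the instance GUID is read from RootDSE instead of being typed in.

```powershell
# Added example: disable serviceConnectionPoint publication for every AD LDS
# instance in the configuration set by setting Enabled=False on the
# CN=SCP Publication Service object (the object the ADSI Edit steps modify).
# Assumptions (placeholders): the instance listens on server1:389 and the caller
# has write access to the configuration partition.
$server = 'server1:389'

# RootDSE exposes configurationNamingContext, i.e. CN=Configuration,CN={GUID},
# so the instance GUID does not have to be looked up by hand.
$rootDse  = [ADSI]"LDAP://$server/RootDSE"
$configNc = $rootDse.configurationNamingContext.Value

$scpDn = "CN=SCP Publication Service,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$scp   = [ADSI]"LDAP://$server/$scpDn"

# Record the current state before changing it, so the change is auditable.
$before = [bool]$scp.Enabled.Value
Write-Host "SCP publication currently enabled: $before"

if ($before) {
    $scp.Put('Enabled', $false)
    $scp.SetInfo()
    Write-Host "SCP publication disabled on $scpDn"
}

# Re-read from the server to confirm the write took effect.
$scp.RefreshCache()
Write-Host "SCP publication now enabled: $([bool]$scp.Enabled.Value)"
```

This turns publication off for the whole configuration set, which is what the procedure above does. The event message text also names a narrower switch on the same object, the msDS-DisableForInstances attribute, for disabling publication for a single instance.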
Configuring permissions to allow SCP creation
To ensure that the service account type is correct:
- Open Services. To open Services, click Start, in Start Search, type services.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Locate the AD LDS instance name in the list of services, right-click it, and then click Properties.
- Select Log On, and ensure that Local System account is not selected. If it is selected, click This account, and then enter Network Service or the name of a domain user account that you want the AD LDS instance to use:
  - If you are using Network Service, clear the Password and Confirm password boxes.
  - If you are using a domain user account, enter and then confirm the password for that account.
- Click OK to confirm the changes to the service account.
- Click OK if you are prompted to confirm that the account should be given the right to log on as a service and that a restart of the service is required.
- Do not close the Services snap-in because you will use it to restart the AD LDS instance at the end of these procedures.
To confirm that the service account has the appropriate permissions:
- Open ADSI Edit. To open ADSI Edit, click Start, in Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click the ADSI Edit object, and then click Connect to.
- Ensure that Select a well known Naming Context is selected and that the option is set to Default naming context.
- Ensure that Select or type a domain or server is selected, and then type the name of a domain controller followed by the port number on which Active Directory Domain Services (AD DS) is hosted (by default, 389). For example, to connect to a domain controller named ContosoDC1 on port 389, type ContosoDC1:389. The distinguished name of the SCP is identified in the Event Viewer event text.
- Locate the parent object of the identified SCP (the SCP parent object):
  - By default, the parent object is the computer account of the computer that hosts the AD LDS instance.
  - To determine the name of the parent object, use the path from the event text, without the CN={GUID} portion (which is the name of the SCP that was to be created).
  - You must also expand objects in ADSI Edit in the reverse order in which they appear in the event text. For example, given the path CN={GUID},CN=Server1,CN=Computers,DC=Contoso,DC=com in the event text, expand the object DC=Contoso,DC=com first, expand CN=Computers, and then select the Server1 object, because it is the parent location of the SCP.
- Right-click the SCP parent object, and then click Properties.
- Click Security.
- Click Add to add a domain user or group account. Ensure that the account that you designate as the service account has the Create All Child Objects and Delete All Child Objects permissions set to Allow.
- To confirm these changes, click OK.
- Return to the Services snap-in, and then restart the AD LDS instance. To restart the AD LDS instance, right-click the instance name, and then click Restart.
Verify
When an Active Directory Lightweight Directory Services (AD LDS) instance successfully creates a serviceConnectionPoint (SCP), Event ID 2535 is logged in Event Viewer. Check for the existence of this event in the ADAM_instanceName log of Event Viewer, where instanceName is the name of the AD LDS instance.
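A scripted check covering both the permissions procedure above and this Verify step, as an added example that is not part of the original page. It reads the service account, inspects the ACL on the SCP parent for the rights the procedure asks for, and after the instance restart looks for Event ID 2535 or 2537. The instance name (instance1), domain controller (ContosoDC1), parent DN and Event Viewer log name are placeholder assumptions; the script is assumed to run on the computer that hosts the AD LDS instance.

```powershell
# Added example: audit the two preconditions the page's procedure fixes
# (service account type, permissions on the SCP parent) and then confirm the
# result in the event log once the instance has been restarted.
# Assumptions (placeholders, not from the page): instance 'instance1',
# domain controller 'ContosoDC1', the SCP parent DN below, and that this runs
# on the AD LDS host. Adjust the log name to what Event Viewer shows.
$instanceName = 'instance1'
$serviceName  = "ADAM_$instanceName"                         # AD LDS services are named ADAM_<instanceName>
$dc           = 'ContosoDC1:389'
$parentDn     = 'CN=Server1,CN=Computers,DC=contoso,DC=com'  # event text path without the leading CN={GUID}
$logName      = "ADAM ($instanceName)"                       # the per-instance log the page calls ADAM_instanceName

# 1. Service account: a local account has no identity in AD DS and cannot create the SCP.
$svc     = Get-CimInstance Win32_Service -Filter "Name = '$serviceName'"
$account = $svc.StartName
Write-Host "$serviceName runs as: $account"
if ($account -eq 'LocalSystem' -or $account -like '*LocalService') {
    Write-Warning 'Local account: switch the instance to NetworkService or a domain account.'
}

# NetworkService authenticates to the domain as the computer account (DOMAIN\HOST$),
# so that is the principal whose ACE on the SCP parent matters. A domain account is
# assumed to be in DOMAIN\user form, matching how ACEs are displayed.
$principal = if ($account -like '*NetworkService') {
    "$env:USERDOMAIN\$env:COMPUTERNAME`$"
} else {
    $account
}

# 2. Permissions: CreateChild and DeleteChild on the parent (shown in ADSI Edit as
#    'Create All Child Objects' / 'Delete All Child Objects'). Inherited ACEs count;
#    ACEs limited to a specific object class are counted without checking the class.
$parent  = [ADSI]"LDAP://$dc/$parentDn"
$rules   = $parent.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$allowed = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $principal
}
$needed  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$granted = [System.DirectoryServices.ActiveDirectoryRights]0
foreach ($r in $allowed) { $granted = $granted -bor $r.ActiveDirectoryRights }
if (($granted -band $needed) -eq $needed) {
    Write-Host "$principal has CreateChild and DeleteChild on $parentDn"
} else {
    Write-Warning "$principal is missing rights on ${parentDn}: has '$granted', needs '$needed'"
}

# 3. After the restart (Restart-Service $serviceName), 2535 means the SCP was
#    created; a newer 2537 means the failure persists. -MaxEvents 1 yields the newest.
$latest = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2535, 2537 } -MaxEvents 1 -ErrorAction SilentlyContinue
switch ($latest.Id) {
    2535    { Write-Host "Latest SCP event: 2535, SCP created at $($latest.TimeCreated)" }
    2537    { Write-Warning "Latest SCP event: 2537, SCP creation still failing at $($latest.TimeCreated)" }
    default { Write-Host "No 2535/2537 events found in '$logName'" }
}
```

The ACL check deliberately resolves NetworkService to the computer account: the account you add on the Security tab must be that computer object (or a group containing it), not the local NETWORK SERVICE identity, for the permission to take effect in the domain.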
To learn more about AD LDS, formerly known as Active Directory Application Mode (ADAM), see Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkID=92820).