Event ID 132 — Active Directory Domain Services Availability
Applies To: Windows Server 2008
Active Directory Rights Management Services (AD RMS) uses Active Directory Domain Services (AD DS) to regulate access to rights-protected content for all AD RMS users in the AD DS forest. If AD DS is not available, AD RMS cannot grant licenses to publish and consume rights-protected content.
Event Details
Product: | Windows Operating System |
ID: | 132 |
Source: | Active Directory Rights Management Services |
Version: | 6.0 |
Symbolic Name: | LightweightDirectoryAccessProtocolUnableToConnectEvent |
Message: | The Active Directory Rights Management Services (AD RMS) service account could not establish a Lightweight Directory Address Protocol (LDAP) connection with Active Directory Domain Services (AD DS). Verify that this computer and the AD RMS service account have access to AD DS, that AD DS global catalog servers are available, and that this computer can communicate with AD DS by using LDAP. Parameter Reference Context: %1 RequestId: %2 %3 %4 |
Resolve
Fix Active Directory Domain Services issues
AD RMS uses Active Directory Domain Services (AD DS) to look up users that are publishing and consuming rights-protected content. If AD DS is not available, users will not be able to use AD RMS.
Use the following to fix Active Directory Domain Services issues:
- Ensure that the AD RMS service account has read access to AD DS
- Check network connectivity to the AD DS global catalog servers
- Open TCP port 3268 on global catalog servers
- Check if Lightweight Directory Address Protocol (LDAP) connection pool registry overrides are correct
- Restart the AD RMS server
Ensure that the AD RMS service account has read access to AD DS
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To ensure that the AD RMS service account has read access to AD DS:
- Log on to a domain controller in the AD RMS forest.
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Click Users.
- Right-click Domain Users, and then click Properties.
- Click the Members tab and verify that the AD RMS service account is a member of the Domain Users group.
- If the AD RMS service account is not a member of the Domain Users group, you should add it.
Note: If you had to add the AD RMS service account to the Domain Users group, you must restart IIS on each AD RMS server in the cluster by running iisreset at a command prompt.
Check network connectivity to AD DS global catalog servers
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check network connectivity from AD RMS server to AD DS global catalog server:
- Type ipconfig /all at a command prompt on the AD RMS server. Make sure that the AD RMS server has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
- Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
- Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
- Ping the AD DS global catalog server. If you cannot ping the AD DS global catalog server, this indicates a potential problem with the AD DS global catalog server, or the network in between the AD DS global catalog server and the AD RMS server in the cluster.
Open TCP port 3268 on AD DS global catalog servers
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To open TCP port 3268 on AD DS global catalog servers:
- Log on to the AD DS global catalog server.
- Click Start, and then click Control Panel.
- Click Allow a program through Windows Firewall.
- Click the Exceptions tab.
- Click Add Port.
- In the Name box, type AD DS Global Catalog.
- In the Port number box, type 3268.
- Click OK two times.
Check if Lightweight Directory Address Protocol (LDAP) connection pool registry overrides are correct
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check if Lightweight Directory Address Protocol (LDAP) connection pool registry overrides are correct:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Log on to a AD RMS server in the cluster.
- Click Start. In the Start Search box, type regedit, and then press ENTER.
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0.
- If a MinGC entry exists, make sure you have enough global catalog servers to fulfill this request and that the value in the registry is not NULL.
- If a ThreshHoldAlive entry exists, make sure that the value in the registry is greater than or equal to 1.
- If you change either of these registry settings, run iisreset from a command prompt.
Note: The value 1 for the MinGC registry entry is the default AD RMS installation value.
Restart the AD RMS server
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To restart the AD RMS server:
- Log on to the AD RMS server.
- Click Start, point to the right arrow, and then click Restart.
- On the Shutdown Event Tracker, in the Comment box, type Restarting AD RMS server to restore AD DS connectivity, and then click OK.
Note: Restarting the AD RMS server should only be done if the previous sections do not resolve the issue.
Verify
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that AD RMS can access the Active Directory Domain Services forest:
- Log on to an AD RMS-enabled client computer.
- Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
- In the new document type This is a test document.
- Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
- Select the Restrict permissions to this document check box.
- Type another AD RMS user's e-mail address in the Read box, and then click OK.
- Send this file to the person who was granted access in step 6.
- Have this person open the document and verify that he or she cannot do anything else other than read the document, such as print it.