Event ID 2527 — Service Account Configuration

Applies To: Windows Server 2008

Active Directory Lightweight Directory Services (AD LDS) provides services by using the security credentials of a user account. A user account that is used by a service is commonly known as a service account. If the service account that AD LDS uses is changed, the AD LDS instance that uses that account detects the change and warns the administrator that additional configuration steps may be required. The change must be registered with the instance's internal database as well as with the databases of any replication partners that are configured. Such updates are especially important when replication partners exist, because the local instance cannot receive any updates from its replication partners until the change is registered by the replication partners in their respective AD LDS databases.

Event Details

Product: Windows Operating System
ID: 2527
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ADAM_SERVER_INFO_UPDATE_FAILED
Message: The directory server failed to automatically update service account, dns name and/or port information.

This operation will be tried again at the following interval.

Interval (minutes):
%1

Additional Data
Error value:
%3 %4
Internal ID:
%2

Resolve

Ensure the success of the service account update

Active Directory Lightweight Directory Services (AD LDS) retries this operation periodically (every 60 minutes by default). If the update is unsuccessful for several hours, confirm that this instance has connectivity with the replication partners that are named in the event text.

For information about troubleshooting replication issues, see Troubleshooting Active Directory Replication Problems (https://go.microsoft.com/fwlink/?LinkId=92818).
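The following PowerShell script is an added example (not part of the Microsoft article) that turns the advice above into a check: it pulls recent event 2527 entries from the instance's event log to show how long the update has been retrying, reads the retry interval out of the message text, and tests whether the LDAP port of each replication partner is reachable over TCP. It assumes that the instance log is named ADAM (instanceName) and that you supply the partner host names (with an optional :port); the default partner value is constructed.

```powershell
# Added example, not from the original article. Looks for recent event 2527
# entries for one AD LDS instance and checks that the LDAP port on each
# replication partner is reachable over TCP.
# Assumptions: the instance log is named "ADAM (<InstanceName>)" and the
# partner list (host or host:port) is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$InstanceName,
    [string[]]$ReplicationPartners = @('server2.contoso.com:389'),  # constructed sample value
    [int]$HoursBack = 6
)

$logName = "ADAM ($InstanceName)"
$since   = (Get-Date).AddHours(-$HoursBack)

# 1. How long has the update been failing? Event 2527 is logged at every retry.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2527; StartTime = $since } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "No event 2527 in '$logName' during the last $HoursBack hour(s)."
} else {
    $sorted = @($events | Sort-Object TimeCreated)
    $first  = $sorted[0]
    $last   = $sorted[$sorted.Count - 1]
    $hours  = [math]::Round(($last.TimeCreated - $first.TimeCreated).TotalHours, 1)
    Write-Output ("{0} occurrence(s) of event 2527: first {1}, last {2}, {3} h of retries" -f $events.Count, $first.TimeCreated, $last.TimeCreated, $hours)
    # The "Interval (minutes)" line of the message carries the retry interval (%1 in the template).
    if ($last.Message -match 'Interval \(minutes\):\s*(\d+)') {
        Write-Output "Next retry in at most $($Matches[1]) minute(s)."
    }
}

# 2. Can this host reach the LDAP port of each replication partner?
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($partner in $ReplicationPartners) {
    $parts    = $partner -split ':'
    $hostName = $parts[0]
    $port     = if ($parts.Count -gt 1) { [int]$parts[1] } else { 389 }   # AD LDS default LDAP port
    $state    = if (Test-TcpPort -HostName $hostName -Port $port) { 'reachable' } else { 'UNREACHABLE' }
    Write-Output ("{0}:{1} -> {2}" -f $hostName, $port, $state)
}
```

Run it on the computer that hosts the instance, for example `.\Check-Event2527.ps1 -InstanceName instance1 -ReplicationPartners server2.contoso.com:389,server3.contoso.com:50000`. A reachable port only proves that the TCP path is open; if the port is reachable but event 2527 keeps recurring for hours, follow the replication troubleshooting guidance linked above.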

Verify

To verify the configuration of an Active Directory Lightweight Directory Services (AD LDS) instance, you must first know the appropriate host name of the computer that hosts the instance, as well as the appropriate Lightweight Directory Access Protocol (LDAP) and LDAP over Secure Sockets Layer (LDAPS) TCP port numbers. By default, the LDAP and LDAPS port numbers are 389 and 636, respectively. You can quickly determine the host name of a computer by running the command hostname from a command prompt. You must also know the site name in Active Directory Domain Services (AD DS) where the computer that hosts the AD LDS instance is located. If your network does not use Active Directory sites, all computer objects are created in the Default-First-Site-Name object. You must also know the user account name and security identifier of the account under which AD LDS is configured to run.

To resolve a user account name to its respective security identifier (SID), you must have a utility that can translate account names to SIDs. PsTools from Microsoft includes the PsGetSid utility, which translates account names to SIDs and SIDs to account names.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Obtain and extract PsTools

To obtain and extract PsTools:

  1. Download PsTools (https://go.microsoft.com/fwlink/?LinkId=87333).
  2. Extract PsTools.zip from your download folder to a new folder named PsTools. For example, to extract PsTools.zip to a PsTools folder on the C: drive, right-click the PsTools.zip file, and then click Extract All. In the Extraction Wizard, click Next. In Files will be extracted to this directory, type C:\PsTools, and then click Extract.
  3. Close the extraction destination folder (C:\PsTools), which automatically opens in a new window when the extraction is complete.

Determine the service account security identifier

To determine the service account security identifier:

  1. Open a command prompt as an administrator on the computer that hosts the AD LDS instance. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type wmic service list control, and then press ENTER. In the output, locate the AD LDS instance name that you want to verify. You must locate the name of the AD LDS instance and determine which user account it is configured to use:
    • If there is too much output on the screen, you can redirect the output to a text file. For example, type wmic service list control > c:\pstools\services.txt, and then press ENTER. This command redirects the list of services to a folder named pstools on the C: drive.
    • To open the text file, type notepad c:\pstools\services.txt, and then press ENTER.
  3. Record the user account name that the AD LDS instance is using as a service account.
  4. Change the directory path to the folder where you extracted PsTools. For example, if you extracted PsTools to the C:\PsTools folder, type cd /d c:\pstools, and then press ENTER.
  5. At the command prompt, type net config rdr, and then press ENTER. In the resulting command output, note the Workstation domain name, which is used in the following command.
  6. Type psgetsid domainName\serviceAccount, and then press ENTER, where domainName is the Workstation domain name in the output from the previous command and serviceAccount is the name of the user account that the AD LDS instance is configured to use:
    • If this is the first time that you are running psgetsid on this computer, the PsGetSid License Agreement appears. Read the license agreement. If you agree to the terms, click Agree. If you do not agree to the terms, you cannot verify lookup using PsGetSid or continue with the following directions.
    • If the name has spaces in it, use quotation marks around the domainName\serviceAccount, for example "Contoso\Domain Administrator".
    • If the account name is networkservice, type "NT Authority\networkservice" with the quotation marks for the domainName\serviceAccount.
  7. Record the SID in the output of the PsGetSid command.

Verify that the appropriate values are set on AD LDS configuration attributes

To verify the values that are set on the AD LDS configuration attributes:

  1. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the left pane, right-click ADSI Edit, and then click Connect to.
  3. In the Connection Settings dialog box, under Connection Point, ensure that Select a well known Naming Context is selected, and then select Configuration as the container.
  4. In Computer, select Select or type a domain or server, and then type the name of the server that hosts the AD LDS instance, followed by a colon and the port number on which the instance is hosted. For example, if the server name is Server1, the server is a member of the Contoso.com domain, and the AD LDS instance is running on port 389, the connection string is server1.contoso.com:389.
  5. Expand the Configuration container. Expand the container directly below that, which is named CN=Configuration,CN={GUID}, where GUID is a unique identifier for the instance.
  6. Expand the Sites object, and then expand the object that represents the Active Directory site of the server that hosts the AD LDS instance.
  7. Expand the Servers object. You should see an object named CN=serverName$instanceName, where serverName is the computer name of the server hosting the AD LDS instance and instanceName is the name of the AD LDS instance. Right-click the object, and then click Properties.
  8. On the Attribute Editor tab, locate the dNSHostname and nETBIOSName attributes. Ensure that the values accurately reflect the name of the computer that hosts the AD LDS instance.
  9. Click Cancel.
  10. Expand the serverName object.
  11. Right-click the CN=NTDS Settings object, and then click Properties.
  12. Locate the msDS-PortLDAP and msDS-PortSSL attributes, and ensure that the values accurately reflect the LDAP and LDAPS ports on which the AD LDS instance should be available.
  13. Select the msDS-ServiceAccount attribute, and then click View. Ensure that the service account name and corresponding SID are listed correctly in Values.
  14. Click Cancel twice to close the open dialog boxes.
  15. Expand the CN=Roles container that is directly below the CN=Configuration,CN={GUID} container that was previously expanded.
  16. Under CN=Roles, right-click CN=Instances, and then click Properties.
  17. Select the member attribute, and then click View.
  18. Ensure that the service account and SID are listed correctly in Values.
  19. Click Cancel in the open dialog boxes, and then close ADSI Edit.

Complete all the previous procedures to verify the configuration of a single instance on a single server. To verify the configuration of an instance on the other servers in the configuration set, you must connect to the Configuration container of each server and then verify the configuration settings for that instance. For each additional instance that you want to verify, connect to the appropriate Configuration container on each server in the configuration set and verify the configuration.
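The PowerShell script below is an added example (not part of the Microsoft article) that performs the two procedures above without ADSI Edit or PsGetSid: it reads the account the instance service runs as, resolves it to a SID with the .NET System.Security.Principal classes instead of PsGetSid, binds to the instance's Configuration container over LDAP, and compares dNSHostName, nETBIOSName, msDS-PortLDAP, msDS-PortSSL, msDS-ServiceAccount and the member attribute of CN=Instances against the values expected for the host. Because it takes the server name and port as parameters, it can be pointed at each server in the configuration set in turn. It assumes that the instance's Windows service is named ADAM_instanceName, that msDS-ServiceAccount and member hold distinguished names of objects carrying an objectSid attribute, and that the host's fully qualified name resolves in DNS; the script name in the usage line is made up.

```powershell
# Added example, not from the original article. Verifies the AD LDS
# configuration attributes that the ADSI Edit procedure inspects.
# Assumptions: the instance service is named "ADAM_<InstanceName>", and
# msDS-ServiceAccount / member values are DNs of objects with objectSid.
# Usage (script name is hypothetical):
#   .\Verify-AdLdsConfig.ps1 -InstanceName instance1 -ServerName SERVER1
param(
    [Parameter(Mandatory = $true)][string]$InstanceName,
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$LdapHost   = [System.Net.Dns]::GetHostEntry($ServerName).HostName,
    [int]$LdapPort      = 389,   # AD LDS defaults; override for non-default instances
    [int]$LdapsPort     = 636
)
Add-Type -AssemblyName System.DirectoryServices

$results = @()
function Add-Check([string]$Name, $Expected, $Actual) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Expected = $Expected; Actual = $Actual; OK = ($Expected -eq $Actual)
    }
}

# Bind to an object under the instance and return its objectSid as S-1-... text.
function Get-SidFromDn([string]$Dn) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${LdapHost}:${LdapPort}/$Dn")
    $bytes = [byte[]]$entry.Properties['objectSid'].Value
    if (-not $bytes) { return $null }
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# Step 1: which account does the service run as, and what is its SID?
# (Replaces "wmic service list control" plus PsGetSid from the article.)
$svc = Get-WmiObject Win32_Service -ComputerName $ServerName -Filter "Name='ADAM_$InstanceName'"
if (-not $svc) { throw "Service ADAM_$InstanceName not found on $ServerName" }
$account     = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
$expectedSid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
Write-Output "Service account: $account ($expectedSid)"

# Step 2: find the Configuration container via RootDSE and the server object
# named serverName$instanceName under CN=Servers in the host's site.
$base       = "LDAP://${LdapHost}:${LdapPort}"
$rootDse    = New-Object System.DirectoryServices.DirectoryEntry("$base/RootDSE")
$configNc   = [string]$rootDse.Properties['configurationNamingContext'].Value
$configRoot = New-Object System.DirectoryServices.DirectoryEntry("$base/$configNc")
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($configRoot)
$searcher.Filter = '(&(objectClass=server)(cn={0}${1}))' -f $ServerName, $InstanceName
$found = $searcher.FindOne()
if (-not $found) { throw ('No server object for {0}${1} in {2}' -f $ServerName, $InstanceName, $configNc) }
$server = $found.GetDirectoryEntry()

# Steps 8 and 12 of the procedure: host name and port attributes.
$expectedFqdn = [System.Net.Dns]::GetHostEntry($ServerName).HostName
Add-Check 'dNSHostName' $expectedFqdn ([string]$server.Properties['dNSHostName'].Value)
Add-Check 'nETBIOSName' $ServerName   ([string]$server.Properties['nETBIOSName'].Value)
$ntds = $server.Children.Find('CN=NTDS Settings')
Add-Check 'msDS-PortLDAP' $LdapPort  ([int]$ntds.Properties['msDS-PortLDAP'].Value)
Add-Check 'msDS-PortSSL'  $LdapsPort ([int]$ntds.Properties['msDS-PortSSL'].Value)

# Step 13: msDS-ServiceAccount must resolve to the SID the service runs as.
$svcAcctValue = [string]$ntds.Properties['msDS-ServiceAccount'].Value
$actualSid = if ($svcAcctValue -match '=') { Get-SidFromDn $svcAcctValue } else { $svcAcctValue }
Add-Check 'msDS-ServiceAccount SID' $expectedSid $actualSid

# Steps 15-18: the service account must be a member of CN=Instances,CN=Roles.
$instances  = New-Object System.DirectoryServices.DirectoryEntry("$base/CN=Instances,CN=Roles,$configNc")
$memberSids = @($instances.Properties['member'] | ForEach-Object { Get-SidFromDn ([string]$_) })
Add-Check 'CN=Instances member contains service account' $true ($memberSids -contains $expectedSid)

$results | Format-Table Check, OK, Expected, Actual -AutoSize
```

Every row with OK set to False corresponds to a value you would otherwise have had to spot by eye in ADSI Edit. Run the script once per server in the configuration set, passing that server's name and LDAP port, so that the configuration each replica holds is checked rather than only the local copy.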

To learn more about AD LDS, formerly known as Active Directory Application Mode (ADAM), see Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkID=92814).
