Manually Remove AD LDS Service Principal Names From AD DS

Applies To: Windows Server 2008

You can use this procedure to manually remove the Active Directory Lightweight Directory Services (AD LDS) service principal names (SPNs) from Active Directory Domain Services (AD DS).

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To manually remove AD LDS service principal names from AD DS

  1. To open Active Directory Service Interfaces (ADSI) Edit, click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the domain directory partition of the Active Directory domain in which the AD LDS instance resides. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  3. Do one of the following:

    • If the Network Service account is specified as the AD LDS service account, navigate to the computer object for the computer on which AD LDS is installed.

    • If a domain user account is specified as the AD LDS service account, navigate to the domain user object of the domain user account.

  4. Right-click the computer object or the domain user object, and then click Properties.

  5. In Attributes, click ServicePrincipalName, and then click Edit.

  6. For each AD LDS value that is listed in Values, click the value, and then click Remove.

Note

If service principal names (SPNs) in AD DS exist for the AD LDS instance that is being uninstalled, and adamuninstall cannot remove the SPNs automatically, adamuninstall creates a .bat file that can be used to remove the SPNs manually. This .bat file is located at %windir%\Debug\domain-servicename.bat, where domain represents the Active Directory domain in which the AD LDS instance resides, and servicename represents the service name of the AD LDS instance that is being removed. (By default, the service name of an AD LDS instance is AD LDS_instancename, where instancename is the instance name that you provide during AD LDS setup.)
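
A scripted form of steps 3 through 6 of the procedure above, as an added example that is not part of the original documentation: it reports every servicePrincipalName value on the service account object, marks the ones selected for removal, and deletes only those when -Remove is given. The parameter names and the wildcard pattern are assumptions supplied by the operator; review the report before re-running with -Remove, because a computer object also carries SPNs (such as HOST/...) that must stay.

```powershell
# Added example (not from the original page). Run as a Domain Admins member
# on a domain-joined computer. All parameter names here are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$AccountName, # sAMAccountName; computer accounts end in '$'
    [Parameter(Mandatory = $true)][string]$SpnPattern,  # operator-chosen wildcard, e.g. '*:<port>' (placeholder)
    [switch]$Remove                                     # without this switch the script only reports
)

$ADS_PROPERTY_DELETE = 4   # ADSI PutEx control code: delete only the listed values

# Reject characters that would change the meaning of the LDAP filter below.
if ($AccountName -notmatch '^[\w.\-]+\$?$') { throw "Unexpected characters in account name." }

# Step 3: locate the computer object or domain user object in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(sAMAccountName=$AccountName)"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$hits = $searcher.FindAll()
if ($hits.Count -ne 1) { throw "Expected exactly one object for '$AccountName', found $($hits.Count)." }

# Steps 4-5: read the current servicePrincipalName values from the search result.
$current = @($hits[0].Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
$targets = @($current | Where-Object { $_ -like $SpnPattern })

Write-Output "Object: $($hits[0].Path)"
foreach ($spn in $current) {
    $mark = if ($targets -contains $spn) { 'REMOVE' } else { 'keep  ' }
    Write-Output "  [$mark] $spn"
}

if ($targets.Count -eq 0) { Write-Output 'No values match the pattern.'; return }
if ($targets.Count -eq $current.Count) {
    Write-Warning 'The pattern matches every SPN on the object; narrow it before removing.'
    return
}
if (-not $Remove) { Write-Output 'Report only. Re-run with -Remove to delete the marked values.'; return }

# Step 6: remove the matched values and leave every other SPN in place.
$entry = $hits[0].GetDirectoryEntry()
$entry.PutEx($ADS_PROPERTY_DELETE, 'servicePrincipalName', @($targets))
$entry.SetInfo()
Write-Output "Removed $($targets.Count) value(s) from $AccountName."
```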