Event ID 2541 — SCP Creation

Applies To: Windows Server 2008 R2

When Active Directory Lightweight Directory Services (AD LDS) is running on a computer that is joined to a domain, the AD LDS instance attempts to create a serviceConnectionPoint (SCP) object in the domain so that other computers in the domain can locate the AD LDS instance. As an option, an administrator can specify the container in which to create this object. The container must exist in the domain before it can be used as an SCP.

Event Details

Product: Windows Operating System
ID: 2541
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ADAM_SCP_CONTAINER_NOT_FOUND
Message: The custom ServiceConnectionPoint registration container is not found in AD_TERM.

Additional Data
SCP container DN:
%1
SCP configuration object:
%2
Error value:
%3 %4

User Action:
Verify that msDS-SCPContainer attribute stored on the msDS-ServiceConnectionPoint is pointing to an existing container in AD_TERM, or remove the value to create the SCP object in its default location under the computer object.

Resolve

Provide an appropriate location for the SCP object

An administrator specified that the Active Directory Lightweight Directory Services (AD LDS) instance should create its serviceConnectionPoint (SCP) object in a specific container in the domain. The AD LDS instance could not locate that container. The distinguished name of the container is included in the event text.

To resolve this issue, you may have to correct the configuration of the following:

  • Service account type
  • SCP parent object
  • Service account permissions

Perform the following procedures on the computer that is logging the event to be resolved, unless otherwise noted.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Service account type

To ensure that the service account type is correct:

  1. Open Services. To open Services, click Start, in Start Search, type services.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Locate the AD LDS instance name in the list of services, right-click it, and then click Properties.
  3. Select Log On, and ensure that Local System account is not selected. If it is selected, select This account, and then enter Network Service or the name of a domain user account that you want the AD LDS instance to use:
    • If you are using Network Service, clear the Password and Confirm password boxes.
    • If you are using a domain user account, enter and then confirm the password for that account.
    • Click to confirm the changes to the service account.
  4. Click OK if you are prompted to confirm that the account should be given the right to log on as a service and that a restart of the service is required.
  5. Do not close the Services snap-in because you will use it to restart the AD LDS instance at the end of these procedures.

SCP parent object

The distinguished name of the SCP is identified in the Event Viewer event text. Determine the name of the parent object of the SCP for the AD LDS instance. To determine the name of the SCP parent object, use the path from the event text, without the CN={GUID} portion (which is the name of the SCP). The location is a Lightweight Directory Access Protocol (LDAP) path, such as CN=SCPs,DC=contoso,DC=com. If the location that is shown in the event text is not correct, you can correct it by modifying the SCP Publication Service properties.

To modify the SCP Publication Service properties:

  1. Open ADSI Edit. To open ADSI Edit, click Start, in Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the console tree, right-click the ADSI Edit object, and then click Connect to.

  3. Ensure that Select a well known Naming Context is selected and that the option is set to Configuration.

  4. Ensure that Select or type a domain or server is selected, and then type the name of a server that hosts the AD LDS instance, followed by a colon and the network port number on which the instance is available, for example server1:50000. If you are working locally on the server that hosts the instance, you can type localhost:50000, assuming that the Configuration container for the instance is available on port 50000.

  5. Expand CN=Configuration,CN={GUID}, where GUID is the globally unique identifier (GUID) of the AD LDS instance, and then expand the path CN=Services\CN=Windows NT\CN=Directory Service\CN=SCP Publication Service.

    Note: Objects in ADSI Edit are opened in the reverse order in which they are written in LDAP format. For example, given the path CN=Server1,CN=Computers,DC=contoso,DC=com in the event text, expand the DC=contoso,DC=com object first, next expand CN=Computers, and then select CN=Server1.

  6. Right-click SCP Publication Service, and then click Properties.

  7. In Attribute Editor, under Attributes, select msDS-SCPContainer, and then click Edit:

    • If the path to the parent object is not correct, type the correct path.
    • If you want to use the default path, which is the computer object that hosts the AD LDS instance, click Clear.
  8. Click OK.

Navigate the ADSI Edit path from the event text (or the location that you specified for msDS-SCPContainer) to determine if the SCP parent object exists. If the parent object does not exist, create it.

To create the SCP parent object:

  1. Connect to the default naming context of a domain controller using ADSI Edit. The previous steps describe how to use ADSI Edit to connect. The difference is that you must select Default naming context, and then specify the name and port (usually port 389) of a domain controller.
  2. Navigate to the ADSI Edit structure in the hierarchy under which you want to create the parent object of the SCP.
  3. Right-click the object, click New, and then click Object.
  4. You may select either container, computer, or organizational unit. However, unless you have a reason to select something different, select container, and then click Next.
  5. In Value, type the name of the parent object as it appears in the event text (for example, if the parent object is shown as CN=Service Connect, type Service Connect), and then click Next.

Service account permissions

To ensure that the service account permissions to the parent object of the SCP are correct:

  1. In ADSI Edit, right-click the SCP parent object, and then click Properties.
  2. Click Security.
  3. In Group or user names, select the service account or a group of which the service account is a member. If you do not see the service account or appropriate group, click Add, and then type the domain\username of the service account or domain\groupname of a group to which the service account belongs.
  4. Click Check Names. Confirm that the appropriate account appears. If the appropriate account does not appear, make changes to identify the account, and then click Check Names again. Click OK.
  5. Ensure that the service account or a group to which the service account belongs has Create All Child Objects and Delete All Child Objects permissions. If the service account does not have those permissions (directly or by group membership), click Add, type the service account name or the name of a group to which the service account belongs, and then press ENTER.
  6. Return to the Services snap-in, and restart the AD LDS instance service. To restart the service, right-click the instance name, and then click Restart.
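
The same checks that the ADSI Edit procedures above perform by hand can be scripted as read-only queries. The following PowerShell is an added example, not part of the original article; it assumes the ActiveDirectory module is available, and the server names and service account are placeholders.

```powershell
# Added example: read-only check of the SCP container and its ACL.
# Placeholder values (assumptions): replace with your own.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$LdsServer      = 'localhost:50000'     # AD LDS instance, host:port
$DomainServer   = 'dc1.contoso.com'     # hypothetical domain controller
$ServiceAccount = 'CONTOSO\svc-adlds'   # hypothetical domain service account
# With Network Service, the domain sees the computer account (CONTOSO\SERVER1$).

# 1. Read msDS-SCPContainer from the instance's configuration partition.
$configNC  = (Get-ADRootDSE -Server $LdsServer).configurationNamingContext
$pubDN     = "CN=SCP Publication Service,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$pub       = Get-ADObject -Identity $pubDN -Server $LdsServer -Properties 'msDS-SCPContainer'
$container = @($pub.'msDS-SCPContainer')[0]
if (-not $container) {
    Write-Output 'msDS-SCPContainer is not set: the SCP goes under the computer object.'
    return
}

# 2. Confirm that the container exists in the domain.
try {
    $parent = Get-ADObject -Identity $container -Server $DomainServer -ErrorAction Stop
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Output "Container not found (the condition behind Event ID 2541): $container"
    return
}

# 3. Combine the rights from allow ACEs that name the account directly and
#    apply to all child object types (empty ObjectType GUID).
#    Assumes the AD: drive is mapped to the same domain as $DomainServer.
$needed  = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$granted = 0
(Get-Acl -Path "AD:\$($parent.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.ObjectType -eq [guid]::Empty
    } |
    ForEach-Object { $granted = $granted -bor [int]$_.ActiveDirectoryRights }

if (($granted -band $needed) -eq $needed) {
    Write-Output "$ServiceAccount can create and delete child objects in $container"
} else {
    Write-Output "$ServiceAccount lacks Create/Delete All Child Objects on $container (group ACEs are not evaluated)"
}
```

Because only ACEs that name the account directly are evaluated, a negative result still requires checking the groups to which the service account belongs.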

Verify

When an Active Directory Lightweight Directory Services (AD LDS) instance successfully creates a serviceConnectionPoint (SCP), Event ID 2535 is logged in Event Viewer. Check for the existence of this event in the ADAM_instanceName log of Event Viewer, where instanceName is the name of the AD LDS instance.

To learn more about AD LDS, formerly known as Active Directory Application Mode (ADAM), see Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkID=92820).
