Event ID 2536 — SCP Update

Applies To: Windows Server 2008 R2

When Active Directory Lightweight Directory Services (AD LDS) is running on a computer that is joined to a domain, the AD LDS instance attempts to update a serviceConnectionPoint (SCP) object in the domain whenever a change is made to the AD LDS configuration data that is published in the SCP.

Event Details

Product: Windows Operating System
ID: 2536
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ADAM_SCP_UPDATE_FAILURE
Message: The directory server has failed to update the AD_TERM_ABBR serviceConnectionPoint object in AD_TERM. This operation will be retried.

Additional Data
SCP object DN:
%1
Error value:
%2 %3
Server error:
%4
Internal ID:
%5
AD_TERM_ABBR service account:
%6

User Action
If AD_TERM_ABBR is running under a local service account, it will be unable to update the data in AD_TERM. Consider changing the AD_TERM_ABBR service account to either NetworkService or a domain account.

If AD_TERM_ABBR is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.

ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.

Resolve

Ensure that the service account can update SCP information

If you want other computers to be able to locate the Active Directory Lightweight Directory Services (AD LDS) instance, ensure that permissions are configured appropriately to allow the serviceConnectionPoint (SCP) update to occur. To resolve this issue, you must ensure that the service account type is correct and that it has the appropriate permissions to update the SCP. Perform the following procedures on the computer that is logging the event to be resolved.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To ensure that the service account type is correct:

  1. Open Services. To open Services, click Start. In Start Search, type services.msc, and then press ENTER.
  2. Locate the AD LDS instance name in the list of services, right-click it, and then click Properties.
  3. Select Log On, and ensure that Local System account is not selected. If it is selected, select This account, and then enter Network Service or the name of a domain user account that you want the AD LDS instance to use:
    • If you are using Network Service, clear the Password and Confirm password boxes.
    • If you are using a domain user account, enter and then confirm the password for that account.
    • Click OK to confirm the changes to the service account.
  4. If you are prompted to confirm that the account should be given the right to log on as a service and that a restart of the service is required, click OK.
  5. Do not close the Services snap-in because you will use it to restart the AD LDS instance at the end of these procedures.

To verify that the service account has the appropriate permissions:

  1. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type adsiedit.msc, and then press ENTER.

  2. In the console tree, right-click ADSI Edit, and then click Connect to.

  3. Ensure that Select a well known Naming Context is selected and that the option is set to Default naming context.

  4. Ensure that Select or type a domain or server is selected, and then type the name of a domain controller, followed by the port number on which Active Directory Domain Services (AD DS) is hosted (by default, port 389). For example, to connect to a domain controller named ContosoDC1 on port 389, type ContosoDC1:389.

  5. The distinguished name of the SCP is identified in the Event Viewer event text. Expand that location. By default, the location is an object that is subordinate to the computer object of the computer that hosts the AD LDS instance. The object is CN={GUID}, where GUID is the globally unique identifier (GUID) for the instance, which is listed in the event text.

    Note: You open objects in ADSI Edit in the reverse order in which they appear in the event text. For example, given the path CN={GUID},CN=Service Connect,DC=Contoso,DC=com in the event text, expand the DC=Contoso,DC=com object first, and then select CN=Service Connect.

  6. Right-click the SCP object, and then click Properties.

  7. Click Security. Either select a domain account in the existing list of groups or user names, or click Add to add a domain user or group account.

  8. Ensure that the account that you selected or added has the Full Control permission set to Allow.

  9. Return to Services, and then restart the AD LDS instance service. To restart the service, right-click the instance name, and then click Restart.

Verify

When an Active Directory Lightweight Directory Services (AD LDS) instance successfully updates a serviceConnectionPoint (SCP), Event ID 2534 is logged in Event Viewer. Check for the existence of this event in the ADAM_instanceName log of Event Viewer.
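
The checks from the two procedures and the verification step can also be run from Windows PowerShell on the computer that logs the event. The script below is an added example, not part of the original Microsoft page. It assumes a placeholder instance name, that the service and log both use the ADAM_instanceName form, and that the event's insertion strings %1 to %6 appear in order in the event's Properties collection.

```powershell
# Added example. $InstanceName is a placeholder; the service and log names
# follow the ADAM_instanceName form used on this page (adjust if yours differ).
$InstanceName = 'instance1'
$ServiceName  = "ADAM_$InstanceName"
$LogName      = "ADAM_$InstanceName"

# 1. Logon account of the AD LDS service (the Log On tab in Services).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found." }
"Service logon account: $($svc.StartName)"
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\LocalService)$') {
    'Local-only account in use; the procedure calls for Network Service or a domain account.'
}

# 2. Most recent failure event. Assumption: insertion strings %1..%6 map to
#    Properties[0..5] in order (%1 = SCP object DN, %6 = service account).
$fail = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2536 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
if ($fail) {
    $scpDn = [string]$fail.Properties[0].Value
    "Last 2536: $($fail.TimeCreated)"
    "SCP object DN: $scpDn"
    "Account in event: $($fail.Properties[5].Value)"

    # 3. Access rules on the SCP object (the Security tab in ADSI Edit).
    #    A service running as Network Service authenticates to the domain as
    #    the computer account, so look for DOMAIN\COMPUTER$ in that case.
    $fullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $scp = [ADSI]"LDAP://$scpDn"
    $scp.psbase.ObjectSecurity.GetAccessRules($true, $true,
            [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'FullControl'
               Expression = { ([int]$_.ActiveDirectoryRights -band $fullControl) -eq $fullControl } } |
        Format-Table -AutoSize
}

# 4. Verify: a 2534 event newer than the last 2536 means the update succeeded.
$ok = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2534 } `
          -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ok -and (-not $fail -or $ok.TimeCreated -gt $fail.TimeCreated)) {
    "SCP update succeeded at $($ok.TimeCreated)."
} else {
    'No successful SCP update (Event ID 2534) logged since the last failure.'
}
```

The FullControl column also shows every other principal that holds Full Control on the SCP object, which is worth reviewing when the service account is added.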

To learn more about AD LDS, formerly known as Active Directory Application Mode (ADAM), see Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkID=92814).
