Event ID 2533 — Port and Host Name Configuration

Applies To: Windows Server 2008

If there is a change to the host name or network communication ports of an Active Directory Lightweight Directory Services (AD LDS) instance, the change must be registered with the instance's internal database as well as with the databases of any replication partners that are configured. Such updates are especially important when replication partners exist, because a local instance cannot receive any updates from its replication partners until the change is registered by the replication partners in their respective AD LDS databases.

Event Details

Product: Windows Operating System
ID: 2533
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ADAM_DNSNAME_PORT_LOCAL_UPDATE_FAILURE
Message: The directory server has failed to update the host name and/or ports information for this service in the local database. This operation will be retried.

Additional Data
Error value:
%2 %3
Internal ID:
%4

Resolve

Ensure the success of the configuration update

Active Directory Lightweight Directory Services (AD LDS) retries this operation periodically (every 60 minutes by default). If the retry succeeds, Event 2532 is added to Event Viewer, and no further action is necessary.

If the update is unsuccessful for several hours, there should be additional information concerning the error in the Event Viewer message. Resolve the underlying issue as reported in the Event Viewer events.
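The retry behavior above can be checked from the event log by pairing each Event 2533 with any later Event 2532. The following is an added example, not part of the original Microsoft article; the function name, the three-hour threshold standing in for "several hours", the constructed sample events, and the log name in the closing comment are all assumptions.

```powershell
# Added example: report a run of 2533 failures that no later 2532 success has cleared.
function Get-OpenUpdateFailure {
    param(
        [object[]]$Records,                # objects exposing Id and TimeCreated
        [datetime]$Now = (Get-Date),
        [double]$AlertAfterHours = 3       # assumed reading of "several hours"
    )
    $sorted = @($Records |
        Where-Object { $_.Id -eq 2532 -or $_.Id -eq 2533 } |
        Sort-Object TimeCreated)

    # Walk forward in time: a 2532 closes the current streak, a 2533 extends it.
    $streak = @()
    foreach ($e in $sorted) {
        if ($e.Id -eq 2532) { $streak = @() } else { $streak += $e }
    }
    if ($streak.Count -eq 0) { return $null }   # the most recent event was a success

    $first = $streak[0].TimeCreated
    $hours = [math]::Round(($Now - $first).TotalHours, 1)
    New-Object PSObject -Property @{
        FirstFailure = $first
        Failures     = $streak.Count
        OpenHours    = $hours
        Investigate  = ($hours -ge $AlertAfterHours)
    }
}

# Constructed sample: one failure cleared by a retry, then three uncleared failures.
$t0 = [datetime]'2024-01-10T08:00:00'
$sample = @(
    @{ Id = 2533; TimeCreated = $t0 },
    @{ Id = 2532; TimeCreated = $t0.AddHours(1) },
    @{ Id = 2533; TimeCreated = $t0.AddHours(5) },
    @{ Id = 2533; TimeCreated = $t0.AddHours(6) },
    @{ Id = 2533; TimeCreated = $t0.AddHours(7) }
) | ForEach-Object { New-Object PSObject -Property $_ }

Get-OpenUpdateFailure -Records $sample -Now $t0.AddHours(9)

# Live use. The log name is an assumption; substitute the log of the instance being checked.
# Get-OpenUpdateFailure -Records (Get-WinEvent -FilterHashtable @{
#     LogName = 'ADAM (instance1)'; Id = 2532, 2533 })
```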

Verify

To verify the configuration of an Active Directory Lightweight Directory Services (AD LDS) instance, you must first know the appropriate host name of the computer that hosts the instance, as well as the appropriate Lightweight Directory Access Protocol (LDAP) and LDAP over Secure Sockets Layer (LDAPS) TCP port numbers. By default, the LDAP and LDAPS port numbers are 389 and 636, respectively. You can quickly determine the host name of a computer by running the command hostname at a command prompt. You must also know the site name in Active Directory Domain Services (AD DS) where the computer that hosts the AD LDS instance is located. If your network does not use Active Directory sites, all computer objects are created in the Default-First-Site-Name object. You must also know the user account name and security identifier (SID) of the account under which AD LDS is configured to run.

To resolve a user account name to its respective SID, you must have a utility that can translate account names to SIDs. PsTools from Microsoft includes the PsGetSid utility, which translates account names to SIDs and SIDs to account names.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Obtain and extract PsTools

To obtain and extract PsTools:

  1. Download PsTools (https://go.microsoft.com/fwlink/?LinkId=87333).
  2. Extract PsTools.zip from your download folder to a new folder named PsTools. For example, to extract PsTools.zip to a PsTools folder on the C: drive, right-click the PsTools.zip file, and then click Extract All. In the Extraction Wizard, click Next. In Files will be extracted to this directory, type C:\PsTools, and then click Extract.
  3. Close the extraction destination folder (C:\PsTools), which automatically opens in a new window when the extraction is complete.

Determine the service account security identifier

To determine the service account security identifier:

  1. Open a command prompt as an administrator on the computer that hosts the AD LDS instance. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type wmic service list control, and then press ENTER. In the output, locate the AD LDS instance name that you want to verify. You must locate the name of the AD LDS instance and determine which user account it is configured to use:
    • If there is too much output on the screen, you can redirect the output to a text file. For example, type wmic service list control > c:\pstools\services.txt, and then press ENTER. This command redirects the list of services to a folder named pstools on the C: drive.
    • To open the text file, type notepad c:\pstools\services.txt, and then press ENTER.
  3. Record the user account name that the AD LDS instance is using as a service account.
  4. Change the directory path to the folder where you extracted PsTools. For example, if you extracted PsTools to the C:\PsTools folder, type cd /d c:\pstools, and then press ENTER.
  5. At the command prompt, type net config rdr, and then press ENTER. In the resulting command output, note the Workstation domain name, which is used in the following command.
  6. Type psgetsid domainName\serviceAccount, and then press ENTER, where domainName is the Workstation domain name in the output from the previous command and serviceAccount is the name of the user account that the AD LDS instance is configured to use:
    • If this is the first time that you are running psgetsid on this computer, the PsGetSid License Agreement appears. Read the license agreement. If you agree to the terms, click Agree. If you do not agree to the terms, you cannot verify lookup using PsGetSid or continue with the following directions.
    • If the name has spaces in it, use quotation marks around the domainName\serviceAccount, for example "Contoso\Domain Administrator".
    • If the account name is networkservice, type "NT Authority\networkservice" with the quotation marks for the domainName\serviceAccount.
  7. Record the SID in the output of the psgetsid command.

Verify that the appropriate values are set on AD LDS configuration attributes

To verify the values on the AD LDS configuration attributes:

  1. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the left pane, right-click ADSI Edit, and then click Connect to.
  3. In the Connection Settings dialog box, under Connection Point, ensure that Select a well known Naming Context is selected, and then select Configuration as the container.
  4. In Computer, select Select or type a domain or server, and then type the name of the server that hosts the AD LDS instance, followed by a colon and the port number on which the instance is hosted. If the server name is Server1, it is a member of the Contoso.com domain, and the AD LDS instance is running on port 389, the connection string is server1.contoso.com:389. Click OK.
  5. In the console pane, expand the Configuration container. Expand the container directly below that, which is named CN=Configuration,CN={GUID}, where GUID is a globally unique identifier (GUID) for the instance.
  6. Expand the Sites object, and then expand the object that represents the Active Directory site of the server that hosts the AD LDS instance.
  7. Expand the Servers object. You should see an object named CN=serverName$instanceName, where serverName is the computer name of the server that hosts the AD LDS instance and instanceName is the name of the AD LDS instance. Right-click the object, and then click Properties.
  8. On the Attribute Editor tab, locate the dNSHostname and nETBIOSName attributes. Ensure that the values accurately reflect the name of the computer that hosts the AD LDS instance. Click Cancel.
  9. Expand the serverName object. Right-click the CN=NTDS Settings object, and then click Properties.
  10. Locate the msDS-PortLDAP and msDS-PortSSL attributes, and ensure that the values accurately reflect the LDAP and LDAPS ports on which the AD LDS instance should be available.
  11. Select the msDS-ServiceAccount attribute, and then click View. Ensure that the service account name and corresponding SID are listed correctly in Values.
  12. Click Cancel twice to close the open dialog boxes.
  13. Expand the CN=Roles container that is directly below the CN=Configuration,CN={GUID} container that was previously expanded.
  14. Under CN=Roles, right-click CN=Instances, and then click Properties.
  15. Select the member attribute, and then click View.
  16. Ensure that the service account and SID are listed correctly in Values.
  17. Click Cancel in the open dialog boxes, and then close ADSI Edit.

Complete all the previous procedures to verify the configuration of a single instance on a single server. To verify the configuration of an instance on the other servers in the configuration set, you must connect to the Configuration container of each server and verify the configuration settings for that instance. For each additional instance that you want to verify, connect to the appropriate Configuration container on each server in the configuration set, and then verify the configuration.
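The same attributes can be read with a script, which makes it practical to repeat the check on every server in the configuration set. The following is an added example, not part of the original Microsoft article. It queries a live instance and assumes that the service account is Network Service, that the instance's RootDSE supplies the serverName, dsServiceName and configurationNamingContext values, and that the account's SID string appears in the msDS-ServiceAccount and member values; New-Check is a hypothetical helper.

```powershell
# Added example: read the attributes that the ADSI Edit steps inspect and compare them.
$servers  = @('server1.contoso.com:389')     # host:port of each replica (this page's example value)
$ldapPort = 389; $sslPort = 636              # default ports named on this page
$account  = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: the instance's service account

# Name-to-SID lookup through .NET, as an alternative to PsGetSid.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function New-Check($Server, $Attribute, $Actual, $Ok) {
    New-Object PSObject -Property @{
        Server = $Server; Attribute = $Attribute; Actual = $Actual; Ok = $Ok }
}

$results = foreach ($s in $servers) {
    $hostName = $s.Split(':')[0]
    # RootDSE names the server and NTDS Settings objects, so the GUID need not be typed.
    $root  = [ADSI]"LDAP://$s/RootDSE"
    $srv   = [ADSI]"LDAP://$s/$($root.serverName)"
    $ntds  = [ADSI]"LDAP://$s/$($root.dsServiceName)"
    $roles = [ADSI]"LDAP://$s/CN=Instances,CN=Roles,$($root.configurationNamingContext)"

    $dns  = "$($srv.Properties['dNSHostName'].Value)"
    $nb   = "$($srv.Properties['nETBIOSName'].Value)"
    $ldap = $ntds.Properties['msDS-PortLDAP'].Value
    $ssl  = $ntds.Properties['msDS-PortSSL'].Value
    # Assumption: the SID string appears inside each value that refers to the account.
    $svc  = @($ntds.Properties['msDS-ServiceAccount'] | ForEach-Object { "$_" })
    $mem  = @($roles.Properties['member'] | ForEach-Object { "$_" })

    New-Check $s 'dNSHostName'           $dns  ($dns -eq $hostName)
    New-Check $s 'nETBIOSName'           $nb   ($nb -eq $hostName.Split('.')[0])
    New-Check $s 'msDS-PortLDAP'         $ldap ($ldap -eq $ldapPort)
    New-Check $s 'msDS-PortSSL'          $ssl  ($ssl -eq $sslPort)
    New-Check $s 'msDS-ServiceAccount'   ($svc -join '; ') ([bool]($svc -like "*$sid*"))
    New-Check $s 'member (CN=Instances)' ($mem -join '; ') ([bool]($mem -like "*$sid*"))
}

$results | Format-Table Server, Attribute, Ok, Actual -AutoSize
```

Any row with Ok set to False identifies the attribute to inspect in ADSI Edit on that server.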

To learn more about AD LDS, formerly known as Active Directory Application Mode (ADAM), see Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkID=92814).
