Administering AD LDS Service Principal Names

Applies To: Windows Server 2008

When they run in an Active Directory domain or forest, Active Directory Lightweight Directory Services (AD LDS) instances attempt to register service principal names (SPNs) in Active Directory Domain Services (AD DS) for use in Kerberos authentication during replication. Each AD LDS instance — the first time that the instance starts — attempts to register values to the Service-Principal-Name attribute on the account object that represents the service account in use by the AD LDS instance. Or, if the AD LDS instance uses the Network Service account as the AD LDS service account, the AD LDS instance attempts to register values to the Service-Principal-Name attribute on the computer object that represents the computer on which the AD LDS instance is running. The values that the AD LDS instance attempts to register include the following:

  • E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS\netbiosname:port

  • E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS\dnshostname:port

  • Ldap\netbiosname:port

  • Ldap\dnshostname:port

In addition, if the AD LDS instance uses a reserved communications port (LDAP_PORT, LDAP_GC_PORT, LDAP_SSL_PORT, or LDAP_SSL_GC_PORT), the instance attempts the following SPN registrations:

  • Ldap\netbiosname

  • Ldap\dnshostname

Wldap32.dll does not use a port-formatted SPN to establish a connection to an AD LDS instance by using a reserved port. For example, if AD LDS instance1 on machine1 uses port 3268 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine1. However, if AD LDS instance2 on machine2 uses port 1026 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine2:1026.

Note

When multiple AD LDS instances are running on a single computer, and two or more of the instances each use a reserved port, those AD LDS instances must run under the same AD LDS service account for the SPNs to be registered correctly.

SPN registration attempts occur in the security context of the AD LDS service account. If the AD LDS service account that you specify is not the Network Service account, or if it is a domain user account that does not belong to the Domain Admins group, this SPN registration fails. AD LDS reports this failure as event ID 2516 in the event log for the AD LDS instance. If the SPN registration fails, a dnsdomainname.bat script is created in the data directory of the AD LDS instance (Program Files\Microsoft AD LDS\instancename\data), where dnsdomainname represents the name of the DNS domain in which the AD LDS instance resides. You can use this script to manually register SPNs for AD LDS in AD DS.

The *.bat file contains repadmin /writespn commands, similar to the following:

repadmin.exe /writespn hostname.microsoft.com ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS/netbioshostname:389

repadmin.exe /writespn hostname.microsoft.com ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS/dnshostname:389

repadmin.exe /writespn hostname.microsoft.com ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" ldap/netbioshostname:389

repadmin.exe /writespn hostname.microsoft.com ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" ldap/dnshostname:389

This script registers the appropriate SPNs in AD DS, and it must be run by a member of the Domain Admins group in the domain.

Note

When SPNs for AD LDS instances in a configuration set are registered in AD DS, AD LDS replication authentication uses Kerberos. Otherwise, AD LDS uses negotiated replication authentication. For more information about replication authentication, see Introduction to Administering AD LDS Replication and Configuration Sets.

Removing AD LDS SPNs from AD DS

When you remove an AD LDS instance, make sure that its associated SPNs are also removed from AD DS. These SPNs reside on the computer object of the computer where the AD LDS instance is installed (if the Network Service account is specified for the AD LDS service account) or on the domain user object (if a domain user account is specified for the AD LDS service account).

Forcing the use of SPNs in an Active Directory environment

To force the use of SPNs and Kerberos for replication authentication in a configuration set, you can modify the replication security level of the configuration set to equal two (2). For more information, see Modify the Replication Security Level of a Configuration Set.

Warning

If you set replication security level equal to two (2), and SPNs are not registered or properly configured, replication will fail.
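The following PowerShell sketch is an added example, not part of the original article or of any Microsoft tool. It builds the SPN set described above for one instance, including the extra port-less SPNs for reserved ports, and compares it with a list of registered SPNs. The function names, the host names, and the sample SPN list are constructed for illustration; the SPNs use the "/" separator shown in the repadmin commands, and the numeric values are those of LDAP_PORT, LDAP_SSL_PORT, LDAP_GC_PORT, and LDAP_SSL_GC_PORT.

```powershell
# Added example (not Microsoft's code): expected AD LDS SPNs vs. registered SPNs.
# Service class strings are taken from the page; "/" follows its repadmin commands.
$GuidClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS'
# Values of LDAP_PORT, LDAP_SSL_PORT, LDAP_GC_PORT, LDAP_SSL_GC_PORT
$ReservedPorts = 389, 636, 3268, 3269

function Get-ExpectedAdLdsSpn {
    param(
        [Parameter(Mandatory)][string]$NetbiosName,
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port
    )
    $names = $NetbiosName, $DnsHostName
    # Port-qualified SPNs are attempted for every instance.
    foreach ($class in $GuidClass, 'ldap') {
        foreach ($n in $names) { "$class/${n}:$Port" }
    }
    # Port-less SPNs are attempted only when the instance uses a reserved port.
    if ($ReservedPorts -contains $Port) {
        foreach ($n in $names) { "ldap/$n" }
    }
}

function Compare-AdLdsSpn {
    param([string[]]$Expected, [string[]]$Registered)
    # -contains on strings is case-insensitive, so "Ldap/..." matches "ldap/...".
    [pscustomobject]@{
        Missing = @($Expected | Where-Object { $Registered -notcontains $_ })
        Present = @($Expected | Where-Object { $Registered -contains $_ })
    }
}

# Constructed sample: SPNs as they might be read from the servicePrincipalName
# attribute of the service account or computer object (for example with setspn -L).
$registered = @(
    'HOST/machine1',
    'ldap/machine1:3268',
    'ldap/machine1.corp.example.com:3268',
    'ldap/machine1'
)

$expected = Get-ExpectedAdLdsSpn -NetbiosName machine1 -DnsHostName machine1.corp.example.com -Port 3268
$result = Compare-AdLdsSpn -Expected $expected -Registered $registered

"Expected: $($expected.Count)  Present: $($result.Present.Count)  Missing: $($result.Missing.Count)"
$result.Missing | ForEach-Object { "MISSING  $_" }
```

Before setting the replication security level to two (2), Missing should be empty for every instance in the configuration set. After an instance has been removed, anything still listed under Present is an SPN to remove from AD DS.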
