Administering ADAM service publication
Updated: August 22, 2005
Applies To: Windows Server 2003 R2
In Active Directory environments, Active Directory Application Mode (ADAM) uses service connection point (SCP) objects to publish ADAM service information in the Active Directory directory store. Considerations for administering ADAM SCP objects include the following:
Manually creating SCPs when necessary
Removing SCP objects when necessary
Modifying permissions on SCP objects when necessary
Checking the ADAM event log for SCP errors
By default in Active Directory environments, the ADAM service creates SCPs in Active Directory when the ADAM service starts. To successfully create SCPs, the ADAM service account must have sufficient rights in Active Directory. If SCP creation fails, ADAM writes an event to the ADAM event log regarding the failure.
The default location for the ADAM SCP object is under the computer object that represents the computer on which ADAM is running. This default location can be altered by specifying a different location on the SCPPublishingService object.
When it is used as the ADAM service account on a computer that is joined to a domain, the Network Service account usually has sufficient rights to create SCPs in Active Directory. However, when it is used on an ADAM instance running on a domain controller, the Network Service account does not have sufficient rights to create SCPs in Active Directory.
An ADAM instance deletes its SCP from Active Directory when you remove the ADAM instance from the computer. Removing the SCP requires sufficient administrative privileges. If SCP removal fails, client applications may be directed to a nonexistent ADAM instance.
An ADAM instance checks and updates, if necessary, its SCP each time the ADAM instance starts. At startup, the ADAM instance searches the global catalog for its own globally unique identifier (GUID) and retrieves the distinguished name of the SCP object. The ADAM instance then binds to that distinguished name and updates the SCP object as necessary. In addition, the ADAM instance reviews the SCP object on an hourly basis by default to confirm its validity, particularly regarding any directory partitions that have been added to or removed from the ADAM instance since the SCP object was last updated.
You can modify the default time interval at which ADAM reviews the SCP object by adding a value named Server information update interval (mins) to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instancename\Parameters and setting this value to the time interval (in minutes) that you want to use.
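The registry change described above, as an added PowerShell example (not code from the original article or from Microsoft). It assumes the instance name is the service name that appears in the registry path and that the value is stored as a REG_DWORD; the function name and the sample instance name are placeholders.

```powershell
# Added example, not from the original article. Sets the interval (in minutes)
# at which one ADAM instance re-checks its SCP, then reads the value back.
# Assumptions: the instance name is the service key name under Services, and
# the value is a REG_DWORD (the article does not state the value type).
function Set-AdamScpReviewInterval {
    param(
        [Parameter(Mandatory = $true)][string]$InstanceName,              # e.g. "instance1" (placeholder)
        [Parameter(Mandatory = $true)][ValidateRange(1, 10080)][int]$Minutes
    )
    $serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName"
    $paramsKey  = "$serviceKey\Parameters"
    $valueName  = "Server information update interval (mins)"

    # Refuse to create keys for a service that does not exist on this computer.
    if (-not (Test-Path $serviceKey)) {
        throw "No service named '$InstanceName' is registered on this computer."
    }
    if (-not (Test-Path $paramsKey)) {
        New-Item -Path $paramsKey | Out-Null
    }

    # Set-ItemProperty creates the value if missing and overwrites it otherwise.
    Set-ItemProperty -Path $paramsKey -Name $valueName -Value $Minutes -Type DWord

    # Return the stored value so the caller can confirm what was written.
    (Get-ItemProperty -Path $paramsKey -Name $valueName).$valueName
}

# Usage (placeholder instance name): review the SCP every 15 minutes instead of hourly.
# Set-AdamScpReviewInterval -InstanceName "instance1" -Minutes 15
```

Run this as an administrator on the computer hosting the instance. The article does not say whether the new interval is read immediately or only when the instance restarts, so restarting the instance after the change is the safe assumption.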
For more information about publishing and using SCPs, see "About Service Publication" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=48288.
Managing ADAM SCPs
One efficient way to manage SCPs for ADAM is to create an SCP container for your ADAM configuration set in Active Directory. In this container, place the computer objects of the computers on which ADAM instances are running. In addition, create a group called, for example, "ADAM instances," and assign permissions on the SCP container to the group. Also, delegate control of the group to the assigned ADAM administrator. Then, each time the ADAM administrator installs a new ADAM instance under a new service account, the ADAM administrator can simply add the new service account to the "ADAM instances" group, and the ADAM instance creates and maintains its SCPs transparently.
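The container-plus-group layout described above, as an added PowerShell example built on ADSI and the .NET System.DirectoryServices classes (this is not code from the original article or from Microsoft, and it does not need the Active Directory module). The OU name "ADAM SCPs", the group name "ADAM instances", the computer "ADAMHOST1", the service account "svc-adam1" and the administrator "CONTOSO\adam-admin" are placeholders. The article only says to "assign permissions on the SCP container to the group", so the specific rights granted here (create and delete serviceConnectionPoint objects beneath the OU, plus write on those objects) are an assumption chosen to stay at least privilege; the GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not from the original article. Creates the SCP OU, moves the
# ADAM host computer objects into it, creates the "ADAM instances" group,
# grants that group the rights needed to publish SCPs under the computer
# objects, and delegates membership of the group to the ADAM administrator.
# All names below are placeholders; the rights granted are an assumption.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

function Get-SchemaIdGuid([string]$SchemaCn) {
    # Read schemaIDGUID from the schema instead of hard-coding class/attribute GUIDs.
    $entry = [ADSI]"LDAP://CN=$SchemaCn,$schemaNc"
    New-Object System.Guid -ArgumentList (,[byte[]]$entry.psbase.Properties["schemaIDGUID"].Value)
}

# 1. The SCP container: an OU directly under the domain (placeholder name).
$domain = [ADSI]"LDAP://$domainDn"
$ou = $domain.Create("organizationalUnit", "OU=ADAM SCPs")
$ou.SetInfo()

# 2. Move the computer objects of the ADAM hosts into the OU; by default the
#    SCP is created under the computer object, so it inherits the OU's ACEs.
foreach ($computerDn in @("CN=ADAMHOST1,CN=Computers,$domainDn")) {   # placeholder host
    $computer = [ADSI]"LDAP://$computerDn"
    $computer.psbase.MoveTo($ou)
}

# 3. A global security group that will hold the ADAM service accounts.
$group = $ou.Create("group", "CN=ADAM instances")
$group.Put("sAMAccountName", "ADAM instances")
$group.Put("groupType", -2147483646)       # 0x80000002: global, security-enabled
$group.SetInfo()
$group.psbase.RefreshCache()               # fetch the server-assigned objectSid
$groupSid = New-Object System.Security.Principal.SecurityIdentifier `
    -ArgumentList ([byte[]]$group.psbase.Properties["objectSid"].Value, 0)

# 4. ACEs on the OU for the group (assumed rights: create/delete SCP objects
#    anywhere beneath the OU, and write the attributes of existing SCP objects
#    so the periodic update succeeds).
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$scpClass = Get-SchemaIdGuid "Service-Connection-Point"

$createDeleteScp = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid
    ($rights::CreateChild -bor $rights::DeleteChild)
    $allow
    $scpClass          # objectType: only children of class serviceConnectionPoint
    $inherit::All
)
$writeScp = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid
    $rights::WriteProperty
    $allow
    [Guid]::Empty      # all attributes ...
    $inherit::Descendents
    $scpClass          # ... but only on descendant serviceConnectionPoint objects
)
$ou.psbase.ObjectSecurity.AddAccessRule($createDeleteScp)
$ou.psbase.ObjectSecurity.AddAccessRule($writeScp)
$ou.psbase.CommitChanges()

# 5. Delegate control of the group's membership (the "member" attribute only)
#    to the ADAM administrator, so they can add new service accounts.
$memberAttr = Get-SchemaIdGuid "Member"
$adamAdmin  = New-Object System.Security.Principal.NTAccount -ArgumentList "CONTOSO\adam-admin"   # placeholder
$delegateMembership = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $adamAdmin
    $rights::WriteProperty
    $allow
    $memberAttr
    $inherit::None
)
$group.psbase.ObjectSecurity.AddAccessRule($delegateMembership)
$group.psbase.CommitChanges()

# 6. What the ADAM administrator does for each new instance: add its service account.
$group.Add("LDAP://CN=svc-adam1,CN=Users,$domainDn")                 # placeholder account
```

Run this once as a domain administrator; step 6 is the only part the delegated ADAM administrator repeats. The group receives no rights on the computer objects themselves beyond creating and deleting SCP children under them, which keeps a compromised service account from modifying the host accounts. Read access is assumed to come from the default Authenticated Users permissions.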
Checking the ADAM event log
SCP-related errors do not prevent an ADAM instance from functioning properly. ADAM does, however, report SCP-related errors in the ADAM event log so that errors can be resolved. ADAM reports SCP-related errors as follows:
When an SCP creation or update fails, the ADAM instance reports the error and points to a .ldf file that can be used to manually resolve the problem. Using this .ldf file to create or update the SCPs requires administrator privileges in Active Directory.
When ADAM fails to remove an SCP object, ADAM reports this failure both in the audit log of the appropriate domain controller and in the ADAM event log.
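Two checks a practitioner would pair with this section, as an added PowerShell example (not code from the original article or from Microsoft): pulling SCP-related entries from the instance's event log, and locating the instance's SCP in the global catalog the way the startup procedure described earlier does (search, then bind to the returned distinguished name) so that a stale SCP pointing at a nonexistent instance can be spotted. Assumptions: the event log is named "ADAM (instancename)"; because the article gives no event IDs, SCP events are selected by message text; the instance GUID is matched against the SCP's keywords attribute; and each serviceBindingInformation value names a host and port.

```powershell
# Added example, not from the original article. Assumptions are marked inline.

function Get-AdamScpEvents {
    # Errors and warnings that mention SCPs, newest first.
    param(
        [Parameter(Mandatory = $true)][string]$InstanceName,   # e.g. "instance1" (placeholder)
        [int]$Newest = 500
    )
    $logName = "ADAM ($InstanceName)"                          # assumption: per-instance log name
    # Assumption: no event IDs are documented, so match on message text instead.
    Get-EventLog -LogName $logName -Newest $Newest -EntryType Error, Warning |
        Where-Object { $_.Message -match 'service connection point|\bSCP\b|\.ldf\b' } |
        Select-Object TimeGenerated, EventID, EntryType, Message
}

function Find-AdamScp {
    # Search the global catalog for the SCP, then bind to its DN over LDAP.
    param([Parameter(Mandatory = $true)][string]$Keyword)      # assumption: the instance GUID is in keywords
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $forestRoot = [string]$rootDse.rootDomainNamingContext
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher ([ADSI]"GC://$forestRoot")
    $searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$Keyword))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($result in $searcher.FindAll()) {
        $dn  = $result.Properties["distinguishedname"][0]
        $scp = [ADSI]"LDAP://$dn"                                # full, writable copy of the object
        New-Object PSObject -Property @{
            DistinguishedName         = $dn
            ServiceBindingInformation = @($scp.serviceBindingInformation)
            Keywords                  = @($scp.keywords)
        }
    }
}

function Test-ScpBinding {
    # TCP-connect to the host:port named by one serviceBindingInformation value.
    # Assumption: the value looks like "host:port" or "ldap://host:port".
    param([Parameter(Mandatory = $true)][string]$Binding, [int]$TimeoutMs = 3000)
    $text = if ($Binding -match '://') { $Binding } else { "ldap://$Binding" }
    $uri  = $null
    $parsed = [Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri)
    if (-not $parsed -or -not $uri.Host -or $uri.Port -le 0) {
        return New-Object PSObject -Property @{ Binding = $Binding; Reachable = $null; Note = "unparsed" }
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
    $ok     = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    $client.Close()
    New-Object PSObject -Property @{ Binding = $Binding; Reachable = $ok; Note = "" }
}

# Usage (placeholders): review SCP errors, then check whether each published
# binding still answers. An SCP whose bindings are all unreachable is the
# "nonexistent ADAM instance" case described above and should be removed.
# Get-AdamScpEvents -InstanceName "instance1"
# Find-AdamScp -Keyword "{instance GUID}" |
#     ForEach-Object { $_.ServiceBindingInformation } |
#     ForEach-Object { Test-ScpBinding -Binding $_ }
```

A TCP connect only shows that something listens on the published port; if it succeeds but the log still reports SCP update failures, compare the bindings and partitions in the SCP with the running instance before editing the object by hand with the .ldf file the event points to.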