ADAM troubleshooting and frequently asked questions (FAQs)

Applies To: Windows Server 2003 R2

Troubleshooting and frequently asked questions (FAQs)

The installation or removal of Active Directory Application Mode (ADAM) fails to complete successfully.

If no screen message appears and ADAM setup fails to complete successfully, you can view the setup log at:

  • %windir%\Debug\adamsetup.log

If no screen message appears and ADAM removal fails to complete successfully, you can view the uninstall log at:

  • %windir%\Debug\adamuninstall.log

A directory-enabled application cannot find an ADAM instance.

Be sure to reference the correct communications port number (that is, 389 or 636) when specifying an ADAM instance.

The ADAM service will not start.

If the service account that is specified for ADAM is a workstation or a domain user account, make sure that the account possesses the Run as a service right.

In an attempt to connect to an ADAM instance using the ADAM Schema snap-in, the following error message appears: "The schema FSMO holder could not be found. Schema modifications can only be made on the schema FSMO holder."

You can only modify the schema on the ADAM instance that holds the schema master role. To determine the holder of the schema master role for a configuration set, see Identify or transfer the schema master role.

How do I set or modify the password of an ADAM user?

For information about modifying passwords, see Set or modify the password of an ADAM user.

I can't bind to an ADAM instance that runs on a computer running Windows XP Professional.

When the computer that runs ADAM is joined to a workgroup, you must set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest to 0. (The default is 1.) Otherwise, users connecting to ADAM over the network are forced to a security context of Guest, and binds to ADAM fail. For more information, see Enable binding to ADAM instances running on Windows XP Professional computers joined to a workgroup.

For information about other functional considerations when running ADAM on Windows XP Professional, see Running ADAM on Windows XP Professional.

I can't connect to an ADAM instance over an SSL connection.

To enable SSL connections, you must first install certificates on the computer running ADAM and on all client computers. For information about setting up and using certificate services, see "Certificate Services" on the Microsoft TechNet Web site.

On computers running Windows XP Professional that need to establish SSL connections to an ADAM instance, you must install the hotfix that is described in article 817583 on the Microsoft Knowledge Base Web site.

For information about other functional considerations when running ADAM on Windows XP Professional, see Running ADAM on Windows XP Professional.

I can't create an organizational unit (OU) in my application directory partition.

OUs can only be created under the following objects:

  • OU (ou=)

  • country/region (c=)

  • organization (o=)

  • domain (dc=)

For example, you can create an OU in an application partition named O=Microsoft,C=US, but you cannot create an OU in an application partition named l=Microsoft,C=US.
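The following Python is an added example, not code from Microsoft or the ADAM documentation. It applies the rule above to a candidate parent distinguished name (DN): an OU may be created only if the leftmost RDN of the parent is an ou=, c=, o= or dc= object. The DN splitting is a minimal RFC 4514-style split that honours backslash escapes and multi-valued RDNs; it does not talk to a directory.

```python
# Added example: pre-check whether an OU may be created under a parent DN in an
# ADAM application partition. Not Microsoft's code.

# Attribute types of the objects under which ADAM allows an OU to be created.
ALLOWED_OU_PARENT_TYPES = {"ou", "c", "o", "dc"}


def split_unescaped(text, separator):
    """Split `text` on `separator`, skipping separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == separator:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn_attribute_types(rdn):
    """Attribute type(s) of one RDN, lower-cased; a multi-valued RDN joins parts with '+'."""
    return [part.split("=", 1)[0].strip().lower() for part in split_unescaped(rdn, "+")]


def leading_rdn_types(dn):
    """Attribute types of the leftmost (leaf) RDN of a DN."""
    return rdn_attribute_types(split_unescaped(dn, ",")[0])


def can_create_ou_under(parent_dn):
    """True if an OU may be created directly under `parent_dn`."""
    types = leading_rdn_types(parent_dn)
    return bool(types) and all(t in ALLOWED_OU_PARENT_TYPES for t in types)


def check_candidates(parent_dns):
    """Map each candidate parent DN to whether an OU can be created under it."""
    return {dn: can_create_ou_under(dn) for dn in parent_dns}


if __name__ == "__main__":
    # Constructed candidates, including the two DNs named in the text above.
    candidates = ["O=Microsoft,C=US", "l=Microsoft,C=US", "CN=Users,DC=fabrikam,DC=com"]
    for dn, ok in check_candidates(candidates).items():
        print("%-40s -> %s" % (dn, "OU allowed" if ok else "OU not allowed"))
```

Running the check before issuing the LDAP add saves a round trip and gives a clearer error than the server's generic constraint violation.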

I can't locate the security IDs (SIDs) for an ADAM or Windows security principal.

You can retrieve an active user's individual and group SIDs by explicitly querying the tokenGroups attribute on the rootDSE.
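The values that the tokenGroups query returns are binary SIDs, so decoding them into the familiar S-1-... form is the practical next step. The following Python is an added example, not code from Microsoft or the ADAM documentation. It does not perform the LDAP query itself (any LDAP client that can read rootDSE attributes on the bound connection can); it works on constructed sample bytes that encode well-known Windows SIDs, and it includes a membership check of the kind an application would run against the decoded list.

```python
# Added example: decode binary SIDs as returned by tokenGroups on the rootDSE.
# Not Microsoft's code.
import struct

# Constructed sample of what a tokenGroups query could return for a bound Windows
# user: a list of binary SIDs. These are well-known SIDs chosen for illustration;
# an ADAM security principal would see the SIDs issued by its ADAM instance instead.
SAMPLE_TOKEN_GROUPS = [
    bytes.fromhex("010100000000000100000000"),          # S-1-1-0   (Everyone)
    bytes.fromhex("01010000000000050b000000"),          # S-1-5-11  (Authenticated Users)
    bytes.fromhex("01020000000000052000000020020000"),  # S-1-5-32-544 (Administrators)
]


def sid_bytes_to_string(data):
    """Convert a binary SID (revision, sub-authority count, 48-bit authority,
    little-endian 32-bit sub-authorities) to its S-R-A-S1-S2... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(data) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string, e.g. for building filters or comparing values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_token_groups(values):
    """Decode every binary SID returned for tokenGroups into string form."""
    return [sid_bytes_to_string(v) for v in values]


def is_member_of(token_groups, group_sid):
    """Authorization check: does the bound user's token carry `group_sid`?"""
    return sid_string_to_bytes(group_sid) in token_groups


if __name__ == "__main__":
    for sid in decode_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid)
    print("local Administrators:", is_member_of(SAMPLE_TOKEN_GROUPS, "S-1-5-32-544"))
```

Comparing the raw bytes (as is_member_of does) avoids case or formatting mistakes that creep in when SIDs are compared as strings.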

Do multivalued attributes in ADAM have a limit to the number of values that they can hold?

ADAM (as with Active Directory running at Windows Server 2003 forest functional level) places no limits on the number of linked attribute values that a multivalued attribute can hold. For nonlinked values, it is recommended that a multivalued attribute contain no more than 1,500 values.

For information about linked attributes, see "Linked Attributes" on the Microsoft MSDN Web site. For information about the member attribute as an example of a multivalued attribute in Active Directory, see "Enumerating Groups That Contain Many Members" on the Microsoft MSDN Web site.
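When an attribute holds more values than the server will return in one response, the technique the referenced MSDN article describes is incremental range retrieval: the client asks for attr;range=lo-hi, and the server answers with the chunk it returned, naming the final chunk attr;range=lo-*. The following Python is an added example, not code from Microsoft or the ADAM documentation. The retrieve_all_values function takes a caller-supplied search callable so it can sit on top of any LDAP library; the in-memory directory and fake_search function are constructed stand-ins for an ADAM instance that caps each reply at 1,500 values.

```python
# Added example: incremental range retrieval of a large multivalued attribute.
# Not Microsoft's code; FAKE_DIRECTORY and fake_search are constructed stand-ins.
import re

# Attribute description used by range retrieval, e.g. "member;range=0-1499"
# (a middle chunk) or "member;range=3000-*" (the server's final chunk).
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def retrieve_all_values(search, dn, attr, step=1500):
    """Fetch every value of `attr` on `dn` using range retrieval.

    `search(dn, requested_attr)` must behave like an LDAP search that returns the
    entry's attributes as a dict {returned_attribute_description: [values]}.
    """
    values, lo = [], 0
    while True:
        entry = search(dn, "%s;range=%d-%d" % (attr, lo, lo + step - 1))
        returned = None
        for name in entry:
            m = RANGE_RE.match(name)
            if m and m["attr"].lower() == attr.lower():
                returned = (name, m)
                break
        if returned is None:
            # Server ignored the range option, or the entry has no such attribute.
            return list(entry.get(attr, []))
        name, m = returned
        values.extend(entry[name])
        if m["hi"] == "*":
            return values            # final chunk received
        next_lo = int(m["hi"]) + 1
        if next_lo <= lo:
            raise RuntimeError("server did not advance the range: %s" % name)
        lo = next_lo


# Constructed in-memory directory: one group above the recommended 1,500-value
# mark for nonlinked attributes and one small group.
FAKE_DIRECTORY = {
    "CN=BigGroup,O=Microsoft,C=US": {
        "member": ["CN=user%d,O=Microsoft,C=US" % i for i in range(3200)]},
    "CN=SmallGroup,O=Microsoft,C=US": {
        "member": ["CN=user%d,O=Microsoft,C=US" % i for i in range(10)]},
}


def fake_search(dn, requested_attr, limit=1500):
    """Mimic a server that honours range requests but returns at most `limit` values."""
    entry = FAKE_DIRECTORY.get(dn, {})
    m = RANGE_RE.match(requested_attr)
    if not m:
        return {requested_attr: list(entry.get(requested_attr, []))}
    attr, all_values, lo = m["attr"], entry.get(m["attr"], []), int(m["lo"])
    if not all_values:
        return {}
    hi = len(all_values) - 1 if m["hi"] == "*" else int(m["hi"])
    hi = min(hi, lo + limit - 1, len(all_values) - 1)
    last = hi >= len(all_values) - 1
    return {"%s;range=%d-%s" % (attr, lo, "*" if last else hi): all_values[lo:hi + 1]}


if __name__ == "__main__":
    members = retrieve_all_values(fake_search, "CN=BigGroup,O=Microsoft,C=US", "member")
    print("retrieved %d members" % len(members))
```

The loop trusts the upper bound the server reports rather than the one the client asked for, which is what makes it correct against a server that silently returns fewer values per chunk than requested.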

How can ADAM be configured to support anonymous LDAP binds?

ADAM does not accept anonymous bind requests by default. To enable anonymous LDAP operations in ADAM, you must set the seventh character of the dsHeuristics value to 2.

You can find the dsHeuristics attribute on the Directory Service object in the configuration directory partition (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}).

Modify the attribute to the following value:

0000002001000

In addition, assign permissions so that anonymous users have access to the appropriate objects in the directory. To grant the Read permission on all objects in a given directory partition to anonymous users, you can simply add the built-in security principal Anonymous (from the local computer) to the Readers group on that directory partition.
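Because dsHeuristics is a positional string, reading or changing one character by hand is error-prone, and an audit of an ADAM instance should be able to tell from the stored value whether anonymous binds are on. The following Python is an added example, not code from Microsoft or the ADAM documentation. It computes the new attribute value (the caller still reads and writes it on the Directory Service object named above with an LDAP client) and checks an existing value. It relies on one property of dsHeuristics that this page does not state: every tenth character (positions 10, 20, ...) is reserved as a fixed check digit equal to its tenth-place number, which is why the page's value has a 1 in position 10.

```python
# Added example: audit and compute dsHeuristics values for anonymous LDAP binds.
# Not Microsoft's code.

# 1-based character position that controls anonymous operations, per the text above.
ANONYMOUS_BIND_POSITION = 7
ANONYMOUS_BIND_ENABLED_CHAR = "2"


def get_heuristic(value, position):
    """Character at a 1-based position; a value too short to reach it means '0'."""
    return value[position - 1] if len(value) >= position else "0"


def anonymous_binds_enabled(ds_heuristics):
    """Audit check: True when the seventh character is 2."""
    return get_heuristic(ds_heuristics, ANONYMOUS_BIND_POSITION) == ANONYMOUS_BIND_ENABLED_CHAR


def set_heuristic(value, position, char):
    """Return `value` with the 1-based `position` set to `char`, padding with zeros.

    Positions 10, 20, ... are reserved check digits (1, 2, ...); this is a
    documented property of the attribute rather than something stated on the page.
    """
    if len(char) != 1:
        raise ValueError("exactly one character expected")
    chars = list(value.ljust(position, "0"))
    chars[position - 1] = char
    for p in range(10, len(chars) + 1, 10):
        chars[p - 1] = str(p // 10)
    return "".join(chars)


def enable_anonymous_binds(value):
    """New dsHeuristics value with anonymous operations enabled."""
    return set_heuristic(value, ANONYMOUS_BIND_POSITION, ANONYMOUS_BIND_ENABLED_CHAR)


def disable_anonymous_binds(value):
    """New dsHeuristics value with anonymous operations back at the default."""
    return set_heuristic(value, ANONYMOUS_BIND_POSITION, "0")


if __name__ == "__main__":
    # Constructed current values: an unset attribute and the value given on the page.
    for current in ("", "0000002001000"):
        print("%-15r enabled=%-5s enable->%r disable->%r" % (
            current, anonymous_binds_enabled(current),
            enable_anonymous_binds(current), disable_anonymous_binds(current)))
```

Reading the attribute back after the write and running anonymous_binds_enabled on it is the simplest confirmation that the change took effect; the separate permission grant to the Anonymous principal is still required for anonymous clients to actually read anything.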