Administering an ADAM instance

Applies To: Windows Server 2003 R2


Each ADAM instance runs as an independent, separately administered service on a computer. You can configure the account under which an ADAM instance runs, stop and restart an ADAM instance, and change the ADAM instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in ADAM by installing certificates. In Active Directory environments, each ADAM instance attempts to register a service principal name (SPN) in the directory on the account object that corresponds to the service account under which the ADAM instance is running (or, when the ADAM instance runs as the Network Service account, on the computer object that corresponds to the computer on which the ADAM instance is running). This SPN is used for replication authentication. Depending on the network environment into which you install ADAM, you may have to create SPNs manually.

For information about tasks related to ADAM instances, see Manage an ADAM Instance. For information about SPNs, see Administering ADAM service principal names.

ADAM service account

The service account that is used by an ADAM instance determines the access that the ADAM instance has on the local computer and on other computers in the network. ADAM instances also use the service account to authenticate other ADAM instances in their configuration set, to ensure replication security. You determine the ADAM service account during ADAM installation. For information about ADAM service account requirements, see Selecting an ADAM service account.

To modify the ADAM service account for an ADAM instance, use the change service account command of the Dsdbutil command-line tool. For more information, see Dsdbutil.

In addition, you may need to assign the Log on as a service right to the account that you specify as the ADAM service account. For more information, see Add the Log on as a service right to an account.

To enable auditing for an ADAM instance for which the service account is something other than the Network Service account, you must assign the Generate security audits right to the ADAM service account.

ADAM instance name

During setup, you assign a name to the ADAM instance, which is used in the creation of the file directory structure and registry keys for ADAM. In addition, the name that you assign is used to create the service name, service display name, and service description, as shown in the example in the following table.

Name supplied during setup    Service name      Service display name    Service description
instance1                     ADAM_instance1    instance1               Blank (No default description provided.)

The name that you specify for an ADAM instance during setup must meet the following requirements:

  • It must be unique with respect to other ADAM instances running on the same computer.

  • It must be no longer than 44 characters.

  • It must use characters only from the ranges of a through z, A through Z, or 0 through 9.

  • The name "ntds" cannot be used.

The service display name appears in Add or Remove Programs and in the Services snap-in. The service description appears in the Services snap-in. You can modify the service display name and the service description at any time after installation.

For information about modifying the service display name, see View or modify the service display name of an ADAM instance. For information about modifying the service description, see View or modify the service description of an ADAM instance.

Starting and stopping an ADAM instance

The service for an ADAM instance can be stopped and restarted independently, without restarting the computer on which ADAM is running. In addition, the service for an ADAM instance can be configured to start either automatically or manually, and it can also be disabled.

For information about stopping and starting ADAM, see Start, stop, pause, resume, or restart an ADAM instance. For information about assigning the Log on as a service right, see Add the Log on as a service right to an account.

Note

When you run ADAM on a computer running Windows XP Professional, you may need to wait up to two minutes after stopping an ADAM instance before restarting the instance. ADAM requires this time to close any existing connections.

Event logs and auditing

Each ADAM instance running on a computer writes events to a separate event log. The ADAM event log, which has a display name that matches the name of the ADAM instance, can be viewed in Event Viewer.

To enable auditing for an ADAM instance running under a service account other than the Network Service account, you must grant the Generate security audits right to the ADAM service account.

To enable replication auditing for an ADAM instance, you must modify the registry key:

HKLM\System\CurrentControlSet\Services\instance_name\Parameters

where instance_name represents the name of the ADAM instance on which you want to audit replication. The following table describes the values in the registry key that control replication auditing. To enable replication auditing, set one or both of the values to 1.

Registry key value              Data type    Meaning
Audit Access in Replication     DWORD        Provides a summary of the replication operations that are occurring.
Audit Objects in Replication    DWORD        Audits the changes to individual objects and attributes.
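The following PowerShell function is an added example, not part of the original page, that enables replication auditing for one instance by setting the two DWORD values from the table above. It assumes the registry path exactly as given above (with instance_name replaced by the instance name), that the instance's service is named ADAM_<instance name> as in the instance-name table, and that the service account must hold the Generate security audits right unless it is Network Service.

```powershell
# Added example (not from the original page): enable ADAM replication auditing
# for one instance. Assumes the registry path as documented on the page and the
# service name ADAM_<instance name>.
function Enable-AdamReplicationAuditing {
    param(
        [Parameter(Mandatory = $true)] [string] $InstanceName,
        [switch] $AuditAccess,   # "Audit Access in Replication": summary of replication operations
        [switch] $AuditObjects   # "Audit Objects in Replication": per-object and per-attribute changes
    )

    # The instance's service is ADAM_<instance name>; fail early if it does not exist.
    $service = Get-Service -Name "ADAM_$InstanceName" -ErrorAction Stop

    # Registry key from the page, with instance_name substituted (assumption: key exists as given).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key (check the instance name)"
    }

    # Set one or both values to 1 to enable the corresponding auditing.
    if ($AuditAccess) {
        Set-ItemProperty -Path $key -Name 'Audit Access in Replication' -Value 1 -Type DWord
    }
    if ($AuditObjects) {
        Set-ItemProperty -Path $key -Name 'Audit Objects in Replication' -Value 1 -Type DWord
    }

    # Audit events are only written if the service account can generate security audits;
    # Network Service already holds that right, any other account must be granted it.
    $account = (Get-WmiObject Win32_Service -Filter "Name='$($service.Name)'").StartName
    if ($account -ne 'NT AUTHORITY\NetworkService') {
        Write-Warning "Service account '$account' must hold the 'Generate security audits' right."
    }

    # Read the values back so the caller can confirm the change.
    Get-ItemProperty -Path $key |
        Select-Object 'Audit Access in Replication', 'Audit Objects in Replication'
}

# Usage: enable both kinds of replication auditing for the instance named instance1.
Enable-AdamReplicationAuditing -InstanceName 'instance1' -AuditAccess -AuditObjects
```

The page does not state whether a running instance re-reads these values; restarting the instance (Restart-Service ADAM_instance1) is the safe way to apply them.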

Note

ADAM also creates setup and uninstall logs in the %systemroot%\debug directory. These log files are called Adamsetup.log and Adamuninstall.log.

Using certificates with ADAM

To enable Secure Sockets Layer (SSL) connections to ADAM, you must have certificates installed on the computer running ADAM and also on the clients connecting to ADAM. You can obtain certificates from a trusted certification authority (CA). Or, for internal use, you can issue certificates from your own internal CA, by installing and using certificate services on Windows 2000 Server or Windows Server 2003.

For information about setting up and using certificate services, see "Certificate Services" on the Microsoft TechNet Web site.

In addition, on computers running Windows XP Professional that need to establish SSL connections to an ADAM instance, you must install the hotfix described in article 817583 on the Microsoft Knowledge Base Web site.

Note

When using certificates with ADAM, you must assign the ADAM service account read access to the certificates that are installed on the computer where the ADAM instance is running. The certificate store is located in the following directory: Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
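The following PowerShell function is an added example, not part of the original page, that grants an ADAM service account read access to the private-key file of a single certificate rather than to the whole MachineKeys directory. It assumes the MachineKeys path given above (under the All Users profile), that the server certificate is in the computer's Personal store, and that the .NET CspKeyContainerInfo.UniqueKeyContainerName property names the key file; the account name DOMAIN\svc-adam is a hypothetical placeholder.

```powershell
# Added example (not from the original page): give the ADAM service account Read
# on the key file of one certificate in the MachineKeys store named on the page.
function Grant-AdamCertificateKeyRead {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,     # certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory = $true)] [string] $ServiceAccount  # e.g. 'DOMAIN\svc-adam' (hypothetical)
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # Machine-store RSA keys are files in MachineKeys; the file name is the unique container name.
    # $env:ALLUSERSPROFILE is "Documents and Settings\All Users" on Windows Server 2003.
    $keyDir  = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

    # Grant Read only on this key file, not on the whole MachineKeys folder (least privilege).
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting access entry so the change can be verified.
    (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage: $Thumbprint is the thumbprint of the ADAM server certificate (placeholder value).
Grant-AdamCertificateKeyRead -Thumbprint '<thumbprint of the ADAM server certificate>' `
                             -ServiceAccount 'DOMAIN\svc-adam'
```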