Administering ADAM service principal names
Applies To: Windows Server 2003 R2
Administering ADAM service principal names
When they run in an Active Directory domain or forest, Active Directory Application Mode (ADAM) instances attempt to register service principal names (SPNs) in Active Directory for use in Kerberos authentication during replication. Each ADAM instance—the first time that the instance starts—attempts to register values to the Service-Principal-Name attribute on the account object that represents the service account in use by the ADAM instance. Or, if the ADAM instance uses the Network Service account as the ADAM service account, the ADAM instance attempts to register values to the Service-Principal-Name attribute on the computer object that represents the computer on which the ADAM instance is running. The values that the ADAM instance attempts to register include the following:
In addition, if the ADAM instance uses a reserved communications port (LDAP_PORT, LDAP_GC_PORT, LDAP_SSL_PORT, or LDAP_SSL_GC_PORT), the instance attempts the following SPN registrations:
Wldap32.dll does not use a port-formatted SPN to establish a connection to an ADAM instance using a reserved port. For example, if ADAM instance1 on machine1 uses port 3268 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine1. However, if ADAM instance2 on machine2 uses port 1026 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine2:1026.
When multiple ADAM instances are running on a single computer, and two or more of the instances each use a reserved port, those ADAM instances must run under the same ADAM service account for the SPNs to be registered correctly.
SPN registration attempts occur in the security context of the ADAM service account. If the ADAM service account that you specify is not the Network Service account, or if it is a domain user account that does not belong to the Domain Administrators group, this SPN registration fails. ADAM reports this failure as event ID 2516 in the event log for the ADAM instance. If this failure occurs, ADAM setup also reports event ID 2535, which describes how to register the SPNs for ADAM manually.
To register SPNs for ADAM manually in Active Directory, use the dnsdomainname.bat script file that ADAM setup creates in the data directory of the ADAM instance (Program Files\Microsoft ADAM\instancename\data), where dnsdomainname represents the name of the DNS domain in which the ADAM instance resides.
The *.bat file shows up in the directory about one minute after ADAM installation completes.
The *.bat file contains repadmin /writespn commands, similar to the following:
repadmin.exe /writespn hostname.microsoft.com ADD "CN=adam,CN=Users,DC=microsoft,DC=com" E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/netbioshostname:389 repadmin.exe /writespn hostname.microsoft.com ADD "CN=adam,CN=Users,DC=microsoft,DC=com" E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/dnshostname:389 repadmin.exe /writespn hostname.microsoft.com ADD "CN=adam,CN=Users,DC=microsoft,DC=com" ldap/netbioshostname:389 repadmin.exe /writespn hostname.microsoft.com ADD "CN=adam,CN=Users,DC=microsoft,DC=com" ldap/dnshostname:389
This script registers the appropriate SPNs in Active Directory, and it must be run by a member of the Domain Administrators group in the domain.
When SPNs for ADAM instances in a configuration are registered in Active Directory, ADAM replication authentication uses Kerberos. Otherwise, ADAM uses negotiated replication authentication. For more information about replication authentication, see Understanding ADAM replication and configuration sets.
Removing ADAM SPNs from Active Directory
When you remove an ADAM instance, make sure that its associated SPNs are also removed from Active Directory. These SPNs reside on the computer object of the computer where the ADAM instance is installed (if the Network Service account is specified for the ADAM service account) or on the domain user object (if a domain user account is specified for the ADAM service account).
Forcing the use of SPNs in an Active Directory environment
To force the use of SPNs and Kerberos for replication authentication in a a configuration set, you can modify the replication security level of the configuration set to equal 2. For more information, see Modify the replication security level of a configuration set.
If you set replication security level equal to 2, and SPNs are not registered or properly configured, replication will fail.