Administering AD LDS Service Principal Names
Applies To: Windows Server 2008
When they run in an Active Directory domain or forest, Active Directory Lightweight Directory Services (AD LDS) instances attempt to register service principal names (SPNs) in Active Directory Domain Services (AD DS) for use in Kerberos authentication during replication. Each AD LDS instance — the first time that the instance starts — attempts to register values to the Service-Principal-Name attribute on the account object that represents the service account in use by the AD LDS instance. Or, if the AD LDS instance uses the Network Service account as the AD LDS service account, the AD LDS instance attempts to register values to the Service-Principal-Name attribute on the computer object that represents the computer on which the AD LDS instance is running. The values that the AD LDS instance attempts to register include the following:
E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS\netbiosname:port
E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS\dnshostname:port
Ldap\netbiosname:port
Ldap\dnshostname:port
In addition, if the AD LDS instance uses a reserved communications port (LDAP_PORT, LDAP_GC_PORT, LDAP_SSL_PORT, or LDAP_SSL_GC_PORT), the instance attempts the following SPN registrations:
Ldap\netbiosname
Ldap\dnshostname
Wldap32.dll does not use a port-formatted SPN to establish a connection to an AD LDS instance by using a reserved port. For example, if AD LDS instance1 on machine1 uses port 3268 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine1. However, if AD LDS instance2 on machine2 uses port 1026 for LDAP, the SPN that Wldap32.dll creates for the connection is ldap\machine2:1026.
Note
When multiple AD LDS instances that are running on a single computer, and two or more of the instances each use a reserved port, those AD LDS instances must run under the same AD LDS service account for the SPNs to be registered correctly.
SPN registration attempts occur in the security context of the AD LDS service account. If the AD LDS service account that you specify is not the Network Service account, or if it is a domain user account that does not belong to the Domain Admins group, this SPN registration fails. AD LDS reports this failure as event ID 2516 in the event log for the AD LDS instance. If the SPN registration fails, a dnsdomainname.bat script is created in the data directory of the AD LDS instance (Program Files\Microsoft AD LDS\instancename\data), where dnsdomainname represents the name of the DNS domain in which the AD LDS instance resides. You can use this script to manually register SPNs for AD LDS in AD DS.
The *.bat file contains repadmin /writespn commands, similar to the following:
repadmin.exe /writespn hostname.microsoft.com
ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com"
E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS/netbioshostname:389
repadmin.exe /writespn hostname.microsoft.com
ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com"
E3514235-4B06-11D1-AB04-00C04FC2DCD2-AD LDS/dnshostname:389
repadmin.exe /writespn hostname.microsoft.com
ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" ldap/netbioshostname:389
repadmin.exe /writespn hostname.microsoft.com
ADD "CN=AD LDS,CN=Users,DC=microsoft,DC=com" ldap/dnshostname:389
This script registers the appropriate SPNs in AD DS, and it must be run by a member of the Domain Admins group in the domain.
Note
When SPNs for AD LDS instances in a configuration set are registered in AD DS, AD LDS replication authentication uses Kerberos. Otherwise, AD LDS uses negotiated replication authentication. For more information about replication authentication, see Introduction to Administering AD LDS Replication and Configuration Sets.
Removing AD LDS SPNs from AD DS
When you remove an AD LDS instance, make sure that its associated SPNs are also removed from AD DS. These SPNs reside on the computer object of the computer where the AD LDS instance is installed (if the Network Service account is specified for the AD LDS service account) or on the domain user object (if a domain user account is specified for the AD LDS service account).
Forcing the use of SPNs in an Active Directory environment
To force the use of SPNs and Kerberos for replication authentication in a configuration set, you can modify the replication security level of the configuration set to equal two (2). For more information, see Modify the Replication Security Level of a Configuration Set.
Warning
If you set replication security level equal to two (2), and SPNs are not registered or properly configured, replication will fail.