Assume that the service account that's running the Active Directory Lightweight Directory Services (AD LDS) instance in Windows Server 2012 R2 is not the built-in Network Service account or any other user account that has local administrator rights. In this situation, the following event may be written to the ADAM log:
Log Name: ADAM (InstanceName)
Source: ADAM [InstanceName] General
Date: Date
Event ID: 1168
Task Category: Internal Processing
Level: Error
Keywords: Classic
User: UserName
Computer: ComputerName
Description: Internal error: An Active Directory Lightweight Directory Services error has occurred.
Additional Data
Error value (decimal): -1073741790
Error value (hex): c0000022
Internal ID: 3000715
This ADAM event is logged because AD LDS has to respond to auditing policy changes and tries to register for a notification through a call to LSA. The event reports the failure of this subscription call when the service account is neither Network Service nor a local admin account. In this situation, the account has no POLICY_NOTIFICATION rights. Despite this failure, AD LDS should work as expected. However, AD LDS requires a service restart to respond to auditing policy changes.
Note: If the event stops appearing as soon as you change the service account to a local admin user account and restart the service, you're probably experiencing the issue that's described in the "Symptoms" section.
Local admin users have POLICY_NOTIFICATION rights. Additionally, LSA explicitly grants NetworkService/LocalService the same rights. Therefore, when LDS runs under a local admin user account or the NetworkService/LocalService account, this issue does not occur.
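The following triage check is an added example, not code from the original article or from Microsoft. It matches an exported event against the signature shown above (Event ID 1168, error c0000022, Internal ID 3000715), confirms that the signed decimal and hex error values are the same NTSTATUS code, and then applies the account rule from the explanation. The function names, the result labels, and the service_account / is_local_admin inputs are assumptions, and the sample event is constructed from the placeholder text above.

```python
import re

# Signature of the event shown on this page.
EVENT_ID, INTERNAL_ID = 1168, "3000715"
STATUS_ACCESS_DENIED = 0xC0000022  # NTSTATUS behind "Error value (hex): c0000022"
# Built-in accounts the page says LSA grants POLICY_NOTIFICATION rights to.
EXEMPT_ACCOUNTS = {"networkservice", "localservice"}

# Constructed sample: the page's event text with its placeholders left in.
SAMPLE = """Log Name: ADAM (InstanceName)
Event ID: 1168
Level: Error
Description: Internal error: An Active Directory Lightweight Directory Services error has occurred.
Additional Data
Error value (decimal): -1073741790
Error value (hex): c0000022
Internal ID: 3000715"""

def ntstatus_from_decimal(value):
    """The event prints NTSTATUS as a signed 32-bit integer; recover the unsigned code."""
    return value & 0xFFFFFFFF

def parse_event(text):
    """Extract the triage fields from the event's text rendering (None if absent)."""
    def grab(pattern):
        m = re.search(pattern, text, re.IGNORECASE)
        return m.group(1).lower() if m else None
    return {
        "event_id": grab(r"Event ID:\s*(\d+)"),
        "decimal": grab(r"Error value \(decimal\):\s*(-?\d+)"),
        "hex": grab(r"Error value \(hex\):\s*([0-9a-f]+)"),
        "internal_id": grab(r"Internal ID:\s*([0-9a-f]+)"),
    }

def classify(text, service_account, is_local_admin):
    """service_account and is_local_admin are caller-supplied (hypothetical inputs)."""
    f = parse_event(text)
    if None in f.values() or int(f["event_id"]) != EVENT_ID or f["internal_id"] != INTERNAL_ID:
        return "different-event"
    if ntstatus_from_decimal(int(f["decimal"])) != int(f["hex"], 16):
        return "inconsistent-fields"
    if int(f["hex"], 16) != STATUS_ACCESS_DENIED:
        return "different-event"
    name = service_account.split("\\")[-1].replace(" ", "").lower()
    if is_local_admin or name in EXEMPT_ACCOUNTS:
        return "unexplained"  # the page says the issue does not occur for these accounts
    return "expected-policy-notification-failure"
```

An "unexplained" result means the event matched the signature even though the account should hold POLICY_NOTIFICATION rights, so the cause described here does not account for it.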