AD LDS service start fails with error "setup could not start the service..." + error code 8007041d
Windows Server 2008 R2After you start AD LDS service for a particular instance, you may receive the following warning message in the event logs. If your AD LDS instance uses UDP for communication, this issue will block LDAP traffic over UDP on the port that is listed in the event message. However, unlike in Windows Server 2008, this issue will not prevent the service from starting, and LDAP traffic over TCP will still flow through this port.
Event ID: 2920
Active Directory Lightweight Directory Services was unable to open a UDP port for exclusive use. This can be caused by the UDP port being reserved by another service. For information on how to reserve a port for Active Directory Lightweight Directory Services use, please refer to KB Article 959215 at http://go.microsoft.com/fwlink/?LinkId=145140.
Port number:<The number of the port for which the conflict exists>
Error Value:10013 An attempt was made to access a socket in a way forbidden by its access permissions.
IP Address:<The IP address of the interface that is affected by the port conflict>
Windows Server 2008After you successfully install AD LDS, you may be unable to start the service, and an error message may be displayed. You may also receive following error message in the event logs:
Event ID: 1238
Source: ADAM [<instance name>] LDAP
Internal error: Active Directory Lightweight Directory Services was unable to initialize network connections for incoming LDAP requests.
Error value: 10013 An attempt was made to access a socket in a way forbidden by its access permissions.
By default, after security update 951746 is installed, the DNS server randomly allocates 2,500 UDP ports in the ephemeral port range. A conflict may occur if one of these randomly allocated ports is a port that an AD LDS instance has to use.
Because these ports are randomly allocated, these failures can be intermittent and are likely to occur in the following scenarios:
- Windows Server 2008 and Windows Server 2008 R2: The AD LDS service is stopped during the installation of a DNS server that has security update 951746 installed or during the installation of the update itself, and then a restart of the AD LDS service is tried. As long as the AD LDS service is in a stopped state, the DNS service can randomly allocate ports that the instances are using.
- Windows Server 2008 and Windows Server 2008 R2: AD LDS and DNS server that has security update 951746 installed are running on a server that is restarted. As the system restarts, the DNS service will start before AD LDS instance services, and the DNS service might allocate ports that AD LDS instances are using.
- Windows Server 2008 only: An AD LDS instance is installed after security update 951746 is installed, and the AD LDS instance tries to use a port that was randomly allocated by DNS. The service startup fails and logs an error message in the event logs.
Unlike Windows Server 2008, in Windows Server 2008 R2, if the port that was selected for a new AD LDS instance is not available for use (And this includes the case in which DNS allocates the port), AD LDS setup prevents the user from using the port and blocks the user from proceeding with installation. In this scenario, the user receives the following error message:The LDAP port you have chosen is in use. Type the number of an unused LDAP port.
- Find the LDAP and SSL ports that are being used by the AD LDS instances. Because, the port failures can affect all AD LDS instances intermittently, we recommend that users reserve all ports that are used by every AD LDS instance, not just those instances that are currently experiencing a failure, to avoid future failures. To do this, follow these steps:
- Open a command prompt, type the following command, and then press ENTER: dsdbutil
- At the dsdbutil prompt, type the following command, and then press ENTER:list instancesNote: The list instances command will display the values of the LDAP and SSL ports that are used by the instances that are installed on the computer.
- Open a command prompt, type the following command, and then press ENTER:
- Reserve the two UDP ports that you noted in step 1.
For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
- After you reserve the ports, restart the computer.
Microsoft has confirmed that this is a problem in the Active Directory Lightweight Directory Services.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
In Windows Server 2008 R2, AD LDS installation will recognize ports that are unavailable (And this includes those ports that DNS allocates), and the AD LDS installation will auto fill appropriate ports that are currently not being used. The AD LDS installation will not let you choose a port that is taken by another service for an AD LDS instance.
Multiple instances of AD LDS (ADAM) can be installed on one computer. Therefore, if you have more than 2 AD LDS instances on your computer, you will be covering more ports than the defaults (389, 636 and 50000, 50001).
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
Article ID: 959215 - Last Review: 05/06/2009 22:40:52 - Revision: 2.0
- kbnomt kbrapidpub KB959215