RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Windows Server 2008 R2
After you start AD LDS service for a particular instance, you may receive the following warning message in the event logs. If your AD LDS instance uses UDP for communication, this issue will block LDAP traffic over UDP on the port that is listed in the event message. However, unlike in Windows Server 2008, this issue will not prevent the service from starting, and LDAP traffic over TCP will still flow through this port.
Event ID: 2920
Source: ActiveDirectory_DomainService
Active Directory Lightweight Directory Services was unable to open a UDP port for exclusive use. This can be caused by the UDP port being reserved by another service. For information on how to reserve a port for Active Directory Lightweight Directory Services use, please refer to KB Article 959215 at http://go.microsoft.com/fwlink/?LinkId=145140.
Additional Data:
Port number: <The number of the port for which the conflict exists>
Error Value: 10013 An attempt was made to access a socket in a way forbidden by its access permissions.
IP Address: <The IP address of the interface that is affected by the port conflict>
Windows Server 2008
After you successfully install AD LDS, you may be unable to start the service, and an error message may be displayed. You may also receive the following error message in the event logs:
Event ID: 1238
Source: ADAM [<instance name>] LDAP
Internal error: Active Directory Lightweight Directory Services was unable to initialize network connections for incoming LDAP requests.
Additional Data
Error value: 10013 An attempt was made to access a socket in a way forbidden by its access permissions.
This issue occurs after security update 951746 is installed on Windows Server 2008 R2-based and Windows Server 2008-based computers, because the update changes the DNS server's method of port allocation, and this change can prevent AD LDS from obtaining the port that it requires to function correctly.
By default, after security update 951746 is installed, the DNS server randomly allocates 2,500 UDP ports in the ephemeral port range. A conflict may occur if one of these randomly allocated ports is a port that an AD LDS instance has to use.
Because these ports are randomly allocated, these failures can be intermittent and are likely to occur in the following scenarios:
Windows Server 2008 and Windows Server 2008 R2: The AD LDS service is stopped during the installation of a DNS server that has security update 951746 installed, or during the installation of the update itself, and a restart of the AD LDS service is then attempted. As long as the AD LDS service is in a stopped state, the DNS service can randomly allocate the ports that the instances are using.
Windows Server 2008 and Windows Server 2008 R2: AD LDS and a DNS server that has security update 951746 installed are running on a server that is restarted. As the system restarts, the DNS service starts before the AD LDS instance services, and the DNS service might allocate ports that the AD LDS instances are using.
Windows Server 2008 only: An AD LDS instance is installed after security update 951746 is installed, and the AD LDS instance tries to use a port that was randomly allocated by DNS. The service startup fails and logs an error message in the event logs.
Unlike Windows Server 2008, Windows Server 2008 R2 AD LDS setup checks whether the port that was selected for a new AD LDS instance is available. If the port is not available (and this includes the case in which DNS has allocated the port), setup prevents the user from using that port and blocks the user from proceeding with the installation. In this scenario, the user receives the following error message:
The LDAP port you have chosen is in use. Type the number of an unused LDAP port.
For Windows Server 2008 and Windows Server 2008 R2, if DNS service is installed after an AD LDS instance was installed, and the AD LDS service is running, DNS will not grab ports that are currently being used.
To work around this issue for Windows Server 2008 R2 and for Windows Server 2008, follow these steps:
Find the LDAP and SSL ports that are being used by the AD LDS instances. Because the port failures can affect all AD LDS instances intermittently, we recommend that you reserve the ports that are used by every AD LDS instance, not just those instances that are currently experiencing a failure, to avoid future failures. To do this, follow these steps:
Open a command prompt, type dsdbutil, and then press ENTER.
At the dsdbutil prompt, type list instances, and then press ENTER.
Note: The list instances command displays the values of the LDAP and SSL ports that are used by the instances that are installed on the computer.
Reserve the two UDP ports that you noted in step 1.
For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:
812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
After you reserve the ports, restart the computer.
This procedure prevents the DNS server from taking ports that the AD LDS instances need in order to function, and so avoids port conflicts between the DNS and AD LDS services.
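The steps above can be scripted so that every instance's LDAP and SSL port is reserved in one pass. The following PowerShell script is an added example and is not part of the Knowledge Base article or Microsoft's own tooling. It assumes that dsdbutil accepts its commands as arguments and prints one "LDAP Port:" and one "SSL Port:" line per instance (the label text is an assumption about the output format), and it writes to the ReservedPorts multi-string value under Tcpip\Parameters that KB 812873 describes. Run it from an elevated prompt; as the article states, the reservation takes effect only after the computer is restarted.

```powershell
# Added example (not from the KB article): reserve the UDP/TCP ports used by every
# AD LDS instance so that the DNS server's random ephemeral-port allocation cannot take them.
# Assumptions: dsdbutil.exe runs non-interactively with "list instances" and "quit" as
# arguments and prints "LDAP Port:" / "SSL Port:" lines; the script runs elevated.

$reservedPortsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-AdLdsInstancePorts {
    # Parse the LDAP and SSL port numbers out of the "list instances" output.
    $output = & dsdbutil.exe 'list instances' 'quit' 2>&1
    $ports = @()
    foreach ($line in $output) {
        if ("$line" -match '^\s*(LDAP|SSL) Port:\s*(\d+)\s*$') {
            $ports += [int]$Matches[2]
        }
    }
    return @($ports | Sort-Object -Unique)
}

function Get-ReservedPortRanges {
    # Existing reservations are stored as "low-high" strings in a REG_MULTI_SZ value.
    $item = Get-ItemProperty -Path $reservedPortsPath -Name ReservedPorts -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.ReservedPorts | Where-Object { $_ -match '^\d+-\d+$' })
}

function Test-PortReserved {
    param([int]$Port, [string[]]$Ranges)
    foreach ($range in $Ranges) {
        $bounds = $range -split '-'
        if ($Port -ge [int]$bounds[0] -and $Port -le [int]$bounds[1]) { return $true }
    }
    return $false
}

function Add-AdLdsPortReservations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $ports = Get-AdLdsInstancePorts
    if ($ports.Count -eq 0) { Write-Warning 'No AD LDS instances were reported by dsdbutil.'; return }
    $ranges = Get-ReservedPortRanges
    $new = @()
    foreach ($p in $ports) {
        if (Test-PortReserved -Port $p -Ranges $ranges) {
            Write-Verbose "Port $p is already covered by an existing reservation."
        } else {
            # A single port is expressed as a range whose low and high bound are equal.
            $new += "$p-$p"
        }
    }
    if ($new.Count -eq 0) { Write-Host 'All AD LDS ports are already reserved.'; return }
    $updated = [string[]]@($ranges + $new)
    if ($PSCmdlet.ShouldProcess($reservedPortsPath, "Set ReservedPorts to: $($updated -join ', ')")) {
        Set-ItemProperty -Path $reservedPortsPath -Name ReservedPorts -Value $updated -Type MultiString
        Write-Host "Added reservations: $($new -join ', '). Restart the computer for them to take effect."
    }
}

# Preview with -WhatIf first, then run without it to write the value.
Add-AdLdsPortReservations -Verbose -WhatIf
Add-AdLdsPortReservations -Verbose
```

The script only appends to ReservedPorts and never removes existing entries, so reservations made for other services are preserved; the -WhatIf call shows the exact value that would be written before any change is made.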
Microsoft has confirmed that this is a problem in the Active Directory Lightweight Directory Services.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
If the Active Directory domain controller role is not installed on a computer, ADAM setup auto-fills the LDAP and SSL port fields with the values 389 and 636, respectively. If the Active Directory domain controller role is installed, ADAM setup auto-fills the LDAP and SSL port fields with 50000 for LDAP and 50001 for SSL. Because the MS08-037 version of the DNS server grabs 2,500 ports in the high-port range and typically starts before the AD LDS service starts, in Windows Server 2008 the AD LDS installation does not prevent you from using these ports, and the AD LDS service then fails to start.
In Windows Server 2008 R2, the AD LDS installation recognizes ports that are unavailable (and this includes the ports that DNS allocates), and it auto-fills the port fields with appropriate ports that are not currently in use. The AD LDS installation does not let you choose a port that is taken by another service for an AD LDS instance.
Multiple instances of AD LDS (ADAM) can be installed on one computer. Therefore, if you have more than two AD LDS instances on your computer, you will have to reserve more ports than the defaults (389, 636 and 50000, 50001).
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.