EventID : 2537
MachineName : <SERVER FQDN>
Data : {}
Index : 978
Category : Internal Processing
CategoryNumber : 9
EntryType : Warning
Message : The directory server has failed to create the AD LDS serviceConnectionPoint object in Active
Directory Lightweight Directory Services.
This operation will be retried.
Additional Data
SCP object DN:
CN={<UUID>},CN=<SERVER>,CN=Computers,DC=<DOMAIN>,DC=<DOMAINEXT>
Error value:
5 Access is denied.
Server error:
00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Internal ID:
33903ab
AD LDS service account:
<ACCOUNT RUNNING AD LDS>
User Action
If AD LDS is running under a local service account, it will be unable to update the data in
Active Directory Lightweight Directory Services.
Consider changing the AD LDS service account to either NetworkService or a domain account.
If AD LDS is running under a domain user account, make sure this account has sufficient rights to
create the serviceConnectionPoint object.
Release : 12.8.03
Component : SITEMINDER -POLICY SERVER
This is a permissions issue.
The following part of the error shows that AD LDS is running as <ACCOUNT RUNNING AD LDS>:
AD LDS service account:
<ACCOUNT RUNNING AD LDS>
Also note this message from the same event:
"If AD LDS is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object."
Is <ACCOUNT RUNNING AD LDS> a domain account? Does it have sufficient rights to create the serviceConnectionPoint object? If not, grant the account these rights.
If it is not a domain account, see the other part of the User Action text:
"If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account."
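One way to answer both questions on the server, as an added example that is not part of the original article: it lists the account each AD LDS instance runs as and the ACEs on the server's computer object that allow creating serviceConnectionPoint children. It assumes the RSAT ActiveDirectory module is installed and that the SCP parent is the server's own computer object, as the DN in the event shows.

```powershell
# Added example; assumes the RSAT ActiveDirectory module, run on the AD LDS server.
Import-Module ActiveDirectory

# schemaIDGUID of the serviceConnectionPoint object class.
$scpClass    = [guid]'28630ec1-41d5-11d1-a9c1-0000f80367c1'
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# 1. Which account does each AD LDS instance run as?
#    Instance services are registered as ADAM_<instance name>.
Get-CimInstance Win32_Service -Filter "Name LIKE 'ADAM_%'" |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize

# 2. The SCP DN in the event sits directly under the server's computer object,
#    so that object is where the create right is needed.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

# 3. List Allow ACEs that permit creating serviceConnectionPoint children
#    (scoped to that class, or unscoped and so covering every child class).
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $scpClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# Compare the StartName from step 1 with the identities from step 3.
# NetworkService authenticates to the domain as the computer account (<DOMAIN>\<SERVER>$).
# Group membership is not expanded here, so check the account's groups as well.
# To grant only this right to a domain account (placeholders, run as a domain admin):
#   dsacls "<computer object DN>" /G "<DOMAIN>\<ACCOUNT>:CC;serviceConnectionPoint"
```

Granting only Create Child for the serviceConnectionPoint class keeps the service account at least privilege instead of giving it broad rights over the computer object.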