Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

AD LDS service start fails with error "setup could not start the service..." + error code 8007041d


Source: Microsoft Support



RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.



Symptom

 

Windows Server 2008 R2

After you start the AD LDS service for a particular instance, you may receive the following warning message in the event log. If your AD LDS instance uses UDP for communication, this issue blocks LDAP traffic over UDP on the port that is listed in the event message. However, unlike on Windows Server 2008, this issue does not prevent the service from starting, and LDAP traffic over TCP still flows through this port.

Windows Server 2008

After you successfully install AD LDS, you may be unable to start the service, and an error message may be displayed. You may also receive the following error message in the event log:



Cause

This issue occurs after security update 951746 is installed on Windows Server 2008 R2-based and Windows Server 2008-based computers, because the update changes the way the DNS server allocates ports, and this change can prevent AD LDS from obtaining the port that it requires to function correctly.


By default, after security update 951746 is installed, the DNS server randomly allocates 2,500 UDP ports from the ephemeral port range when it starts. A conflict occurs if one of these randomly allocated ports is a port that an AD LDS instance has to use.


Because these ports are randomly allocated, these failures can be intermittent and are likely to occur in the following scenarios:
  • Windows Server 2008 and Windows Server 2008 R2: The AD LDS service is stopped during the installation of a DNS server that has security update 951746 installed, or during the installation of the update itself, and then an attempt is made to restart the AD LDS service. As long as the AD LDS service is in a stopped state, the DNS service can randomly allocate the ports that the instances use.
  • Windows Server 2008 and Windows Server 2008 R2: AD LDS and a DNS server that has security update 951746 installed are running on a server that is restarted. As the system restarts, the DNS service starts before the AD LDS instance services, and the DNS service may allocate ports that the AD LDS instances use.
  • Windows Server 2008 only: An AD LDS instance is installed after security update 951746 is installed, and the AD LDS instance tries to use a port that was randomly allocated by DNS. The service startup fails and logs an error message in the event log.


    Unlike Windows Server 2008, Windows Server 2008 R2 checks whether the port that was selected for a new AD LDS instance is available (and this includes the case in which DNS has allocated the port). If it is not, AD LDS setup rejects the port and blocks the user from proceeding with the installation. In this scenario, the user receives the following error message:
    The LDAP port you have chosen is in use. Type the number of an unused LDAP port.

For Windows Server 2008 and Windows Server 2008 R2, if the DNS server is installed after an AD LDS instance was installed and the AD LDS service is running, DNS does not take ports that are currently in use.



Workaround

To work around this issue for Windows Server 2008 R2 and for Windows Server 2008, follow these steps:
  1. Find the LDAP and SSL ports that are used by the AD LDS instances. Because the port failures can affect all AD LDS instances intermittently, we recommend that you reserve the ports that are used by every AD LDS instance, not just those instances that are currently experiencing a failure, to avoid future failures. To do this, follow these steps:
    1. Open a command prompt, type the following command, and then press ENTER:
      dsdbutil
    2. At the dsdbutil prompt, type the following command, and then press ENTER:
      list instances
      Note: The list instances command displays the values of the LDAP and SSL ports that are used by the instances that are installed on the computer.
  2. Reserve the LDAP and SSL UDP ports that you noted in step 1 (two ports for each instance).



    For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:

    812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server

  3. After you reserve the ports, restart the computer.
This procedure prevents the DNS server from taking the ports that the AD LDS instances need and avoids port conflicts between the two services.
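The following script carries out the three steps above on one computer: it reads the LDAP and SSL ports of every AD LDS instance from dsdbutil, reports whether dns.exe currently holds any of those ports as UDP sockets (the conflict described under Cause), and adds the ports to the ReservedPorts value that KB 812873 describes, leaving the rest of the DNS socket pool in place rather than disabling the security update's port randomization. It is an added example and not part of this Knowledge Base article or of any Microsoft tool. It assumes that dsdbutil accepts its commands as command-line arguments, that "list instances" prints one "LDAP Port:" and one "SSL Port:" line per instance, and that the script runs from an elevated PowerShell prompt; the registry path and the "start-end" entry format come from KB 812873.

```powershell
# Added example (not from KB 959215). Run elevated, then restart the computer.
# Assumed dsdbutil output per instance:
#   LDAP Port:             50000
#   SSL Port:              50001
$ErrorActionPreference = 'Stop'

function Get-AdLdsPorts {
    # Step 1: run dsdbutil non-interactively and collect every LDAP/SSL port.
    $output = & dsdbutil.exe 'list instances' 'quit' 2>&1
    $ports = @()
    foreach ($line in $output) {
        if ("$line" -match '^\s*(LDAP|SSL) Port:\s+(\d+)') {
            $ports += [int]$Matches[2]
        }
    }
    return @($ports | Sort-Object -Unique)
}

function Get-DnsHeldUdpPorts {
    # Check: which UDP ports does dns.exe hold right now? These are the
    # socket-pool ports that can collide with an AD LDS instance.
    $dnsIds = @(Get-Process -Name dns -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if ($dnsIds.Count -eq 0) { return @() }
    $held = @()
    foreach ($line in (& netstat.exe -ano -p udp)) {
        # netstat line: "  UDP    0.0.0.0:50000    *:*    1234"
        if ($line -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$' -and
            $dnsIds -contains [int]$Matches[2]) {
            $held += [int]$Matches[1]
        }
    }
    return @($held | Sort-Object -Unique)
}

function Add-ReservedPorts {
    param([int[]]$Ports)
    # Step 2: append "port-port" entries to ReservedPorts (KB 812873) without
    # duplicating entries that are already there. Reservations keep the port
    # out of dynamic allocation; AD LDS can still bind it explicitly.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $entries = @()
    $item = Get-ItemProperty -Path $key -Name ReservedPorts -ErrorAction SilentlyContinue
    if ($item) { $entries = @($item.ReservedPorts) }
    foreach ($p in $Ports) {
        $entry = "$p-$p"
        if ($entries -notcontains $entry) { $entries += $entry }
    }
    Set-ItemProperty -Path $key -Name ReservedPorts -Value ([string[]]$entries) -Type MultiString
    return $entries
}

$adLdsPorts = Get-AdLdsPorts
if ($adLdsPorts.Count -eq 0) {
    Write-Warning 'dsdbutil reported no AD LDS instances; nothing to reserve.'
    return
}
Write-Host "AD LDS LDAP/SSL ports: $($adLdsPorts -join ', ')"

$conflicts = @(Get-DnsHeldUdpPorts | Where-Object { $adLdsPorts -contains $_ })
if ($conflicts.Count -gt 0) {
    Write-Warning "dns.exe currently holds AD LDS UDP port(s): $($conflicts -join ', ')"
}

$reserved = Add-ReservedPorts -Ports $adLdsPorts
Write-Host "ReservedPorts now contains: $($reserved -join ', ')"
# Step 3: the reservation takes effect on the next start of TCP/IP, so reboot.
Write-Host 'Restart the computer so that the DNS socket pool is rebuilt without these ports.'
```

Reserving a port that lies outside the ephemeral range is harmless, so the script does not special-case the defaults of 389 and 636; the conflict check is informational and the reservation is applied for every instance, as the procedure above recommends.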



More Information



Microsoft has confirmed that this is a problem in Active Directory Lightweight Directory Services.



For more information, click the following article number to view the article in the Microsoft Knowledge Base:

956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)

If the Active Directory domain controller role is not installed on a computer, ADAM setup auto-fills the LDAP and SSL port fields with the values 389 and 636, respectively. If the Active Directory domain controller role is installed, ADAM auto-fills the LDAP and SSL port fields with 50000 for LDAP and 50001 for SSL. Because the MS08-037 version of the DNS server takes 2,500 ports in the high port range and typically starts before the AD LDS service, on Windows Server 2008 the AD LDS installation does not stop you from choosing one of these ports, and the AD LDS service then fails to start.

In Windows Server 2008 R2, the AD LDS installation recognizes ports that are unavailable (and this includes the ports that DNS allocates), and it auto-fills appropriate ports that are not currently in use. The AD LDS installation does not let you choose a port that is taken by another service for an AD LDS instance.

Multiple instances of AD LDS (ADAM) can be installed on one computer. Therefore, if you have more than two AD LDS instances on your computer, you must reserve more ports than the defaults (389, 636 and 50000, 50001).



DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.


TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.



Keywords: kbnoloc, kbnomt, kbrapidpub, kb


Article Info
Article ID : 959215
Revision : 3
Created on : 11/7/2019
Published on : 11/8/2019
Exists online : False
Views : 288