Service Connection Points (SCPs) and ADAM/AD LDS

Introduction

Hello, it’s LaNae again. A major issue I see when customers call in regarding ADAM/AD LDS is around the creation of Service Connection Points and why they are needed. Let’s take a further look into this topic and uncover the mystery of this object.

What are Service Connection Points?

Service Connection Points (SCPs) are objects in Active Directory that hold information about services. Services can publish information about their existence by creating serviceConnectionPoint objects in Active Directory. Client applications use this information to find and connect to instances of the service. ADAM/AD LDS is no exception to this. The serviceConnectionPoint object class is derived from the connectionPoint class. ServiceConnectionPoints in ADAM/AD LDS contain some key attribute information that is needed for client application discovery. The table below lists the contents of the serviceConnectionPoint object attributes. You can also find this information by using ADSIEDIT.MSC and viewing the properties of the child object of the computer object on which the ADAM/AD LDS instance is installed.

For example, Exchange 2007 uses SCPs to advertise Autodiscover service information. The serviceBindingInformation attribute of this object is updated during setup with the Autodiscover service URL. For more information on how Exchange 2007 uses Service Connection Points, see Doug Gowans' blog: https://blogs.msdn.com/douggowans/archive/2007/06/28/serviceconnectionpoints.aspx

[Image: table of serviceConnectionPoint object attributes published by ADAM/AD LDS]

This image was taken from the Understanding ADAM service publication TechNet article.

Discovering ADAM/AD LDS with Service Connection Points

If ADAM/AD LDS is installed in a domain and the ADAM/AD LDS service account has the Create Child right on the computer object where the serviceConnectionPoint object will be created, it will attempt to create a serviceConnectionPoint object in Active Directory. By default, global catalogs in Active Directory contain the same information that can be found in the Keywords attribute of an SCP object. Client applications search the SCP attributes located in the global catalog to find an ADAM/AD LDS instance. Client applications can search for:

  • The ADAM/AD LDS object identifier
  • Configuration partition GUID
  • ADAM/AD LDS instance GUID
  • ADAM/AD LDS instance name, or any directory partition.

Client applications may perform load balancing by choosing an ADAM/AD LDS instance randomly when a search returns more than one applicable instance.
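The global catalog lookup described above, as an added example that is not part of the original post: it searches a GC for serviceConnectionPoint objects whose keywords mention an instance name and prints the binding information a client would use. $InstanceName is a placeholder; the wildcard match is an assumption that avoids depending on the exact keyword prefix ADAM/AD LDS writes.

```powershell
# Added example (not from the original post): discover ADAM/AD LDS instances
# through their SCPs in the global catalog, the same lookup a client performs.
param([string]$InstanceName = 'MyAdamInstance')   # placeholder instance name

# GC:// binds to a global catalog, so SCPs from every domain in the forest are visible.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")

# keywords is multi-valued and replicated to the GC. The wildcard is an assumption
# so the filter does not depend on the exact prefix ADAM/AD LDS uses for the name.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$searcher.Filter      = "(&(objectClass=serviceConnectionPoint)(keywords=*$InstanceName*))"
$searcher.SearchScope = 'Subtree'
[void]$searcher.PropertiesToLoad.AddRange(
    @('distinguishedName', 'serviceBindingInformation', 'serviceDNSName', 'keywords'))

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    # No SCP published: workgroup install, or the service account lacked the
    # Create Child right (Event ID 2537). Clients then fall back to DNS.
    Write-Warning "No serviceConnectionPoint found for '$InstanceName' in the global catalog."
    $results.Dispose()
    return
}

$found = foreach ($r in $results) {
    [pscustomobject]@{
        SCP      = @($r.Properties['distinguishedname']) -join ''
        Host     = @($r.Properties['servicednsname']) -join ''
        # ldap://host:port (and ldaps:// when SSL is configured) that clients bind to
        Binding  = @($r.Properties['servicebindinginformation']) -join '; '
        Keywords = @($r.Properties['keywords']) -join '; '
    }
}
$results.Dispose()

$found | Format-List

# Mirror the client behaviour above: pick one instance at random when several match.
if (@($found).Count -gt 1) {
    $chosen = $found | Get-Random
    Write-Host "Multiple instances published; a client might choose: $($chosen.Binding)"
}
```

Run it as an ordinary domain user; reading SCPs needs no special rights, which is also why an SCP should never carry secrets in its attributes.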

Discovering ADAM/AD LDS without Service Connection Points

Understand that ADAM/AD LDS does not need SCPs to be published in order to function properly. ADAM/AD LDS can run with or without SCPs. If ADAM/AD LDS is installed in a workgroup environment, or if the service account that ADAM/AD LDS is running under does not have the proper permissions to create SCPs, then it will not create an SCP. Under these circumstances client applications use DNS to resolve the host name of a computer that has ADAM/AD LDS installed.

Creating Service Connection Point Objects

Service Connection Point objects can be created automatically or manually. When ADAM/AD LDS is installed on a machine that is part of a domain, it will attempt to create a service connection point object. This object appears as a child object of the computer object where the ADAM/AD LDS instance is installed. If the service account that is used to run ADAM/AD LDS does not have the “Create Child” right on the computer object where the ADAM/AD LDS instance is installed, it will fail to create the service connection point object. ADAM/AD LDS will then log Event ID 2537 in the ADAM/AD LDS event log stating that it could not create the SCP due to insufficient rights.

How are SCP Objects updated?

ADAM/AD LDS checks the SCP object for changes when the instance is started, and then reviews the SCP object every hour after that to make sure it is still valid. When the instance starts, it searches the Global Catalog for its GUID and uses that to find the distinguished name of the SCP object. The ADAM/AD LDS instance then binds to the distinguished name of the SCP object and updates it if needed. The interval at which the ADAM/AD LDS instance reviews the SCP object can be modified by adding the Server information update interval (mins) DWORD value to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\instancename\parameters. Set the value data to the desired time interval in minutes.

Managing SCP Objects

You can simplify management of ADAM/AD LDS SCP objects by creating an OU that contains the computer objects that host ADAM/AD LDS instances. Doing this places all SCP objects in the same location and allows for ease of administration.

Modifying the SCP Object Creation Location

Earlier in this blog I stated that the SCP object is created as a child object of the computer object that holds the ADAM/AD LDS instance. This location can be changed by modifying the msDS-SCPContainer attribute located on the SCP Publication Service object. This can be done to make administration of SCP objects easier. The following steps are identical for ADAM and AD LDS with a few exceptions: in the AD LDS schema you do not have to make any modification to the msDS-SCPContainer attribute. Also, there is no separate ADSIEDIT snap-in for AD LDS.

You will connect to the AD LDS instance using the ADSIEDIT.msc that is used to manage AD DS and connect to the instance on its respective port.

1. You must first open the ADAM Schema (ADAM-adsiedit.msc) and navigate to the msDS-SCPContainer attribute.


2. Right click on the attribute and select properties. Check the box next to “Allow this attribute to be shown in advanced view” and “Index this attribute in the Active Directory” and click “OK”.


3. Launch ADAM ADSIEDIT or AD DS ADSIEDIT.

4. Connect to the configuration container of the ADAM/AD LDS instance and navigate to “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of instance}”.


5. In the right pane, double-click the CN=SCP Publication Service object.

6. Locate the msDS-SCPContainer attribute and click Edit.


7. Enter the DN of the location where you would like the SCP object to be created.

Note: You will need to give the ADAM/AD LDS service account the Create Child right on the object whose DN you entered as the value. This can be done by right-clicking that object in ADSIEDIT and going to Properties. Click the Security tab and grant the ADAM/AD LDS service account the “Create Child Objects” right.

Once you have completed these steps all ADAM/AD LDS instances will create the SCP in the specified location.
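Steps 4 through 7 and the note above, carried out with System.DirectoryServices instead of ADSIEDIT, as an added example that is not from the original post. It assumes an AD LDS instance (so no schema change is needed), and the host, port, target OU and service account are placeholders. The Create Child grant is deliberately scoped to the serviceConnectionPoint class rather than all child object types, which is tighter than the unscoped right the note describes.

```powershell
# Added example (not from the original post): relocate an AD LDS instance's SCP
# and grant its service account a class-scoped Create Child right there.
$AdamHost       = 'adlds01.contoso.com'               # placeholder AD LDS host
$AdamPort       = 389                                 # placeholder instance LDAP port
$TargetOU       = 'OU=ADLDS SCPs,DC=contoso,DC=com'   # placeholder container in AD DS
$ServiceAccount = 'CONTOSO\svc-adlds'                 # placeholder service account

# Step 4: find the instance's configuration partition via its RootDSE
# (this is the CN=Configuration,CN={GUID} container navigated to in ADSIEDIT).
$instRootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${AdamHost}:${AdamPort}/RootDSE")
$configNc    = [string]$instRootDse.Properties['configurationNamingContext'][0]

# Steps 5-7: set msDS-SCPContainer on the SCP Publication Service object.
$pubSvcDn = "CN=SCP Publication Service,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$pubSvc   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${AdamHost}:${AdamPort}/$pubSvcDn")
$pubSvc.Properties['msDS-SCPContainer'].Value = $TargetOU
$pubSvc.CommitChanges()

# Note step: resolve the service account SID and the schemaIDGUID of the
# serviceConnectionPoint class so the ACE only permits creating SCPs.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$domRootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$schemaNc   = [string]$domRootDse.Properties['schemaNamingContext'][0]
$schemaSrch = New-Object System.DirectoryServices.DirectorySearcher(
    (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")),
    '(lDAPDisplayName=serviceConnectionPoint)', @('schemaIDGUID'))
$scpClassGuid = [guid]$schemaSrch.FindOne().Properties['schemaidguid'][0]

# Grant Create Child (serviceConnectionPoint only) on the new container.
$ou  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetOU")
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $scpClassGuid)
$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()

Write-Host "msDS-SCPContainer set to '$TargetOU'; restart the instance or wait for the"
Write-Host "update interval, then check the AD LDS event log for Event ID 2537."
```

Run it as an account that can write the instance's configuration partition and modify the target OU's security descriptor.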

Summary

I hope this blog post has given you a better understanding of what Service Connection Point objects are. You should hopefully now know why we use service connection point objects and how to administer them.

- LaNae Wade