Manually Register AD LDS Service Principal Names in AD DS

Applies To: Windows Server 2008

Active Directory Lightweight Directory Services (AD LDS) attempts to register its service principal names (SPNs) in the security context of the AD LDS service account. The Network Service account succeeds because it acts as the computer account, which may write its own SPNs; a domain user account that is not a member of the Domain Admins group lacks that right, so SPN registration fails. When an SPN registration attempt fails, AD LDS writes a dnsdomainname.bat script to the data directory of the instance (Program Files\Microsoft ADAM\instancename\data), where dnsdomainname is the name of the Domain Name System (DNS) domain in which the AD LDS instance resides. You can run this script with sufficient rights to register the SPNs for AD LDS in AD DS manually.

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To manually register AD LDS service principal names in AD DS

  1. To open a command prompt, click Start, click Run, and then type cmd.

  2. Change the current directory to:

    Program Files\Microsoft ADAM\instancename\data

    where instancename represents the name of the AD LDS instance.

  3. At the command prompt, type the following and then press ENTER:

    dnsdomainname.bat

    where dnsdomainname represents the name of the DNS domain in which the AD LDS instance resides; the generated script file carries that name.


SPN registration does not apply to AD LDS instances that are running on computers that are joined to a workgroup, rather than to a domain.
If you do not register the SPNs for an AD LDS instance that is running on a computer that is joined to a domain, you can still run the AD LDS instance, but you cannot run the AD LDS instance as part of a configuration set for which the replication security level has been set to two (2). For more information about replication security levels, see Modify the Replication Security Level of a Configuration Set.
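The following PowerShell script is an added example, not part of the original documentation, that carries out the procedure above end to end: it confirms the computer is domain-joined (the script does not apply to workgroup computers), checks that the caller is a Domain Admin, locates the generated dnsdomainname.bat under the default instance data directory, shows which account the instance runs as, runs the script, and then lists the ldap/ SPNs that were registered with setspn -L. It assumes the default install root (%ProgramFiles%\Microsoft ADAM), that the instance's Windows service is named ADAM_instancename, that setspn.exe is available on the PATH, and that the Domain Admins group keeps its default English name; the parameter values shown in comments are illustrative only.

```powershell
# Added example: run the AD LDS-generated dnsdomainname.bat and verify the SPNs.
# Not part of the original documentation. Assumptions are marked below.
param(
    [Parameter(Mandatory=$true)] [string] $InstanceName,   # e.g. 'AppDirectory' (illustrative)
    [Parameter(Mandatory=$true)] [string] $DnsDomainName   # e.g. 'corp.example.com' (illustrative)
)

# SPN registration does not apply to workgroup computers; stop early there.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not joined to a domain; AD LDS SPN registration does not apply."
}

# The procedure requires Domain Admins (or equivalent). Assumes the default group name.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole("$env:USERDOMAIN\Domain Admins")) {
    throw "Run this as a member of Domain Admins (current user: $($identity.Name))."
}

# Steps 1-2: locate the script in the instance data directory (assumed default root).
$dataDir = Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data"
$script  = Join-Path $dataDir "$DnsDomainName.bat"
if (-not (Test-Path $script)) {
    throw "No $DnsDomainName.bat in $dataDir. Either automatic registration succeeded, or the instance name or domain is wrong."
}

# Show the service account. Network Service registers SPNs as the computer account;
# a plain domain user outside Domain Admins cannot, which is why the .bat exists.
# Assumes the instance service is named ADAM_<instancename>.
$svc = Get-WmiObject Win32_Service -Filter "Name='ADAM_$InstanceName'"
if ($svc) {
    Write-Host "AD LDS instance '$InstanceName' runs as: $($svc.StartName)"
} else {
    Write-Warning "Service ADAM_$InstanceName not found; SPN check will target the computer account."
}

# Step 3: review and run the script from its own directory.
Push-Location $dataDir
try {
    Write-Host "Commands in $($script):"
    Get-Content $script | ForEach-Object { Write-Host "  $_" }
    & cmd.exe /c ".\$DnsDomainName.bat"
    if ($LASTEXITCODE -ne 0) { throw "$DnsDomainName.bat exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

# Verify: list ldap/ SPNs on the account the instance runs as. Network Service
# means the computer account, so query the computer name; otherwise the user.
$target = $env:COMPUTERNAME
if ($svc -and $svc.StartName -notmatch 'NetworkService$' -and $svc.StartName -notmatch 'LocalSystem$') {
    $target = ($svc.StartName -split '\\')[-1]
}
Write-Host "SPNs now registered on $($target):"
setspn -L $target | Where-Object { $_ -match '^\s*ldap/' }
```

Run the script from an elevated PowerShell prompt on the AD LDS server while logged on as a Domain Admin, for example `.\Register-AdLdsSpn.ps1 -InstanceName AppDirectory -DnsDomainName corp.example.com` (file and parameter values are illustrative). If the final setspn -L output shows no ldap/ entries, the instance's SPNs were not written and the instance cannot participate in a configuration set whose replication security level is set to 2.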