Source: https://technet.microsoft.com/en-in/library/jj592690.aspx (printed 12/31/2015 8:22 PM)

Introduction to Troubleshooting

Troubleshooting Options

Logging Options
The built-in logs are the most important instrument for troubleshooting issues with domain controller promotion and demotion. All of these logs are enabled and configured for maximum verbosity by default.
| Phase | Log |
|---|---|
|  | `%systemroot%\debug\dcpromoui.log`, `%systemroot%\debug\dcpromoui*.log`, `%systemroot%\debug\dcpromo.log`, `%systemroot%\debug\dcpromo*.log` |
|  | Event viewer\Windows logs\System; Event viewer\Windows logs\Application; Event viewer\Applications and services logs\Directory Service; Event viewer\Applications and services logs\File Replication Service; Event viewer\Applications and services logs\DFS Replication |
|  | `%systemroot%\debug\adprep\<datetime>\adprep.log`, `%systemroot%\debug\adprep\<datetime>\csv.log`, `%systemroot%\debug\adprep\<datetime>\dspecup.log`, `%systemroot%\debug\adprep\<datetime>\ldif.log*` |
| Windows Servicing | `%systemroot%\Logs\CBS\*`, `%systemroot%\servicing\sessions\sessions.xml`, `%systemroot%\winsxs\poqexec.log`, `%systemroot%\winsxs\pending.xml` |
Errors in prerequisite validation and verification do not continue on to a reboot, so they are visible in all cases. For example:

| Error Code | Explanation | Note |
|---|---|---|
|  | Exit, success |  |
|  |  | You still must reboot; this just notes that the automatic restart flag was removed |
|  |  | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: `-creatednsdelegation:$false` |
|  |  | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: `-creatednsdelegation:$false` |
Promotion and demotion return the following failure message codes. There is also likely to be an extended error message; always read the entire error carefully, not just the numeric portion.
| Error Code | Explanation | Suggested resolution |
|---|---|---|
| 11 |  | Do not run more than one instance of domain controller promotion at the same time for the same target computer |
| 12 |  | Log on as a member of the built-in Administrators group and ensure you are elevating with UAC |
| 13 |  | You cannot demote this domain controller, as it is also a Certification Authority. Do not remove the CA before you carefully inventory its usage; if it is issuing certificates, removing the role will cause an outage. Running CAs on domain controllers is discouraged |
| 14 |  |  |
| 15 |  | You must restart the server (due to prior configuration changes) before promotion |
| 16 |  |  |
| 17 |  | This error is not possible in Windows Server 2012, which requires at least the %systemdrive% to be formatted with NTFS |
| 18 |  |  |
| 19 |  |  |
| 20 |  |  |
| 21 | This domain controller holds FSMO roles, is a GC, and/or is a DNS server |  |
| 22 |  |  |
| 23 |  | Set a primary DNS server when adding a new domain controller to a domain |
| 24 |  |  |
| 25 |  |  |
| 26 |  |  |
| 27 |  |  |
| 28 |  |  |
| 29 |  | Verify the parent domain specified when creating a new child domain or tree domain |
| 30 |  |  |
| 31 |  |  |
| 32 |  |  |
| 33 |  |  |
| 34 |  | Use the correct Install From Media for this operating system and role (same operating system version, same type of domain controller: RODC versus RWDC) |
| 35 | Missing SYSKEY | The Install from Media is encrypted and you must provide a valid SYSKEY to use it |
| 37 |  | Change the path of the database and logs to a fixed NTFS volume, not a mapped drive or UNC path |
| 38 | Volume does not have enough space for the NTDS database or logs | Free up space using cleanmgr.exe, add more disk space, or manually clear space by moving unnecessary data elsewhere |
| 39 |  | Change the path of the SYSVOL folder to a fixed NTFS volume, not a mapped drive or UNC path |
| 40 |  |  |
| 41 |  | Provide a password for the DSRM account; it cannot be blank no matter how the password policy is configured |
| 42 |  | Provide a password for the DSRM account that meets the password policy's configured rules |
| 43 |  | Provide a password for the local administrator account that meets the password policy's configured rules |
| 44 |  |  |
| 45 |  |  |
| 46 |  |  |
| 47 |  |  |
| 48 | The tree name does not fit into the forest structure |  |
| 49 |  |  |
| 50 | During demote, the last domain controller was detected even though it is not, or the last domain controller was specified but it is not | Do not specify Last Domain Controller in the Domain (`-lastdomaincontrollerindomain`) unless it is true. Use `-ignorelastdcindomainmismatch` to override if this is truly the last domain controller and there is phantom domain controller metadata |
| 51 |  |  |
| 52 | Required command-line argument is missing (that is, an answer file must be specified on the command line) |  |
| 53 |  |  |
| 54 |  |  |
| 55 |  |  |
| 56 | The promotion/demotion was canceled by the user; the machine must be rebooted to clean up |  |
| 58 |  | You must specify a site for an RODC; it will not automatically detect one like an RWDC |
| 59 | During demote, this domain controller is the last DNS server for one of its zones | Specify that this is the Last DNS Server in the Domain or use `-ignorelastdnsserverfordomain` |
| 60 | A domain controller running Windows Server 2008 or later must be present in the domain in order to promote an RODC | Promote at least one Windows Server 2008 or later writable domain controller |
| 61 |  | You cannot install Active Directory Domain Services with DNS in an existing domain that does not already host DNS |
| 62 |  |  |
| 63 |  | Raise the forest functional level to at least Windows Server 2003 Native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |
| 64 |  |  |
| 65 |  |  |
| 66 |  | Examine the extended error and logs; the server is failing to return its operating system version. It is likely that the computer will need to be re-installed, as its overall health is highly suspect |
| 68 |  | Use repadmin.exe or the `Get-ADReplication*` Windows PowerShell cmdlets to validate partner domain controller health |
| 69 |  | Use `netstat.exe -anob` to locate processes that are incorrectly assigned to reserved AD DS ports |
| 70 |  |  |
| 71 |  | Do not specify to install DNS (`-installDNS`) if the DNS service is already installed |
| 72 |  | You cannot promote this domain controller, as it is also an RDS server configured for more than two admin users. Do not remove RDS before you carefully inventory its usage; if it is being used by applications or end users, removal will cause an outage |
| 73 |  |  |
| 74 |  |  |
| 75 |  | Validate that the RODC password replication policy exists and is accessible |
| 76 |  | Validate that you have typed in valid domain and user accounts when specifying a password replication policy |
| 77 |  |  |
| 78 |  |  |
| 79 |  | Use Windows Server 2012 to prepare the forest or use `adprep.exe /rodcprep` |
| 80 |  | Use Windows Server 2012 to prepare the domain or use `adprep.exe /domainprep` |
| 81 |  | Use Windows Server 2012 to prepare the forest or use `adprep.exe /forestprep` |
| 82 |  | Use Windows Server 2012 to prepare the forest or use `adprep.exe /forestprep` |
| 83 | Unsupported SKU |  |
| 84 |  | Validate that existing domain controllers have the correct user account control attribute set |
| 85 | Returned if you specify "Use Existing Account" but either no account is found or there is an error during account lookup. Ensure you provided the correct RODC staged account |  |
| 86 | Returned if you promote an additional domain controller but an existing account exists and "Allow Reinstall" was not specified |  |
| 87 |  | Rename the computer before promoting, if not trying to attach to an unoccupied domain controller account. You must attach to the unoccupied domain controller account using `-useexistingaccount` and the correct read-only or writable argument, depending on the account type |
| 88 | You specified an invalid account for RODC admin delegation. Verify that the account specified is a valid user or group |  |
| 89 |  | Use `netdom.exe query fsmo` to detect the RID master. Bring it online and make it accessible to the domain controller you are promoting |
| 90 |  | Use `netdom.exe query fsmo` to detect the domain naming master. Bring it online and make it accessible to the domain controller you are promoting |
| 91 |  |  |
| 92 |  |  |
| 93 |  |  |
| 94 | Local admin password does not meet the requirement: either blank or not required | Provide a non-blank password and ensure that the local password policy requires a password |
| 95 | Cannot demote the last Windows Server 2008 or later domain controller in a domain where live RODCs exist | You must first demote all RODCs before you can demote all Windows Server 2008 or later writable domain controllers |
| 96 |  |  |
| 97 | Forest functional level version is higher than that of the child domain operating system | Provide a child domain functional level the same as or higher than the forest functional level |
| 98 |  |  |
| 99 | Forest functional level is too low (error is Windows Server 2012 only) | Raise the forest functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |
| 100 | Domain functional level is too low (error is Windows Server 2012 only) | Raise the domain functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |

Notes that accompany some of the rows above:
1. Only seen with dcpromo /unattend, which is deprecated. See older documentation.
2. Not possible to get this error anymore; the operating system is 64-bit.
Issue

Symptoms

Resolution and Notes
When removing the AD DS role, also remove the DNS Server role or set the DNS Server service to disabled. Remember to point the DNS client to another server than itself. If using Windows PowerShell, run the following after you demote the server:
uninstall-windowsfeature dns
or
Issue
Promoting a Windows Server 2012 domain controller into an existing single-label domain does not configure updatetopleveldomain=1 or allowsinglelabeldnsdomain=1
Symptoms

Resolution and Notes
Set these values using the Netlogon and DNS group policies. Microsoft began blocking single-label domain creation in Windows Server 2008; you can use ADMT or the Domain Rename Tool to change to an approved DNS domain structure.
Issue
Demotion of the last domain controller in a domain fails if there are pre-created, unoccupied RODC accounts
Symptoms
Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com.
"The format of the specified domain name is invalid."
Resolution and Notes
Remove any remaining pre-created RODC accounts before demoting a domain, using Dsa.msc or Ntdsutil.exe metadata cleanup.
Issue

Symptoms
Cross-domain planning functionality for Group Policy, Resultant Set of Policy (RSOP) Planning Mode, requires updated file system and Active Directory permissions for existing Group Policy. Without Gpprep, you cannot use RSOP Planning across domains.
Resolution and Notes
Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Administrators should run Gpprep only once in the history of a domain, not with every upgrade. It is not run by automatic adprep because, if you have already set adequate custom permissions, it would cause all SYSVOL contents to re-replicate on all domain controllers.
Issue

Symptoms
Error returned:
Could not validate media path. Exception calling "GetDatabaseInfo" with "2" arguments. The folder is not valid.
Resolution and Notes
You must store IFM files on a local disk, not a remote UNC path. This intentional block prevents partial server promotion due to a network interruption.
Issue

Symptoms
"A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain. Otherwise, no action is required."
Resolution and Notes
Ignore. ADDSDeployment Windows PowerShell shows the warning first during prerequisite checking, then again during configuration of the domain controller. If you do not wish to configure DNS delegation, use the argument:
-creatednsdelegation:$false
Issue

Symptoms
Verification of user permissions failed. You must supply the name of the domain to which this user account belongs.
Resolution and Notes
Ensure you are providing valid domain credentials in the form domain\user.
Issue

Symptoms
If using Dism.exe to remove the AD DS role before demoting a domain controller gracefully, the server no longer boots normally and shows the error:
Status: 0x000000000
Info: An unexpected error has occurred.
Resolution and Notes
Boot into Directory Services Repair Mode using Shift+F8. Add the AD DS role back, and then forcibly demote the domain controller. Alternatively, restore the System State from backup. Do not use Dism.exe for AD DS role removal; the utility has no knowledge of domain controllers.
Issue

Symptoms
Test.VerifyDcPromoCore.DCPromo.General.74
Verification of prerequisites for Domain Controller promotion failed. The specified domain functional level is invalid
Resolution and Notes
Do not specify a forest functional mode of Win2012 without also specifying a domain functional mode of Win2012. Here is an example that will work without errors:
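As an added example (not the page's own and not part of the ADDSDeployment module), the following PowerShell validates that the forest and domain functional modes form an allowed pair before Install-ADDSForest is called; the mode ordering table and the parameter set are constructed assumptions, and corp.contoso.com is the sample domain name used elsewhere on this page.

```powershell
# Added example: reject a ForestMode/DomainMode pair that prerequisite checking
# would fail (DCPromo.General.74) before any promotion work starts.
# Mode names are the ADDSDeployment enum names; the ranks are an assumption
# used only for ordering, not values from the page.
$ModeRank = [ordered]@{
    'Win2003'   = 2
    'Win2008'   = 3
    'Win2008R2' = 4
    'Win2012'   = 5
}

function Test-AddsFunctionalLevelPair {
    param(
        [Parameter(Mandatory)][string]$ForestMode,
        [Parameter(Mandatory)][string]$DomainMode
    )
    foreach ($m in @($ForestMode, $DomainMode)) {
        if (-not $ModeRank.Contains($m)) {
            throw "Unknown functional mode '$m'. Expected one of: $($ModeRank.Keys -join ', ')"
        }
    }
    # A domain functional level can never be lower than its forest functional
    # level, so ForestMode Win2012 requires DomainMode Win2012 as well.
    if ($ModeRank[$DomainMode] -lt $ModeRank[$ForestMode]) {
        throw "DomainMode '$DomainMode' is lower than ForestMode '$ForestMode'; specify the same level or higher for the domain."
    }
    return $true
}

# Constructed parameter set for a new forest.
$forestParams = @{
    DomainName                    = 'corp.contoso.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'   # must not be lower than ForestMode
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # suppresses the DNS delegation warning
    SafeModeAdministratorPassword = (Read-Host -AsSecureString 'DSRM password (cannot be blank)')
    NoRebootOnCompletion          = $false      # the server must restart after promotion
}

if (Test-AddsFunctionalLevelPair -ForestMode $forestParams.ForestMode -DomainMode $forestParams.DomainMode) {
    Import-Module ADDSDeployment
    Install-ADDSForest @forestParams
}
```

Changing DomainMode to 'Win2008R2' in the parameter set makes the check throw instead of reaching the cmdlet.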
Issue
Clicking Verify in the Install from Media selection area appears to do nothing
Symptoms
When you specify a path to an IFM folder, clicking the Verify button never returns a message or appears to do anything.
Resolution and Notes
The Verify button only returns errors if there are issues. Otherwise, it makes the Next button selectable if you have provided an IFM path. You must click Verify to proceed if you have selected IFM.
Issue
Demoting with Server Manager does not provide feedback until completed.
Symptoms
When using Server Manager to remove the AD DS role and demote a domain controller, there is no ongoing feedback given until the demotion completes or fails.
Resolution and Notes
This is a limitation of Server Manager. For feedback, use the ADDSDeployment Windows PowerShell cmdlet:
Uninstall-ADDSDomainController
Issue
Install from Media Verify does not detect that RODC media was provided for a writable domain controller, or vice versa.
Symptoms
When promoting a new domain controller using IFM and providing incorrect media to IFM, such as RODC media for a writable domain controller or RWDC media for an RODC, the Verify button does not return an error. Later, promotion fails with error:
Resolution and Notes
Verify only validates the overall integrity of IFM. Do not provide the wrong IFM type to a server. Restart the server before you attempt promotion again with the correct media.
Issue

Symptoms
When using ADDSDeployment Windows PowerShell to promote a new RODC with a staged computer account, you receive the error:
Resolution and Notes
Do not provide parameters that are already defined on a pre-created RODC account. These include:
-readonlyreplica
-installdns
-donotconfigureglobalcatalog
-sitename
Issue

Symptoms
If selecting (or not selecting) the Server Manager option "Restart each destination server automatically if required" when demoting a domain controller through role removal, the server always restarts, regardless of the choice.
Resolution and Notes
This is intentional. The demotion process restarts the server regardless of this setting.
Issue
Dcpromo.log shows "[error] setting security on server files failed with 2"
Symptoms
Demotion of a domain controller completes without issues, but examination of the dcpromo log shows the error:
Issue
Prerequisite adprep check fails with error "Unable to perform Exchange schema conflict check"
Symptoms
When attempting to promote a Windows Server 2012 domain controller into an existing Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest, the prerequisite check fails with error:
Verification of prerequisites for AD prep failed. Unable to perform Exchange schema conflict check for domain <domain name> (Exception: the RPC server is unavailable)
Resolution and Notes
The new domain controller cannot access WMI through DCOM/RPC protocols against the existing domain controllers. To date, there have been three causes for this:
1. A firewall rule blocks access to the existing domain controllers
2. The NETWORK SERVICE account is missing from the "Logon as a service" (SeServiceLogonRight) privilege on the existing domain controllers
3. NTLM is disabled on domain controllers, using security policies described in Introducing the Restriction of NTLM Authentication
Issue

Symptoms
When creating a new AD DS forest and creating the DNS zone on the new domain controller for itself, you always receive the warning message:
Resolution and Notes
Ignore. This warning is intentional on the first domain controller in the root domain of a new forest, in case you intended to point to an existing DNS server and zone.
Issue

Symptoms
If you use the -whatif argument when configuring a domain controller with implicit or explicit -installdns:$true, the resulting output shows:
Issue
After promotion, logon fails with "Not enough storage is available to process this command"
Symptoms
After you promote a new domain controller and then log off and attempt to log on interactively, you receive the error:
Resolution and Notes
The domain controller was not rebooted after promotion, either due to an error or because you specified the ADDSDeployment Windows PowerShell argument -norebootoncompletion. Restart the domain controller.
Issue
The Next button is not available on the Domain Controller Options page
Symptoms
Even though you have set a password, the Next button on the Domain Controller Options page in Server Manager is not available. There is no site listed in the Site name menu.
Resolution and Notes
You have multiple AD DS sites and at least one is missing subnets; this future domain controller belongs to one of those subnets. You must manually select the site from the Site name dropdown menu. You should also review all AD sites using DSSITE.MSC or use the following Windows PowerShell command to find all sites missing subnets (the filter keeps sites whose Subnets property is empty):
Get-ADReplicationSite -Filter * -Properties Subnets | Where-Object { -not $_.Subnets } | Format-Table Name
Issue

Symptoms
If you attempt promotion, demotion, or cloning of a domain controller, you receive the error:
"The service cannot be started, either because it is disabled or it has no enabled devices associated with it" (0x80070422)
The error may be interactive, an event, or written to a log like dcpromoui.log or dcpromo.log.
Resolution and Notes
The DS Role Server service (DsRoleSvc) is disabled. By default, this service is installed during AD DS role installation and set to a Manual start type. Do not disable this service. Set it back to Manual and allow the DS role operations to start and stop it on demand. This behavior is by design.
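An added pre-promotion check script (not the page's own) that tests three conditions this page describes before a server is promoted into an existing domain: the DsRoleSvc start mode (error 0x80070422 above), sites with no subnets (the empty Site name menu), and processes already listening on AD DS ports (error 69, netstat -anob). The port list is an assumption of well-known AD DS listeners, not something the page enumerates; run it elevated on a domain-joined server with the ActiveDirectory module installed.

```powershell
# Added example: pre-flight checks for failure points named on this page.
# The port list below is an assumption (well-known AD DS listener ports).
$ReservedAddsPorts = 88, 389, 464, 636, 3268, 3269

function Test-DsRoleSvcStartMode {
    # DsRoleSvc must not be Disabled; Manual is the default set by AD DS role install.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DsRoleSvc'"
    if ($null -eq $svc) { return 'DsRoleSvc not installed (add the AD DS role first)' }
    if ($svc.StartMode -eq 'Disabled') {
        return 'DsRoleSvc is Disabled; reset it with: Set-Service -Name DsRoleSvc -StartupType Manual'
    }
    return "DsRoleSvc start mode is $($svc.StartMode) (OK)"
}

function Get-SitesMissingSubnets {
    # A site with no subnets leaves the Site name menu empty in Server Manager.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADReplicationSite -Filter * -Properties Subnets |
        Where-Object { -not $_.Subnets } |
        Select-Object -ExpandProperty Name
}

function Get-ReservedPortConflicts {
    # Same question as netstat -anob: which process already owns an AD DS port?
    # On a server that is not yet a DC, nothing should be listening on these.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ReservedAddsPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $name }
        }
}

# Run all three checks and print a short report.
Test-DsRoleSvcStartMode
$missing = @(Get-SitesMissingSubnets)
if ($missing.Count) { "Sites with no subnets: $($missing -join ', ')" } else { 'All sites have subnets (OK)' }
$conflicts = @(Get-ReservedPortConflicts)
if ($conflicts.Count) { $conflicts | Format-Table -AutoSize } else { 'No process owns a reserved AD DS port (OK)' }
```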
Issue

Symptoms
If you promote a domain controller using the deprecated dcpromo.exe /unattend or upgrade an existing Windows Server 2008 R2 domain controller in place to Windows Server 2012, Server Manager still shows the post-deployment configuration task "Promote this server to a domain controller".
Resolution and Notes
Click the post-deployment warning link and the message will disappear for good. This behavior is cosmetic and expected.
Issue

Symptoms
If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, it does not include the role installation cmdlet and arguments (install-windowsfeature -name ad-domain-services -includemanagementtools). Without the role, the DC cannot be configured.
Resolution and Notes
Manually add that cmdlet and its arguments to any scripts. This behavior is expected and by design.
Issue

Symptoms
If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, the file is named with a random temporary name and not as a PS1 file.
Issue

Symptoms
If you promote a domain controller using dcpromo /unattend with the following sample answer file:

```ini
[DCInstall]
NewDomain=Forest
ReplicaOrNewDomain=Domain
NewDomainDNSName=corp.contoso.com
SafeModeAdminPassword=Safepassword@6
DomainNetbiosName=corp
DNSOnNetwork=Yes
AutoConfigDNS=Yes
RebootOnSuccess=NoAndNoPromptEither
RebootOnCompletion=No
DomainLevel=0
ForestLevel=0
```

dcpromoui.log shows:

```text
dcpromoui EA4.5B8 0089 13:31:50.783   Enter CArgumentsSpec::ValidateArgument DomainLevel
dcpromoui EA4.5B8 008A 13:31:50.783   Value for DomainLevel is 0
dcpromoui EA4.5B8 008B 13:31:50.783   Exit code is 77
dcpromoui EA4.5B8 008C 13:31:50.783   The specified argument is invalid.
dcpromoui EA4.5B8 008D 13:31:50.783 closing log
dcpromoui EA4.5B8 0032 13:31:50.830   Exit code is 77
```

Resolution and Notes
Do not use the deprecated dcpromo /unattend and understand that it allows you to specify invalid settings that later fail. This behavior is expected and by design.
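An added PowerShell parser (not from the page) for dcpromoui.log lines in the column layout shown above (component, session id, sequence number, time, message); it returns the final exit code and the last diagnostic message so a failed unattended run can be triaged without reading the whole log. The sample lines are constructed from the excerpt above.

```powershell
# Added example: parse dcpromoui.log-style lines and summarise the outcome.
# Sample input constructed from the log excerpt on this page.
$SampleLog = @'
dcpromoui EA4.5B8 0089 13:31:50.783   Enter CArgumentsSpec::ValidateArgument DomainLevel
dcpromoui EA4.5B8 008A 13:31:50.783   Value for DomainLevel is 0
dcpromoui EA4.5B8 008B 13:31:50.783   Exit code is 77
dcpromoui EA4.5B8 008C 13:31:50.783   The specified argument is invalid.
dcpromoui EA4.5B8 008D 13:31:50.783 closing log
dcpromoui EA4.5B8 0032 13:31:50.830   Exit code is 77
'@

function ConvertFrom-DcPromoUiLog {
    # One object per well-formed line; lines that do not match the layout are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^(?<Component>\S+)\s+(?<Session>\S+)\s+(?<Seq>[0-9A-Fa-f]{4})\s+(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<Message>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Component = $Matches.Component
                Session   = $Matches.Session
                Seq       = $Matches.Seq
                Time      = $Matches.Time
                Message   = $Matches.Message.Trim()
            }
        }
    }
}

function Get-DcPromoUiResult {
    # Final "Exit code is N" wins; the reason is the last message that is neither
    # an exit-code line nor the "closing log" marker.
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @(ConvertFrom-DcPromoUiLog -Lines $Lines)
    $exit = $entries | Where-Object { $_.Message -match '^Exit code is \d+$' } | Select-Object -Last 1
    $code = if ($exit) { [int]($exit.Message -replace '^Exit code is ', '') } else { $null }
    $reason = $entries |
        Where-Object { $_.Message -notmatch '^(Exit code is|closing log)' } |
        Select-Object -Last 1 -ExpandProperty Message
    [pscustomobject]@{ ExitCode = $code; Reason = $reason; Entries = $entries.Count }
}

# Usage with the constructed sample; for a real run pass
# (Get-Content "$env:SystemRoot\debug\dcpromoui.log") instead.
Get-DcPromoUiResult -Lines ($SampleLog -split '\r?\n')
```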
Issue

Symptoms
If you promote a replica DC or RODC, the promotion reaches "creating NTDS settings object" and never proceeds or completes. The logs stop updating as well.
Resolution and Notes
This is a known issue caused by providing the credentials of the built-in local Administrator account with a password matching that of the built-in domain Administrator account. This causes a failure down in the core setup engine that does not error, but instead waits indefinitely (quasi-loop). This is expected, albeit undesirable, behavior.
To fix the server:
1. Reboot it.
2. In AD, delete that server's member computer account (it will not yet be a DC account).
3. On that server, forcibly disjoin it from the domain.
4. On that server, remove the AD DS role.
5. Reboot.
6. Re-add the AD DS role and reattempt promotion, ensuring that you always provide domain\admin formatted credentials to DC promotion and not just the built-in local administrator account.
2015 Microsoft