Applies To: Windows Server 2016
This topic covers detailed methodology on troubleshooting domain controller configuration and deployment.
Introduction to Troubleshooting
Built-in logs for troubleshooting
The built-in logs are the most important instrument for troubleshooting issues with domain controller promotion and demotion. All of these logs are enabled and configured for maximum verbosity by default.
Phase | Log |
---|---|
Server Manager or ADDSDeployment Windows PowerShell operations | - %systemroot%\debug\dcpromoui.log - %systemroot%\debug\dcpromoui*.log |
Installation/Promotion of the domain controller | - %systemroot%\debug\dcpromo.log - %systemroot%\debug\dcpromo*.log - Event viewer\Windows logs\System - Event viewer\Windows logs\Application - Event viewer\Applications and services logs\Directory Service - Event viewer\Applications and services logs\File Replication Service - Event viewer\Applications and services logs\DFS Replication |
Forest or domain upgrade | - %systemroot%\debug\adprep |
Server Manager ADDSDeployment Windows PowerShell deployment engine | - Event viewer\Applications and services logs\Microsoft\Windows\DirectoryServices-Deployment\Operational |
Windows Servicing | - %systemroot%\Logs\CBS\* - %systemroot%\servicing\sessions\sessions.xml - %systemroot%\winsxs\poqexec.log - %systemroot%\winsxs\pending.xml |
Tools and Commands for Troubleshooting Domain Controller Configuration
To troubleshoot issues not explained by the logs, use the following tools as a starting point:
- Dcdiag.exe
- Repadmin.exe
- AutoRuns.exe, Task Manager, and MSInfo32.exe
- Network Monitor 3.4 (or a third party network capture and analysis tool)
General Methodology for Troubleshooting Domain Controller Configuration
- Did a simple syntax issue cause the error?
- Did you mistype or forget to provide an argument to ADDSDeployment Windows PowerShell? For example, if using ADDSDeployment Windows PowerShell, did you forget to add required argument -domainname with a valid name?
- Examine the Windows PowerShell console output carefully to see exactly why it is failing to parse the command-line provided.
- Is the error a prerequisite failure?
- Many errors that used to appear as fatal promotion results are now prevented by the prerequisite checker.
- Examine the text of the prerequisite errors carefully; they provide the necessary guidance to resolve most issues, as they are controlled scenarios.
- Is the error in promotion and therefore fatal?
- Examine the results carefully: many errors have simple explanations such as bad passwords, network name resolution, or critical offline domain controllers.
- Examine the Dcpromoui.log and dcpromo.log for the errors shown in the output, then work backwards from them to see indications of why the failure occurred.
- Always compare to a working sample log
- Examine the ADPrep logs for errors only if the results indicate a problem extending the schema or preparing the forest or domain.
- Examine the DirectoryServices-Deployment event log for errors only if the Dcpromoui.log lacks detail or ends arbitrarily due to an unhandled exception in the configuration process.
- Examine the Directory Services, System, and Application event logs for other indicators of a configuration issue. Often times, the domain controller promotion is just a symptom of other network misconfiguration that would affect all distributed systems.
- Use dcdiag.exe and repadmin.exe to validate the overall forest health and indicate subtle misconfigurations that may prevent further domain controller promotion.
- Use AutoRuns.exe, Task Manager, or MSinfo32.exe to examine the computer for third party software that may be interfering.
- Remove third party software (do not simply disable the software; that does not prevent drivers loading).
- Install NetMon 3.4 on the computer that fails to promote as well as on the replication partner domain controller, and analyze the promotion process with double-sided network captures.
- Compare this to your working lab environment to understand what a healthy promotion looks like and where it is failing.
- At this point, the errors are likely with the forest objects, non-default security changes, or the network, and this new domain controller is a victim of misconfigurations in DNS, firewalls, host intrusion protection software, or other outside factors.
Troubleshooting Events and Error Messages
Domain controller promotion and demotion always return a code at the end of the operation and, unlike most programs, do not return zero for success. To see the code at the end of a domain controller configuration, you have several options:
- When using Server Manager, examine the promotion results in the ten seconds prior to automatic reboot.
- When using ADDSDeployment Windows PowerShell, examine the promotion results in the ten seconds prior to automatic reboot. Alternatively, choose not to restart automatically on completion. You should add the Format-List pipeline to make the output easier to read. For example:
  Errors in prerequisite validation and verification do not continue on to a reboot, so they are visible in all cases. For example:
- In any scenario, examine the dcpromo.log and dcpromoui.log.
Note: Some of the errors listed below are no longer possible due to operating system and domain controller configuration changes in later operating systems. The new ADDSDeployment Windows PowerShell code also prevents certain errors, but dcpromo.exe /unattend does not; this is another compelling reason to switch all of your current automation from the deprecated DCPromo to ADDSDeployment Windows PowerShell.
Promotion and demotion success codes
Error Code | Explanation | Note |
---|---|---|
1 | Exit, success | You still must reboot, this just notes that the automatic restart flag was removed |
2 | Exit, success, need to reboot | |
3 | Exit, success, with a non-critical failure | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: -creatednsdelegation:$false |
4 | Exit, success, with a non-critical failure, need to reboot | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: -creatednsdelegation:$false |
Promotion and demotion failure codes
Promotion and demotion return the following failure message codes. There is also likely to be an extended error message; always read the entire error carefully, not just the numeric portion.
Error Code | Explanation | Suggested resolution |
---|---|---|
11 | Domain controller promotion is already running | Do not run more than one instance of domain controller promotion at the same time for the same target computer |
12 | User must be administrator | Log on as a member of the built-in Administrators group and ensure you are elevating with UAC |
13 | Certification Authority is installed | You cannot demote this domain controller, as it is also a Certification Authority. Do not remove the CA before you carefully inventory its usage - if it is issuing certificates, removing the role will cause an outage. Running CAs on domain controllers is discouraged |
14 | Running in safe-boot mode | Boot the server into normal mode |
15 | Role change is in progress or needs reboot | You must restart the server (due to prior configuration changes) before promotion |
16 | Running on wrong platform | Not likely to get this error |
17 | No NTFS 5 drives exist | This error is not possible in Windows Server 2012, which requires at least the %systemdrive% be formatted with NTFS |
18 | Not enough space in windir | Free up space on the %systemdrive% volume using cleanmgr.exe |
19 | Name change pending, needs reboot | Reboot the server |
20 | Computer name is invalid syntax | Rename the computer with a valid name |
21 | This domain controller holds FSMO roles, is a GC, and/or is a DNS server | Add -demoteoperationmasterrole when using -forceremoval. |
22 | TCP/IP needs to be installed or isn't functioning | Verify computer has TCP/IP configured, bound, and working correctly |
23 | DNS client needs to be configured first | Set a primary DNS server when adding a new domain controller to a domain |
24 | Supplied credentials are invalid or missing required elements | Verify your user name and password are correct |
25 | Domain controller for the specified domain could not be located | Validate DNS client settings, firewall rules |
26 | List of domains could not be read from the forest | Validate DNS client settings, LDAP functionality, firewall rules |
27 | Missing domain name | Specify a domain when promoting or demoting |
28 | Bad domain name | Choose a different, valid DNS domain name when promoting |
29 | Parent domain does not exist | Verify the parent domain specified when creating a new child domain or tree domain |
30 | Domain not in forest | Verify the domain name provided |
31 | Child Domain already exists | Specify a different domain name |
32 | Bad NetBIOS domain name | Specify a valid NetBIOS domain name |
33 | Path to the IFM files is invalid | Validate your path to the Install From Media folder |
34 | The IFM database is bad | Use the correct Install From Media for this operating system and role (same operating system version, same type of domain controller - RODC versus RWDC) |
35 | Missing SYSKEY | The Install from Media is encrypted and you must provide a valid SYSKEY to use it |
37 | Path for NTDS Database or its logs is invalid | Change path of Database and Logs to a fixed NTFS volume, not a mapped drive or UNC path |
38 | Volume does not have enough space for NTDS database or logs | Free up space using cleanmgr.exe, add more disk space, manually clear space by moving unnecessary data elsewhere |
39 | Path for SYSVOL is invalid | Change path of SYSVOL folder to a fixed NTFS volume, not a mapped drive or UNC path |
40 | Invalid site name | Provide a site name that exists |
41 | Need to specify a password for safe-mode | Provide a password for the DSRM account, it cannot be blank no matter how the password policy is configured |
42 | Safe-mode password does not meet criteria (promotion only) | Provide a password for the DSRM account that meets the password policy's configured rules |
43 | Admin password does not meet criteria (demotion only) | Provide a password for the local administrator account that meets the password policy's configured rules |
44 | The specified name for the forest is invalid | Specify a valid forest root DNS domain name |
45 | A forest with the specified name already exists | Choose a different forest root DNS domain name |
46 | The specified name for the tree is invalid | Specify a valid tree DNS domain name |
47 | A tree with the specified name already exists | Choose a different tree DNS domain name |
48 | The tree name does not fit into the forest structure | Choose a different tree DNS domain name |
49 | The specified domain does not exist | Verify your typed domain name |
50 | During demote, last domain controller was detected even though it is not, or last domain controller was specified, but it is not | Do not specify Last Domain Controller in the Domain (-lastdomaincontrollerindomain) unless it is true. Use -ignorelastdcindomainmismatch to override if this is truly the last domain controller and there is phantom domain controller metadata |
51 | App partitions exist on this domain controller | Specify to Remove Application Partitions (-removeapplicationpartitions) |
52 | Required command-line argument is missing (that is, an answer file must be specified on the command-line) | Only seen with dcpromo /unattend, which is deprecated. See older documentation |
53 | The promotion/demotion failed, machine must be rebooted to clean up | Examine the extended error and logs |
54 | The promotion/demotion failed | Examine the extended error and logs |
55 | The promotion/demotion was canceled by the user | Examine the extended error and logs |
56 | The promotion/demotion was canceled by the user, machine must be rebooted to clean up | Examine the extended error and logs |
58 | A site name must be specified during RODC promotion | You must specify a site for an RODC, it will not automatically detect one like an RWDC |
59 | During demote, this domain controller is the last DNS server for one of its zones | Specify that this is the Last DNS Server in the Domain or use -ignorelastdnsserverfordomain |
60 | A domain controller running Windows Server 2008 or later must be present in the domain in order to promote RODC | Promote at least one Windows Server 2008 or later model writable domain controller |
61 | You cannot install Active Directory Domain Services with DNS in an existing domain that does not already host DNS | Not possible to get this error |
62 | Answer file does not have a [DCInstall] section | Only seen with dcpromo /unattend, which is deprecated. See older documentation. |
63 | Forest functional level is below Windows Server 2003 | Raise the forest functional level to at least Windows Server 2003 Native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |
64 | Promo failed because component binary detection failed | Install the AD DS role |
65 | Promo failed because component binary installation failed | Install the AD DS role |
66 | Promo failed because operating system detection failed | Examine the extended error and logs; the server is failing to return its operating system version. It is likely that the computer will need to be re-installed, as its overall health is highly suspect |
68 | Replication partner is invalid | Use repadmin.exe or the Get-ADReplication* Windows PowerShell to validate partner domain controller health |
69 | Required Port is already in use by some other application | Use netstat.exe -anob to locate processes that are incorrectly assigned to reserved AD DS ports |
70 | The forest root domain controller must be a GC | Only seen with dcpromo /unattend, which is deprecated. See older documentation |
71 | DNS server is already installed | Do not specify to install DNS (-installDNS) if the DNS service is already installed |
72 | Computer is running Remote Desktop Services in non-admin mode | You cannot promote this domain controller, as it is also a RDS server configured for more than two admin users. Do not remove RDS before you carefully inventory its usage - if it is being used by applications or end-users, removal will cause an outage |
73 | The specified forest functional level is invalid. | Specify a valid forest functional level |
74 | The specified domain functional level is invalid. | Specify a valid domain functional level |
75 | Unable to determine the default password replication policy. | Validate that the RODC password replication policy exists and is accessible |
76 | Specified replicated/non-replicated security groups are invalid | Validate that you have typed in valid domain and user accounts when specifying a password replication policy |
77 | The specified argument is invalid | Examine the extended error and logs |
78 | Failed to examine Active Directory Forest | Examine the extended error and logs |
79 | RODC cannot be promoted because rodcprep has not been performed | Use Windows Server 2012 to prepare the forest or use adprep.exe /rodcprep |
80 | Domainprep has not been performed | Use Windows Server 2012 to prepare the domain or use adprep.exe /domainprep |
81 | Forestprep has not been performed | Use Windows Server 2012 to prepare the forest or use adprep.exe /forestprep |
82 | Forest schema mismatch | Use Windows Server 2012 to prepare the forest or use adprep.exe /forestprep |
83 | Unsupported SKU | Not likely to get this error |
84 | Unable to detect a domain controller account | Validate that existing domain controllers have correct user account control attribute set. |
85 | Unable to select a domain controller account for stage 2 | Returned if you specify 'Use Existing Account' but either no account found or there is an error during account lookup. Ensure you provided the correct RODC staged account |
86 | Need to run stage 2 promotion | Returned if you promote an additional domain controller but an existing account exists and 'Allow Reinstall' was not specified |
87 | A domain controller account of conflicting type exists | Rename the computer before promoting, if not trying to attach to an unoccupied domain controller. You must attach to the unoccupied domain controller account using -useexistingaccount and the correct read-only or writable argument, depending on account type |
88 | The specified server admin is not valid | You specified an invalid account for RODC admin delegation. Verify that the account specified is a valid user or group |
89 | RID master for the specified domain is offline. | Use netdom.exe query fsmo to detect the RID master. Bring it online and make it accessible to the domain controller you are promoting |
90 | Domain naming master is offline. | Use netdom.exe query fsmo to detect the domain naming master. Bring it online and make it accessible to the domain controller you are promoting |
91 | Failed to detect if the process is wow64 | Not possible to get this error anymore, the operating system is 64-bit |
92 | Wow64 process is not supported | Not possible to get this error anymore, the operating system is 64-bit |
93 | Domain controller service is not running for non-forceful demotion | Start the AD DS service |
94 | Local admin password does not meet requirement: either blank or not required | Provide a non-blank password and ensure that the local password policy requires a password |
95 | Cannot demote last Windows Server 2008 or later domain controller in the domain where live RODCs exist | You must first demote all RODCs before you can demote all Windows Server 2008 or later writable domain controllers |
96 | Unable to uninstall DS binaries | Only seen with dcpromo /unattend, which is deprecated. See older documentation |
97 | Forest functional level version higher than that of the child domain operating system | Provide a child domain functional level that is the same as or higher than the forest functional level |
98 | Component binary install/uninstall is in progress. | Only seen with dcpromo /unattend, which is deprecated. See older documentation |
99 | Forest functional level is too low (error is Windows Server 2012 only) | Raise the forest functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |
100 | Domain functional level is too low (error is Windows Server 2012 only) | Raise the domain functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems |
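
The two code tables above can be applied directly to the logs. The following PowerShell function is an added example, not part of the original article or of Microsoft's tooling: it extracts every "Exit code is N" line from dcpromoui.log-style input and labels it using the success (1 to 4) and failure (11 to 100) ranges from the tables. The function name Get-DcPromoExitCode and the line layout, inferred from the dcpromoui.log excerpt quoted in the known issues section of this page, are assumptions.

```powershell
# Added example (not Microsoft's code). The line layout is assumed from the
# dcpromoui.log excerpt quoted on this page:
#   dcpromoui <thread> <seq> <hh:mm:ss.fff> <text>
function Get-DcPromoExitCode {
    [CmdletBinding()]
    param(
        # Log lines, for example:
        #   Get-Content "$env:SystemRoot\debug\dcpromoui.log"
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    $linePattern = '^dcpromoui\s+(?<thread>\S+)\s+(?<seq>[0-9A-Fa-f]{4})\s+' +
                   '(?<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<text>.*)$'

    # Keep only well-formed lines; blank and continuation lines are skipped.
    $parsed = @(foreach ($l in $Line) {
        if ($l -match $linePattern) {
            [pscustomobject]@{
                Time = $Matches['time']
                Seq  = $Matches['seq']
                Text = $Matches['text'].Trim()
            }
        }
    })

    for ($i = 0; $i -lt $parsed.Count; $i++) {
        if ($parsed[$i].Text -notmatch '^Exit code is (?<code>\d+)$') { continue }
        $code = [int]$Matches['code']

        # Ranges follow the success and failure tables on this page.
        # Some numbers inside 11..100 are not listed there; they are still
        # reported as failures so that they get investigated.
        if ($code -ge 1 -and $code -le 4)        { $outcome = 'Success' }
        elseif ($code -ge 11 -and $code -le 100) { $outcome = 'Failure' }
        else                                     { $outcome = 'NotListed' }

        # In the excerpt, the explanation is logged on the line after the code.
        $message = $null
        if ($i + 1 -lt $parsed.Count) {
            $next = $parsed[$i + 1].Text
            if ($next -notmatch '^(Exit code is \d+|closing log)$') {
                $message = $next
            }
        }

        [pscustomobject]@{
            Time    = $parsed[$i].Time
            Seq     = $parsed[$i].Seq
            Code    = $code
            Outcome = $outcome
            Message = $message
        }
    }
}

# Sample input: the dcpromoui.log excerpt quoted in the known issues section.
$sample = @'
dcpromoui EA4.5B8 0089 13:31:50.783 Enter CArgumentsSpec::ValidateArgument DomainLevel
dcpromoui EA4.5B8 008A 13:31:50.783 Value for DomainLevel is 0
dcpromoui EA4.5B8 008B 13:31:50.783 Exit code is 77
dcpromoui EA4.5B8 008C 13:31:50.783 The specified argument is invalid.
dcpromoui EA4.5B8 008D 13:31:50.783 closing log
dcpromoui EA4.5B8 0032 13:31:50.830 Exit code is 77
'@ -split "`r?`n"

Get-DcPromoExitCode -Line $sample | Format-Table -AutoSize
```

A record without a message still needs the extended error text from the surrounding log lines, as the failure-code section advises.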
Known issues and common support scenarios
The following are common issues seen during the Windows Server 2012 development process. All of these issues are 'by design' and have either a valid workaround or more appropriate technique to avoid them in the first place. Many of these behaviors are identical in Windows Server 2008 R2 and older operating systems, but the rewrite of AD DS deployment brings heightened sensitivity to issues.
Issue | Demoting a domain controller leaves DNS running with no zones |
---|---|
Symptoms | Server still responds to DNS requests but has no zone information |
Resolution and Notes | When removing the AD DS role, also remove the DNS Server role or set the DNS Server service to disabled. Remember to point the DNS client to a server other than itself. If using Windows PowerShell, run the following after you demote the server: Code - uninstall-windowsfeature dns or Code - set-service dns -starttype disabled; stop-service dns |
Issue | Promoting a Windows Server 2012 into an existing single-label domain does not configure updatetopleveldomain=1 or allowsinglelabeldnsdomain=1 |
---|---|
Symptoms | DNS dynamic record registration does not occur |
Resolution and Notes | Set these values using the Netlogon and DNS group policies. Microsoft began blocking single-label domain creation in Windows Server 2008; you can use ADMT or the Domain Rename Tool to change to an approved DNS domain structure. |
Issue | Demotion of last domain controller in a domain fails if there are pre-created, unoccupied RODC accounts |
---|---|
Symptoms | Demotion fails with message: Dcpromo.General.54 Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com. 'The format of the specified domain name is invalid.' |
Resolution and Notes | Remove any remaining pre-created RODC accounts before demoting a domain, using Dsa.msc or Ntdsutil.exe metadata cleanup. |
Issue | Automated forest and domain preparation does not run GPPREP |
---|---|
Symptoms | Cross-domain planning functionality for Group Policy, Resultant Set of Policy (RSOP) Planning Mode, requires updated file system and Active Directory permissions for existing GP. Without Gpprep, you cannot use RSOP Planning across domains. |
Resolution and Notes | Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Administrators should run GPPrep only once in the history of a domain, not with every upgrade. It is not run by automatic adprep because if you have already set adequate custom permissions, it would cause all SYSVOL contents to re-replicate on all domain controllers. |
Issue | Install from media fails to verify when pointing to a UNC path |
---|---|
Symptoms | Error returned: Code - Could not validate media path. Exception calling 'GetDatabaseInfo' with '2' arguments. The folder is not valid. |
Resolution and Notes | You must store IFM files on a local disk, not a remote UNC path. This intentional block prevents partial server promotion due to a network interruption. |
Issue | DNS delegation warning shown twice during domain controller promotion |
---|---|
Symptoms | Warning returned twice when promoting using ADDSDeployment Windows PowerShell: Code - 'A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain. Otherwise, no action is required.' |
Resolution and Notes | Ignore. ADDSDeployment Windows PowerShell shows the warning first during prerequisite checking, then again during configuration of the domain controller. If you do not wish to configure DNS delegation, use argument: Code - -creatednsdelegation:$false Do not skip the prerequisite checks in order to suppress this message |
Issue | Specifying UPN or non-domain credentials during configuration returns misleading errors |
---|---|
Symptoms | Server Manager returns error: Code - Exception calling 'DNSOption' with '6' Arguments ADDSDeployment Windows PowerShell returns error: Code - Verification of user permissions failed. You must supply the name of the domain to which this user account belongs. |
Resolution and Notes | Ensure you are providing valid domain credentials in the form of domain\user. |
Issue | Removing the DirectoryServices-DomainController role using Dism.exe leads to unbootable server |
---|---|
Symptoms | If using Dism.exe to remove the AD DS role before demoting a domain controller gracefully, the server no longer boots normally and shows error: Code - Status: 0x000000000 Info: An unexpected error has occurred. |
Resolution and Notes | Boot into Directory Services Repair Mode using Shift+F8. Add the AD DS role back, and then forcibly demote the domain controller. Alternatively, restore the System State from backup. Do not use Dism.exe for AD DS role removal; the utility has no knowledge of domain controllers. |
Issue | Installing a new forest fails when setting forestmode to Win2012 |
---|---|
Symptoms | Promotion using ADDSDeployment Windows PowerShell returns error: Code - Test.VerifyDcPromoCore.DCPromo.General.74 Verification of prerequisites for Domain Controller promotion failed. The specified domain functional level is invalid |
Resolution and Notes | Do not specify a forest functional mode of Win2012 without also specifying a domain functional mode of Win2012. Here is an example that will work without errors: Code - -forestmode Win2012 -domainmode Win2012 |
Issue | Clicking Verify in the Install from Media selection area appears to do nothing |
---|---|
Symptoms | When you specify a path to an IFM folder, clicking the Verify button never returns a message or appears to do anything. |
Resolution and Notes | The Verify button only returns errors if there are issues. Otherwise, it makes the Next button selectable if you have provided an IFM path. You must click Verify to proceed if you have selected IFM. |
Issue | Demoting with Server Manager does not provide feedback until completed. |
---|---|
Symptoms | When using Server Manager to remove the AD DS role and demote a domain controller, there is no ongoing feedback given until the demotion completes or fails. |
Resolution and Notes | This is a limitation of Server Manager. For feedback, use ADDSDeployment Windows PowerShell cmdlet: Code - Uninstall-addsdomaincontroller |
Issue | Install from Media Verify does not detect that RODC media provided for writable domain controller, or vice versa. |
---|---|
Symptoms | When promoting a new domain controller using IFM and providing incorrect media to IFM - such as RODC media for a writable domain controller, or RWDC media for an RODC - the Verify button does not return an error. Later, promotion fails with error: Code - An error occurred while trying to configure this machine as a domain controller. The Install-From-Media promotion of a Read-Only DC cannot start because the specified source database is not allowed. Only databases from other RODCs can be used for IFM promotion of a RODC. |
Resolution and Notes | Verify only validates the overall integrity of IFM. Do not provide the wrong IFM type to a server. Restart the server before you attempt promotion again with the correct media. |
Issue | Promoting an RODC into a pre-created computer account fails |
---|---|
Symptoms | When using ADDSDeployment Windows PowerShell to promote a new RODC with a staged computer account, receive error: Code - Parameter set cannot be resolved using the specified named parameters. InvalidArgument: ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.Install |
Resolution and Notes | Do not provide parameters already defined on a pre-created RODC account. These include: Code - -readonlyreplica -installdns -donotconfigureglobalcatalog -sitename -installdns |
Issue | Deselecting/selecting 'Restart each destination server automatically if required' does nothing |
---|---|
Symptoms | If selecting (or not selecting) the Server Manager option Restart each destination server automatically if required when demoting a domain controller through role removal, the server always restarts, regardless of choice. |
Resolution and Notes | This is intentional. The demotion process restarts the server regardless of this setting. |
Issue | Dcpromo.log shows '[error] setting security on server files failed with 2' |
---|---|
Symptoms | Demotion of a domain controller completes without issues, but examination of the dcpromo log shows error: Code - [error] setting security on server files failed with 2 |
Resolution and Notes | Ignore, error is expected and cosmetic. |
Issue | Prerequisite adprep check fails with error 'Unable to perform Exchange schema conflict check' |
---|---|
Symptoms | When attempting to promote a Windows Server 2012 domain controller into an existing Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest, prerequisite check fails with error: Code - Verification of prerequisites for AD prep failed. Unable to perform Exchange schema conflict check for domain (Exception: the RPC server is unavailable) The adprep.log shows error: Code - Adprep could not retrieve data from the server through Windows Management Instrumentation (WMI). |
Resolution and Notes | The new domain controller cannot access WMI through DCOM/RPC protocols against the existing domain controllers. To date, there have been three causes for this: - A firewall rule blocks access to the existing domain controllers - The NETWORK SERVICE account is missing from the 'Logon as a service' (SeServiceLogonRight) privilege on the existing domain controllers - NTLM is disabled on domain controllers, using security policies described in Introducing the Restriction of NTLM Authentication |
Issue | Creating a new AD DS forest always shows DNS warning |
---|---|
Symptoms | When creating a new AD DS forest and creating the DNS zone on the new domain controller for itself, you always receive warning message: Code - An error was detected in the DNS configuration. None of the DNS servers used by this computer responded within the timeout interval. (error code 0x000005B4 'ERROR_TIMEOUT') |
Resolution and Notes | Ignore. This warning is intentional on the first domain controller in the root domain of a new forest, in case you intended to point to an existing DNS server and zone. |
Issue | Windows PowerShell -whatif argument returns incorrect DNS server information |
---|---|
Symptoms | If you use the -whatif argument when configuring a domain controller with implicit or explicit -installdns:$true, the resulting output shows: Code - 'DNS Server: No' |
Resolution and Notes | Ignore. DNS is installed and configured correctly. |
Issue | After promotion, logon fails with 'Not enough storage is available to process this command' |
---|---|
Symptoms | After you promote a new domain controller and then log off and attempt to log on interactively, you receive error: Code - Not enough storage is available to process this command |
Resolution and Notes | The domain controller was not rebooted after promotion, either due to an error or because you specified the ADDSDeployment Windows PowerShell argument -norebootoncompletion. Restart the domain controller. |
Issue | The Next button is not available on the Domain Controller Options page |
---|---|
Symptoms | Even though you have set a password, the Next button on the Domain Controller Options page in Server Manager is not available. There is no site listed in the Site name menu. |
Resolution and Notes | You have multiple AD DS sites and at least one is missing subnets; this future domain controller belongs to one of those subnets. You must manually select the subnet from the Site name dropdown menu. You should also review all AD sites using DSSITE.MSC or use the following Windows PowerShell command to find all sites missing subnets: Code - get-adreplicationsite -filter * -property subnets | where-object {!$_.subnets -eq '*'} | format-table name |
Issue | Promotion or demotion fails with message 'the service cannot be started' |
---|---|
Symptoms | If you attempt promotion, demotion, or cloning of a domain controller you receive error: Code - The service cannot be started, either because it is disabled or it has no enabled devices associated with it' (0x80070422) The error may be interactive, an event, or written to a log like dcpromoui.log or dcpromo.log |
Resolution and Notes | The DS Role Server service (DsRoleSvc) is disabled. By default, this service is installed during AD DS role installation and set to a Manual start type. Do not disable this service. Set it back to Manual and allow the DS role operations to start and stop it on demand. This behavior is by design. |
Issue | Server Manager still warns that you need to promote DC |
Symptoms | If you promote a domain controller using the deprecated dcpromo.exe /unattend or upgrade an existing Windows Server 2008 R2 domain controller in place to Windows Server 2012, Server Manager still shows the post-deployment configuration task Promote this server to a domain controller. |
Resolution and Notes | Click the post-deployment warning link and the message will disappear for good. This behavior is cosmetic and expected. |
Issue | Server Manager deployment script missing role installation |
Symptoms | If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, it does not include the role installation cmdlet and arguments (install-windowsfeature -name ad-domain-services -includemanagementtools). Without the role, the DC cannot be configured. |
Resolution and Notes | Manually add that cmdlet and arguments to any scripts. This behavior is expected and by design. |
Issue | Server Manager deployment script is not named PS1 |
Symptoms | If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, the file is named with a random temporary name and not as a PS1 file. |
Resolution and Notes | Manually rename the file. This behavior is expected and by design. |
Issue | Dcpromo /unattend allows unsupported functional levels |
---|---|
Symptoms | If you promote a domain controller using dcpromo /unattend with the following sample answer file: Code - [DCInstall] NewDomain=Forest ReplicaOrNewDomain=Domain NewDomainDNSName=corp.contoso.com SafeModeAdminPassword=Safepassword@6 DomainNetbiosName=corp DNSOnNetwork=Yes AutoConfigDNS=Yes RebootOnSuccess=NoAndNoPromptEither RebootOnCompletion=No DomainLevel=0 ForestLevel=0 Promotion fails with the following errors in the dcpromoui.log: Code - dcpromoui EA4.5B8 0089 13:31:50.783 Enter CArgumentsSpec::ValidateArgument DomainLevel dcpromoui EA4.5B8 008A 13:31:50.783 Value for DomainLevel is 0 dcpromoui EA4.5B8 008B 13:31:50.783 Exit code is 77 dcpromoui EA4.5B8 008C 13:31:50.783 The specified argument is invalid. dcpromoui EA4.5B8 008D 13:31:50.783 closing log dcpromoui EA4.5B8 0032 13:31:50.830 Exit code is 77 Level 0 is Windows 2000, which is not supported in Windows Server 2012. |
Resolution and Notes | Do not use the deprecated dcpromo /unattend and understand that it allows you to specify invalid settings that later fail. This behavior is expected and by design. |
Issue | Promotion 'hangs' at creating NTDS settings object, never completes |
---|---|
Symptoms | If you promote a replica DC or RODC, the promotion reaches 'creating NTDS settings object' and never proceeds or completes. The logs stop updating as well. |
Resolution and Notes | This is a known issue caused by providing credentials of the built-in local Administrator account with a matching password to the built-in domain Administrator account. This causes a failure down in the core setup engine that does not error, but instead waits indefinitely (quasi-loop). This is expected - albeit undesirable - behavior. To fix the server: 1. Reboot it. 2. In AD, delete that server's member computer account (it will not yet be a DC account). 3. On that server, forcibly disjoin it from the domain. 4. On that server, remove the AD DS role. 5. Reboot. 6. Re-add the AD DS role and reattempt promotion, ensuring that you always provide the domain\admin formatted credentials to DC promotion and not just the built-in local administrator account. |
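The dcpromoui.log excerpt in the Dcpromo /unattend row above can be triaged mechanically. The following PowerShell is an added example, not part of the original article or a Microsoft tool: it parses lines in the layout shown in that excerpt and reports each nonzero exit code with the argument that was being validated. The function names, the column interpretation and the password redaction are assumptions made for this example.

```powershell
# Added example: triage dcpromoui.log lines for nonzero exit codes.
# The sample lines are the ones quoted in the Dcpromo /unattend row above.
# On a real server, read the file instead, for example:
#   Get-Content "$env:SystemRoot\debug\dcpromoui.log"
$sampleLog = @(
    'dcpromoui EA4.5B8 0089 13:31:50.783 Enter CArgumentsSpec::ValidateArgument DomainLevel'
    'dcpromoui EA4.5B8 008A 13:31:50.783 Value for DomainLevel is 0'
    'dcpromoui EA4.5B8 008B 13:31:50.783 Exit code is 77'
    'dcpromoui EA4.5B8 008C 13:31:50.783 The specified argument is invalid.'
    'dcpromoui EA4.5B8 008D 13:31:50.783 closing log'
    'dcpromoui EA4.5B8 0032 13:31:50.830 Exit code is 77'
)

function ConvertFrom-DcPromoUiLine {
    param([string[]]$Line)

    # Assumed layout, inferred from the excerpt:
    # module, context id (hex.hex), hex sequence number, time, message.
    $pattern = '^(?<module>\S+)\s+(?<ctx>[0-9A-Fa-f]+\.[0-9A-Fa-f]+)\s+' +
               '(?<seq>[0-9A-Fa-f]{4})\s+(?<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<msg>.*)$'

    foreach ($text in $Line) {
        if ($text -match $pattern) {
            [pscustomobject]@{
                Context  = $Matches['ctx']
                Sequence = $Matches['seq']
                Time     = $Matches['time']
                Message  = $Matches['msg'].Trim()
            }
        }
    }
}

function Get-DcPromoUiFailure {
    param([string[]]$Line)

    $entries = @(ConvertFrom-DcPromoUiLine -Line $Line)
    $pending = @{}   # most recent argument being validated, keyed by context id

    for ($i = 0; $i -lt $entries.Count; $i++) {
        $entry = $entries[$i]

        if ($entry.Message -match '^Enter CArgumentsSpec::ValidateArgument (?<arg>\S+)') {
            $pending[$entry.Context] = @{ Argument = $Matches['arg']; Value = $null }
        }
        elseif ($entry.Message -match '^Value for (?<arg>\S+) is (?<val>.*)$') {
            $argName = $Matches['arg']
            $value   = $Matches['val']
            # Precaution for this example only: never echo a value whose argument
            # name mentions a password. This is not a claim that dcpromoui logs one.
            if ($argName -match 'password') { $value = '<redacted>' }
            $pending[$entry.Context] = @{ Argument = $argName; Value = $value }
        }
        elseif ($entry.Message -match '^Exit code is (?<code>-?\d+)') {
            $code = [int]$Matches['code']
            if ($code -eq 0) { continue }

            # Attach the argument under validation, if one was seen in this context.
            $last     = $pending[$entry.Context]
            $argument = $null
            $argValue = $null
            if ($last) {
                $argument = $last.Argument
                $argValue = $last.Value
            }

            # The line after the exit code carries the human-readable reason in the excerpt.
            $detail = $null
            if ($i + 1 -lt $entries.Count) {
                $next = $entries[$i + 1]
                if ($next.Context -eq $entry.Context -and
                    $next.Message -notmatch '^(Enter |Exit code|closing log)') {
                    $detail = $next.Message
                }
            }

            [pscustomobject]@{
                Time     = $entry.Time
                Sequence = $entry.Sequence
                ExitCode = $code
                Argument = $argument
                Value    = $argValue
                Detail   = $detail
            }
            $pending.Remove($entry.Context)
        }
    }
}

Get-DcPromoUiFailure -Line $sampleLog | Format-Table -AutoSize
```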
Applies to: Configuration Manager (current branch)
To install a new Configuration Manager site by using a guided user interface, use the Configuration Manager Setup Wizard (setup.exe). The wizard supports installing a primary site or central administration site. You also use the wizard to upgrade an evaluation installation of Configuration Manager to a fully licensed installation. When you don't want to use the wizard, you can instead use an installation script and run an unattended command-line installation.
Install a secondary site from within the Configuration Manager console. Secondary sites don't support a scripted command-line installation.
Note
Starting in version 1906, the splash.hta file no longer exists at the root of the installation media. It provided links to the following information:
- Install site: smssetup\bin\x64\setup.exe. For more information, see Install a central administration or primary site.
- Before you begin: Design a hierarchy of sites
- Assess server readiness: Prerequisite Checker
- Download required prerequisite files: smssetup\bin\x64\setupdl.exe. For more information, see Setup Downloader.
- Install Configuration Manager console: smssetup\bin\i386\consolesetup.exe. For more information, see Install consoles.
- Download System Center Updates Publisher
- Download clients for additional operating systems
- Release notes
- Read documentation
- Obtain installation assistance: TechNet Forums: Configuration Manager (Current Branch) – Site and Client Deployment
- Configuration Manager community: System Center Community: How to Participate
- Configuration Manager home
Install a central administration or primary site
Use the following procedure to install a central administration site or a primary site. Also use it to upgrade an evaluation site to a fully licensed Configuration Manager site.
Before starting the site installation, be familiar with the details in the following articles:
If you're installing a central administration site as part of a site expansion scenario, review Expanding a stand-alone primary site before using the following procedure.
Process to install a primary or central administration site
- On the computer where you want to install the site, run <InstallationMedia>\SMSSETUP\BIN\X64\Setup.exe to start the Configuration Manager Setup Wizard.
Note
When you install a central administration site to expand on a stand-alone primary site, or install a new child primary site in an existing hierarchy, use installation media (source files) that match the version of the existing site or sites. If you've installed in-console updates that have changed the version of the previously installed sites, don't use the original installation media. Instead, use source files from the CD.Latest folder of an updated site. Configuration Manager requires you to use source files that match the version of the existing site that your new site will connect to.
- On the Before You Begin page, choose Next.
- On the Getting Started page, select the type of site that you want to install:
- Central administration site, as the first site of a new hierarchy, or when expanding a stand-alone primary site: Select Install a Configuration Manager central administration site. During a later step of this procedure, you're offered the choice to install a central administration site as the first site of a new hierarchy, or to install a central administration site to expand on a stand-alone primary site.
- Primary site, as a stand-alone primary site that is the first site of a new hierarchy, or as a child primary: Select Install a Configuration Manager primary site.
Tip
Typically, you only select the option Use typical installation options for a stand-alone primary site when you want to install a stand-alone primary site in a test environment. When you select this option, setup does the following actions:
- Automatically configures the site as a stand-alone primary site.
- Uses a default installation path.
- Uses a local installation of the default instance of SQL Server for the site database.
- Installs a management point and a distribution point on the site server computer.
- Configures the site with English and the display language of the OS on the primary site server if it matches one of the languages that Configuration Manager supports.
- On the Product Key page:
- Choose whether to install Configuration Manager as an evaluation edition or a licensed edition.
- If you select a licensed edition, enter your product key, and choose Next.
- If you select an evaluation edition, choose Next. (You can upgrade an evaluation installation to a full installation later.)
- You can also specify the Software Assurance expiration date of your licensing agreement. It's a convenient reminder of that date. If you don't enter this date during Setup, you can specify it later from within the Configuration Manager console.
Note
Microsoft doesn't validate the expiration date that you entered and doesn't use this date for license validation. You can use it as a reminder of your expiration date. This date is useful because Configuration Manager periodically checks for new software updates offered online. Your software assurance license status should be current so that you're eligible to use these additional updates.
For more information, see Licensing and branches.
- On the Microsoft Software License Terms page, read and accept the license terms.
- On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software. Setup downloads and automatically installs the software on site systems or clients when it's required. Accept all of the terms before you continue to the next page.
- On the Prerequisite Downloads page, specify whether Setup must download the latest prerequisite redistributable files from the internet or use previously downloaded files:
- If you want Setup to download the files at this time, select Download required files. Then specify a location to store the files.
- If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files. Then specify the download folder.
Tip
If you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files.
- On the Server Language Selection page, select the languages that are available for the Configuration Manager console and for reports. (English is selected by default and can't be removed.) For more information, see Language packs.
- On the Client Language Selection page, select the languages that are available to client computers. Also specify whether to enable all client languages for mobile device clients. (English is selected by default and can't be removed.)
Important
When you use a central administration site, make sure that client languages you configure at the central administration site include all client languages that you configure at each child primary site. Clients that install from a distribution point have access to the client languages from the top-tier site, while clients that install from a management point have access to the client languages from their assigned primary site.
- On the Site and Installation Settings page, specify the following settings for the new site that you're installing:
- Site code: Each site code in a hierarchy must be unique. Use three alpha-numeric digits: A through Z and 0 through 9. Because the site code is used in folder names, don't use Windows-reserved names, including:
- AUX
- CON
- NUL
- PRN
- SMS
Note
Setup doesn't verify whether the site code that you specify is already in use, or if it's a reserved name.
- Site name: Each site requires this friendly name, which can help you identify the site.
- Installation folder: This folder is the path to the Configuration Manager installation. You can't change the location after the site installs. The path can't contain Unicode characters or trailing spaces.
Note
Consider whether you want to use the default installation folder. If you use the default OS partition in a production environment, you may experience the following issues in the future:
- If Configuration Manager uses the additional free disk space on the OS partition, neither Windows nor Configuration Manager will operate properly. If you install Configuration Manager on a separate partition, its disk consumption won't impact the OS.
- Configuration Manager performance is better with a fast disk. Some server designs don't optimize the OS disk for speed.
- You can service, restore, or reinstall the OS without impacting your Configuration Manager installation.
- On the Site Installation page, use the following option that matches your scenario:
- I'm installing a central administration site: On the Central Administration Site Installation page, select Install as the first site in a new hierarchy, and then choose Next to continue.
- I'm expanding a stand-alone primary into a hierarchy with a central administration site: On the Central Administration Site Installation page, select Expand an existing stand-alone primary into a hierarchy. Then specify the FQDN of the stand-alone primary site server, and choose Next to continue. The media that you use to install the new central administration site must match the version of the primary site.
- I'm installing a stand-alone primary site: On the Primary Site Installation page, select Install the primary site as a stand-alone site, and then choose Next.
- I'm installing a child primary site: On the Primary Site Installation page, select Join the primary site to an existing hierarchy. Then specify the FQDN for the central administration site, and choose Next.
- On the Database Information page, specify the following information:
- SQL Server name (FQDN): By default, this value is set to the site server computer. If you use a custom port, add that port to the FQDN of the SQL Server. Follow the FQDN of the SQL Server with a comma and then the port number. For example, for server SQLServer1.fabrikam.com, use the following to specify port 1551:
SQLServer1.fabrikam.com,1551
- Instance name: By default, this value is blank. It uses the default instance of SQL on the site server computer.
- Database name: By default, this value is set to CM_<Sitecode>. You can customize this value.
- Service Broker Port: By default, this value is set to use the default SQL Server Service Broker (SSB) port of 4022. SQL uses it to communicate directly to the site database at other sites.
- On the second Database Information page, you can specify custom locations for the SQL Server data file and the SQL Server log file for the site database:
- By default, it uses the default file locations for SQL Server.
- When you use a SQL Server cluster, the option to specify custom file locations isn't available.
- The prerequisite checker doesn't run a check for free disk space for custom file locations.
- On the SMS Provider Settings page, specify the FQDN for the server where you want to install the SMS Provider.
- By default, it specifies the site server.
- After the site installs, you can configure additional SMS Providers. For more information, see Plan for the SMS Provider.
- On the Client Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role. When you select All site system roles accept only HTTPS communication from clients, the client computer must have a valid PKI certificate for client authentication. For more information, see PKI certificate requirements.
Note
This step only applies when you install a primary site. If you're installing a central administration site, skip this step.
- On the Site System Roles page, choose whether to install a management point or distribution point. For each role that you choose to have installed by Setup:
- Enter the FQDN for the server that will host the role. Then choose the client connection method that the server will support: HTTP or HTTPS.
- If you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS. You can't change this setting unless you go back to the previous page.
Note
This step only applies when you install a primary site. If you're installing a central administration site, skip this step.
Note
To install site system roles, Setup uses the site system installation account. By default, this uses the primary site’s computer account. This account must be a local administrator on a remote computer to install the site system role. If this account lacks the required permissions, uncheck the site system roles and install them later from within the Configuration Manager console, after configuring additional accounts to use as site system installation accounts. For more information, see Accounts.
- On the Usage Data page, review the information about data that Microsoft collects, and then choose Next. For more information, see Diagnostics and usage data.
- The Service Connection Point Setup page is only available during the following scenarios:
- When you're installing a stand-alone primary site.
- When you're installing a central administration site.
Note
If you're installing a child primary site, skip this step.
If you're installing a central administration site as part of a site expansion scenario, and this role is already installed at the stand-alone primary site, first uninstall this role from the stand-alone primary site. Only one instance of this role is permitted in a hierarchy, and it's only supported at the top-tier site of the hierarchy.
After you select a configuration for the Service Connection Point, choose Next. After Setup completes, you can change this configuration from within the Configuration Manager console. For more information, see About the service connection point.
- On the Settings Summary page, review the settings that you've selected. When you're ready, choose Next to start the Prerequisite Checker.
- The Prerequisite Installation Check page lists any problems that the checker can identify.
- When the Prerequisite Checker finds a problem, choose an item in the list for details about how to resolve the problem.
- Before you can continue to install the site, resolve Failed items. Also try to resolve items with a status of Warning, but they don't block the installation of the site.
- After resolving issues, choose Run Check to rerun the Prerequisite Checker. When the Prerequisite Checker runs, and no checks receive a Failed status, you can choose Begin Install to start the site installation.
Tip
In addition to the feedback that the wizard provides, you can find additional information about prerequisite issues in the ConfigMgrPrereq.log file. It's in the root of the system drive of the computer on which you're installing the site. For more information, see List of prerequisite checks.
- On the Installation page, Setup displays the installation status. When the core site server installation is complete, you can Close the installation wizard. When you close the wizard, the installation and initial site configurations continue in the background.
- You can connect a Configuration Manager console to the site before Setup is complete. This console connects as read-only, and lets you view objects and settings, but you can't modify anything.
- After Setup completes, you can connect a console that can edit objects and settings.
Expand a stand-alone primary site
When you've installed a stand-alone primary site as your first site, you have the option later to expand that site into a larger hierarchy by installing a central administration site.
When you expand a stand-alone primary site, you install a new central administration site that uses the existing stand-alone primary site database as a reference. After the new central administration site installs, the stand-alone primary site functions as a child primary site.
- You can only expand a stand-alone primary site into a new hierarchy.
- You can only expand one stand-alone primary site into a specific hierarchy. You can't use this option to join additional stand-alone primary sites into the same hierarchy. Instead, use the Migration Wizard to migrate data from one hierarchy into another. For more information, see Migrate data between hierarchies.
- After you expand a stand-alone site into a hierarchy with a central administration site, you can add additional child primary sites.
- To remove a primary site from a hierarchy with a central administration site, first uninstall the primary site.
To expand the site, use the Configuration Manager Setup Wizard to install a new central administration site with the following caveats:
- Install the central administration site by using the same version of Configuration Manager as the stand-alone primary site.
- On the Getting Started page of the Setup Wizard, select the option to install a central administration site. At a later stage of Setup, you'll choose an option to expand an existing stand-alone primary site.
- When you configure the Client Language Selection page for the new central administration site, select the same client languages that are configured for the stand-alone primary site that you're expanding.
- On the Site Installation page, select the option to expand the stand-alone primary site.
To expand a stand-alone primary site, first see the prerequisites to expand a site. Then use the procedure To install a primary or central administration site earlier in this article.
Install a secondary site
Use the Configuration Manager console to install a secondary site.
- If the console you use isn't connected to the primary site that will be the parent site to the new secondary site, the command to install the site is replicated to the correct primary site.
- Before starting the site installation, make sure that your user account has the prerequisite permissions. Also make sure that the server that will host the new secondary site meets all the prerequisites for use as a secondary site server.
- When you install the secondary site, Configuration Manager configures the new site to use the client communication ports that are configured at the parent primary site.
Process to install a secondary site
- In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the site that will be the parent primary site of the new secondary site.
- To start the Create Secondary Site Wizard, choose Create Secondary Site in the ribbon.
- On the Before You Begin page, confirm that the primary site that's listed is the site that you want to be the parent of the new secondary site. Then choose Next.
- On the General page, specify the following settings:
- Site code: Each site code in a hierarchy must be unique. Use three alpha-numeric digits: A through Z and 0 through 9. Because the site code is used in folder names, don't use Windows-reserved names, including:
- AUX
- CON
- NUL
- PRN
- SMS
Note
Setup doesn't verify whether the site code that you specify is already in use, or if it's a reserved name.
- Site server name: This value is the FQDN of the server where the new secondary site will install.
- Site name: Each site requires this friendly name, which can help you identify the site.
- Installation folder: This folder is the path to the Configuration Manager installation. You can't change the location after the site installs. The path can't contain Unicode characters or trailing spaces.
Important
After you specify details on this page, you can choose Summary to go directly to the Summary page of the wizard. This action uses the default settings for the remainder of the secondary site options.
- Only use this option when you're familiar with the default settings in this wizard, and they're the settings you want to use.
- When you use the default settings, boundary groups aren't associated with the distribution point. Until you configure boundary groups that include the secondary site server, clients won't use the distribution point that's installed on this secondary site as a content source location.
- On the Installation Source Files page, choose how the secondary site computer obtains source files for installing the site. When you use CD.Latest source files that are shared on the network or copied locally to the target secondary site server:
- Version 1802 and earlier
- The CD.Latest source file location includes a folder named Redist. Move this Redist folder as a subfolder under the SMSSETUP folder.
Note
If hash mismatch errors occur during setup, update the Redist folder. Use the Setup Downloader to get the latest files. For any files that cause a hash mismatch error, also copy them from the updated Redist folder to the SMSSETUP\BIN\X64 folder.
- Version 1806 and later
- The CD.Latest source file location includes a folder named Redist. Move this Redist folder as a subfolder under the SMSSETUP folder.
- Copy the following files from the Redist folder to the SMSSETUP\BIN\X64 folder:
- SharedManagementObjects.msi
- SQLSysClrTypes.msi
- sqlncli.msi
- If any of the files from Redist aren't available, Setup fails to install the secondary site.
- The computer account of the secondary site server must have Read permissions to the source file folder and share.
- On the SQL Server Settings page, specify the version of SQL Server to use, and then configure related settings.
Note
Setup doesn't validate the information that you enter on this page until it starts the installation. Before you continue, verify these settings.
- Install and configure a local copy of SQL Express on the secondary site computer
- SQL Server Service port: Specify the SQL Server service port for SQL Server Express to use. The service port is typically configured to use TCP port 1433, but you can configure another port.
- SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server Express to use. The Service Broker is typically configured to use TCP port 4022, but you can configure a different port. Specify a valid port that no other site or service is using, and that no firewall restrictions are blocking.
- Use an existing SQL Server instance
- SQL Server FQDN: Review the FQDN for the computer running SQL Server. You must use a local server running SQL Server to host the secondary site database, and you can't modify this setting.
- SQL Server instance: Specify the instance of SQL Server to use as the secondary site database. Leave this option blank to use the default instance.
- ConfigMgr site database name: Specify the name to use for the secondary site database.
- SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server to use. Specify a valid port that no other site or service is using, and that no firewall restrictions block.
Tip
For a list of the SQL Server versions that Configuration Manager supports, see Supported SQL Server versions.
- On the Distribution Point page, configure settings for the distribution point that will be installed on the secondary site server.
- Required settings:
- Specify how client devices communicate with the distribution point: Choose between HTTP and HTTPS.
- Create a self-signed certificate or import a PKI client certificate: Choose between using a self-signed certificate or importing a certificate from your PKI. A self-signed certificate lets you also allow anonymous connections from Configuration Manager clients to the content library. The certificate is used to authenticate the distribution point to a management point before the distribution point sends status messages. For more information, see PKI certificate requirements.
- Optional settings:
- Install and configure IIS if required by Configuration Manager: Select this setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server, if it's not already installed. IIS is required on all distribution points.
Note
Although this setting is optional, IIS must be installed on the server before a distribution point can be installed successfully.
- Enable and configure BranchCache for this distribution point
- Description: This value is a friendly description for the distribution point to help you recognize it.
- Enable this distribution point for prestaged content
- On the Drive Settings page, specify the drive settings for the secondary site distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share. However, Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page is where you configure the priority for the disk drives and the amount of free disk space to remain on each disk drive.
- Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives.
- Content Locations: Specify the content locations for the content library and package share. Configuration Manager copies content to the primary content location until the amount of free space reaches the value that's specified for Drive space reserve (MB).
By default, the content locations are set to Automatic. The primary content location is set to the disk drive that has the most disk space at installation time. The secondary location is set to the disk drive that has the most free disk space after the primary drive. When the primary and secondary drives reach the drive space reserve, Configuration Manager selects another available drive with the most free disk space and continues the copy process.
- On the Content Validation page, specify whether to validate the integrity of content files on the distribution point.
- When you enable content validation on a schedule, Configuration Manager starts the process at the scheduled time. All content on the distribution point is verified.
- You can also configure the Content validation priority.
- To view the results of the content validation process, in the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status, and select the Content Status node. It displays the content for each package type. These types include applications, software update packages, and boot images.
- On the Boundary Groups page, manage the boundary groups that this distribution point is assigned to:
- During content deployment, clients must be in a boundary group that's associated with the distribution point to use it as a source location for content.
- You can select the Allow fallback source location for content option to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no preferred distribution points are available. For more information, see the Fundamental concepts for content management.
- On the Summary page, verify the settings, and then choose Next to install the secondary site. When the wizard presents the Completion page, you can close the wizard. The secondary site installation continues in the background.
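Both the primary site procedure (Site and Installation Settings page) and the secondary site procedure (General page) note that Setup doesn't verify the site code, so it helps to check those values before running the wizard. The following PowerShell is an added example, not part of Configuration Manager or the original article: it checks a site code, installation folder and SQL Server name against the rules stated in this article. The function name, the sample inputs, the reading of "Unicode characters" as non-ASCII characters, and the FQDN pattern are assumptions of the example.

```powershell
# Added example: pre-flight checks for values the Setup wizard accepts without verifying them.
# Reserved names are the ones this article lists; it says "including", so the list is not exhaustive.
$ReservedSiteCodes = 'AUX', 'CON', 'NUL', 'PRN', 'SMS'

function Test-CmSiteInput {
    param(
        [string]$SiteCode,
        [string]$InstallFolder,
        [string]$SqlServerName,                  # optional: 'FQDN' or 'FQDN,port'
        [string[]]$ExistingSiteCode = @(),       # site codes already used in the hierarchy (your own inventory)
        [int]$ServiceBrokerPort = 4022,          # default SSB port named in this article
        [string]$SystemDrive = $env:SystemDrive  # used only for the OS-partition warning
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # Site code: three characters, A-Z and 0-9. The article doesn't address letter case;
    # this example accepts either case and compares case-insensitively.
    if ($SiteCode -cnotmatch '\A[A-Za-z0-9]{3}\z') {
        $problems.Add("Site code '$SiteCode' must be exactly three characters from A-Z and 0-9.")
    }
    elseif ($ReservedSiteCodes -contains $SiteCode) {
        $problems.Add("Site code '$SiteCode' is a reserved name.")
    }
    elseif ($ExistingSiteCode -contains $SiteCode) {
        $problems.Add("Site code '$SiteCode' is already used in the hierarchy.")
    }

    # Installation folder: no trailing spaces, and (assumed reading) no non-ASCII characters.
    if ($InstallFolder.EndsWith(' ')) {
        $problems.Add('Installation folder ends with a space.')
    }
    if ($InstallFolder -cmatch '[^\x00-\x7F]') {
        $problems.Add('Installation folder contains non-ASCII characters.')
    }
    if ($SystemDrive -and
        $InstallFolder.StartsWith($SystemDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
        $warnings.Add("Installation folder is on the OS partition ($SystemDrive).")
    }

    # SQL Server name: FQDN, optionally followed by a comma and a custom port.
    if ($SqlServerName) {
        $fqdnPattern = '\A([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]{0,62}\z'
        $parts = $SqlServerName.Split(',')
        if ($parts.Count -gt 2) {
            $problems.Add("SQL Server name '$SqlServerName' has more than one comma.")
        }
        if ($parts[0] -cnotmatch $fqdnPattern) {
            $problems.Add("SQL Server name '$($parts[0])' is not a fully qualified domain name.")
        }
        if ($parts.Count -eq 2) {
            $portText = $parts[1]
            if ($portText -notmatch '\A\d{1,5}\z' -or [int]$portText -lt 1 -or [int]$portText -gt 65535) {
                $problems.Add("SQL Server port '$portText' is not a number from 1 to 65535.")
            }
            elseif ([int]$portText -eq $ServiceBrokerPort) {
                $problems.Add("SQL Server port $portText is the same as the Service Broker port.")
            }
        }
    }

    [pscustomobject]@{
        SiteCode = $SiteCode
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Constructed sample inputs: one acceptable set and two sets that break the rules above.
$samples = @(
    @{ SiteCode = 'P01'; InstallFolder = 'D:\ConfigMgr';  SqlServerName = 'SQLServer1.fabrikam.com,1551' }
    @{ SiteCode = 'CON'; InstallFolder = 'D:\ConfigMgr '; SqlServerName = 'SQLServer1.fabrikam.com,4022' }
    @{ SiteCode = 'AB';  InstallFolder = "D:\Config$([char]0x00E9)"; SqlServerName = 'sqlserver1,99999' }
)

foreach ($s in $samples) {
    Test-CmSiteInput @s -ExistingSiteCode 'CAS', 'P02' | Format-List
}
```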
How to verify the secondary site installation status
- In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.
- Select the secondary site that you're installing, and then choose Show Install Status in the ribbon.
Tip
When you install more than one secondary site at a time, the Prerequisite Checker runs against a single site at a time. It must finish a site before it starts to check the next site.