UserAccountControl Explained: A Tool to Determine Account State and Settings
- mulvohoticom
- Aug 16, 2023
- 8 min read
Resolution and Notes (continued from the preceding entry, which is cut off above):
    Uninstall-WindowsFeature DNS
or
    Set-Service DNS -StartupType Disabled
    Stop-Service DNS

Issue: Promoting a Windows Server 2012 domain controller into an existing single-label domain does not configure updatetopleveldomain=1 or allowsinglelabeldnsdomain=1
Symptoms: DNS dynamic record registration does not occur.
Resolution and Notes: Set these values using the Netlogon and DNS group policies. Microsoft began blocking single-label domain creation in Windows Server 2008; use ADMT or the Domain Rename Tool to move to an approved DNS domain structure.

Issue: Demotion of the last domain controller in a domain fails if there are pre-created, unoccupied RODC accounts
Symptoms: Demotion fails with message:
    Dcpromo.General.54
    Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com.
    "The format of the specified domain name is invalid."
Resolution and Notes: Remove any remaining pre-created RODC accounts before demoting the domain, using Dsa.msc or Ntdsutil.exe metadata cleanup.

Issue: Automated forest and domain preparation does not run GPPREP
Symptoms: Cross-domain planning functionality for Group Policy, Resultant Set of Policy (RSOP) Planning Mode, requires updated file system and Active Directory permissions for existing GPOs. Without Gpprep, you cannot use RSOP Planning across domains.
Resolution and Notes: Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Administrators should run Gpprep only once in the history of a domain, not with every upgrade. Automatic adprep does not run it because, if you have already set adequate custom permissions, it would cause all SYSVOL contents to re-replicate on all domain controllers.

Issue: Install from media fails to verify when pointing to a UNC path
Symptoms: Error returned:
    Could not validate media path. Exception calling "GetDatabaseInfo" with "2" arguments. The folder is not valid.
Resolution and Notes: You must store IFM files on a local disk, not on a remote UNC path. This intentional block prevents a partial server promotion caused by a network interruption.

Issue: DNS delegation warning shown twice during domain controller promotion
Symptoms: Warning returned twice when promoting using ADDSDeployment Windows PowerShell:
    "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain. Otherwise, no action is required."
Resolution and Notes: Ignore. ADDSDeployment Windows PowerShell shows the warning first during prerequisite checking, then again during configuration of the domain controller. If you do not wish to configure DNS delegation, use the argument:
    -CreateDnsDelegation:$false
Do not skip the prerequisite checks in order to suppress this message.

Issue: Specifying UPN or non-domain credentials during configuration returns misleading errors
Symptoms: Server Manager returns error:
    Exception calling "DNSOption" with "6" Arguments
ADDSDeployment Windows PowerShell returns error:
    Verification of user permissions failed. You must supply the name of the domain to which this user account belongs.
Resolution and Notes: Ensure you are providing valid domain credentials in the form domain\user.

Issue: Removing the DirectoryServices-DomainController role using Dism.exe leads to an unbootable server
Symptoms: If you use Dism.exe to remove the AD DS role before demoting a domain controller gracefully, the server no longer boots normally and shows error:
    Status: 0x000000000
    Info: An unexpected error has occurred.
Resolution and Notes: Boot into Directory Services Repair Mode using Shift+F8. Add the AD DS role back, and then forcibly demote the domain controller. Alternatively, restore the System State from backup. Do not use Dism.exe for AD DS role removal; the utility has no knowledge of domain controllers.

Issue: Installing a new forest fails when setting forestmode to Win2012
Symptoms: Promotion using ADDSDeployment Windows PowerShell returns error:
    Test.VerifyDcPromoCore.DCPromo.General.74
    Verification of prerequisites for Domain Controller promotion failed. The specified domain functional level is invalid
Resolution and Notes: Do not specify a forest functional mode of Win2012 without also specifying a domain functional mode of Win2012. This combination works without errors:
    -ForestMode Win2012 -DomainMode Win2012

Issue: Clicking Verify in the Install from Media selection area appears to do nothing
Symptoms: When you specify a path to an IFM folder, clicking the Verify button never returns a message or appears to do anything.
Resolution and Notes: The Verify button only returns errors if there are issues. Otherwise, it makes the Next button selectable once you have provided an IFM path. You must click Verify to proceed if you have selected IFM.

Issue: Demoting with Server Manager does not provide feedback until completed
Symptoms: When using Server Manager to remove the AD DS role and demote a domain controller, there is no ongoing feedback until the demotion completes or fails.
Resolution and Notes: This is a limitation of Server Manager. For feedback, use the ADDSDeployment Windows PowerShell cmdlet:
    Uninstall-ADDSDomainController

Issue: Install from Media Verify does not detect that RODC media was provided for a writable domain controller, or vice versa
Symptoms: When promoting a new domain controller using IFM and providing the wrong media type, such as RODC media for a writable domain controller or RWDC media for an RODC, the Verify button does not return an error.
Later, promotion fails with error:
    An error occurred while trying to configure this machine as a domain controller. The Install-From-Media promotion of a Read-Only DC cannot start because the specified source database is not allowed. Only databases from other RODCs can be used for IFM promotion of a RODC.
Resolution and Notes: Verify only validates the overall integrity of the IFM. Do not provide the wrong IFM type to a server. Restart the server before you attempt promotion again with the correct media.

Issue: Promoting an RODC into a pre-created computer account fails
Symptoms: When using ADDSDeployment Windows PowerShell to promote a new RODC with a staged computer account, you receive error:
    Parameter set cannot be resolved using the specified named parameters.
    InvalidArgument: ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.Install
Resolution and Notes: Do not provide parameters that are already defined on the pre-created RODC account. These include:
    -ReadOnlyReplica
    -InstallDns
    -DoNotConfigureGlobalCatalog
    -SiteName

Issue: Deselecting/selecting "Restart each destination server automatically if required" does nothing
Symptoms: Whether or not you select the Server Manager option Restart each destination server automatically if required when demoting a domain controller through role removal, the server always restarts, regardless of the choice.
Resolution and Notes: This is intentional. The demotion process restarts the server regardless of this setting.

Issue: Dcpromo.log shows "[error] setting security on server files failed with 2"
Symptoms: Demotion of a domain controller completes without issues, but examination of the dcpromo log shows error:
    [error] setting security on server files failed with 2
Resolution and Notes: Ignore; the error is expected and cosmetic.

Issue: Prerequisite adprep check fails with error "Unable to perform Exchange schema conflict check"
Symptoms: When attempting to promote a Windows Server 2012 domain controller into an existing Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest, the prerequisite check fails with error:
    Verification of prerequisites for AD prep failed. Unable to perform Exchange schema conflict check for domain (Exception: the RPC server is unavailable)
The adprep.log shows error:
    Adprep could not retrieve data from the server through Windows Management Instrumentation (WMI).
Resolution and Notes: The new domain controller cannot access WMI through DCOM/RPC against the existing domain controllers. To date, there have been three causes for this:
- A firewall rule blocks access to the existing domain controllers
- The NETWORK SERVICE account is missing from the "Log on as a service" (SeServiceLogonRight) privilege on the existing domain controllers
- NTLM is disabled on the domain controllers, using the security policies described in Introducing the Restriction of NTLM Authentication

Issue: Creating a new AD DS forest always shows a DNS warning
Symptoms: When creating a new AD DS forest and creating the DNS zone on the new domain controller for itself, you always receive the warning message:
    An error was detected in the DNS configuration. None of the DNS servers used by this computer responded within the timeout interval. (error code 0x000005B4 "ERROR_TIMEOUT")
Resolution and Notes: Ignore. This warning is intentional on the first domain controller in the root domain of a new forest, in case you intended to point to an existing DNS server and zone.

Issue: Windows PowerShell -whatif argument returns incorrect DNS server information
Symptoms: If you use the -WhatIf argument when configuring a domain controller with an implicit or explicit -InstallDns:$true, the resulting output shows:
    "DNS Server: No"
Resolution and Notes: Ignore. DNS is installed and configured correctly.

Issue: After promotion, logon fails with "Not enough storage is available to process this command"
Symptoms: After you promote a new domain controller and then log off and attempt to log on interactively, you receive error:
    Not enough storage is available to process this command
Resolution and Notes: The domain controller was not rebooted after promotion, either because of an error or because you specified the ADDSDeployment Windows PowerShell argument -NoRebootOnCompletion. Restart the domain controller.

Issue: The Next button is not available on the Domain Controller Options page
Symptoms: Even though you have set a password, the Next button on the Domain Controller Options page in Server Manager is not available. There is no site listed in the Site name menu.
Resolution and Notes: You have multiple AD DS sites and at least one is missing subnets; this future domain controller belongs to one of those subnets. You must manually select the site from the Site name dropdown menu.
You should also review all AD sites using DSSITE.MSC, or use the following Windows PowerShell command to find all sites missing subnets:
    Get-ADReplicationSite -Filter * -Properties Subnets | Where-Object { -not $_.Subnets } | Format-Table Name

Issue: Promotion or demotion fails with message "the service cannot be started"
Symptoms: If you attempt promotion, demotion, or cloning of a domain controller, you receive error:
    The service cannot be started, either because it is disabled or because it has no enabled devices associated with it (0x80070422)
The error may be interactive, an event, or written to a log such as dcpromoui.log or dcpromo.log.
Resolution and Notes: The DS Role Server service (DsRoleSvc) is disabled. By default, this service is installed during AD DS role installation and set to a Manual start type. Do not disable this service. Set it back to Manual and allow the DS role operations to start and stop it on demand. This behavior is by design.

Issue: Server Manager still warns that you need to promote the DC
Symptoms: If you promote a domain controller using the deprecated dcpromo.exe /unattend, or upgrade an existing Windows Server 2008 R2 domain controller in place to Windows Server 2012, Server Manager still shows the post-deployment configuration task "Promote this server to a domain controller".
Resolution and Notes: Click the post-deployment warning link and the message will disappear for good. This behavior is cosmetic and expected.

Issue: Server Manager deployment script is missing the role installation
Symptoms: If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, it does not include the role installation cmdlet and arguments:
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Without the role, the DC cannot be configured.
Resolution and Notes: Manually add that cmdlet and its arguments to any saved scripts. This behavior is expected and by design.

Issue: Server Manager deployment script is not named .ps1
Symptoms: If you promote a domain controller using Server Manager and save the Windows PowerShell deployment script, the file is given a random temporary name rather than a .ps1 name.
Resolution and Notes: Manually rename the file. This behavior is expected and by design.

Issue: Dcpromo /unattend allows unsupported functional levels
Symptoms: If you promote a domain controller using dcpromo /unattend with the following sample answer file:
    [DCInstall]
    NewDomain=Forest
    ReplicaOrNewDomain=Domain
    NewDomainDNSName=corp.contoso.com
    SafeModeAdminPassword=Safepassword@6
    DomainNetbiosName=corp
    DNSOnNetwork=Yes
    AutoConfigDNS=Yes
    RebootOnSuccess=NoAndNoPromptEither
    RebootOnCompletion=No
    DomainLevel=0
    ForestLevel=0
promotion fails with the following errors in dcpromoui.log:
    dcpromoui EA4.5B8 0089 13:31:50.783 Enter CArgumentsSpec::ValidateArgument DomainLevel
    dcpromoui EA4.5B8 008A 13:31:50.783 Value for DomainLevel is 0
    dcpromoui EA4.5B8 008B 13:31:50.783 Exit code is 77
    dcpromoui EA4.5B8 008C 13:31:50.783 The specified argument is invalid.
    dcpromoui EA4.5B8 008D 13:31:50.783 closing log
    dcpromoui EA4.5B8 0032 13:31:50.830 Exit code is 77
Level 0 is Windows 2000, which is not supported in Windows Server 2012.
Resolution and Notes: Do not use the deprecated dcpromo /unattend, and understand that it allows you to specify invalid settings that only fail later. This behavior is expected and by design.

Issue: Promotion "hangs" at creating NTDS settings object and never completes
Symptoms: If you promote a replica DC or RODC, the promotion reaches "creating NTDS settings object" and never proceeds or completes. The logs stop updating as well.
Resolution and Notes: This is a known issue caused by providing the credentials of the built-in local Administrator account when its password matches that of the built-in domain Administrator account. This causes a failure deep in the core setup engine that does not raise an error but instead waits indefinitely (quasi-loop). This is expected, albeit undesirable, behavior. To fix the server:
1. Reboot it.
2. In AD, delete that server's member computer account (it will not yet be a DC account).
3. On that server, forcibly disjoin it from the domain.
4. On that server, remove the AD DS role.
5. Reboot.
6. Re-add the AD DS role and reattempt promotion, ensuring that you always provide domain\admin formatted credentials to DC promotion and not just the built-in local Administrator account.
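Several of the entries above are avoidable with a check before promotion starts. The script below is an added example, not code from the original page or from Microsoft: it covers the DsRoleSvc start type (the 0x80070422 entry), an IFM path that must be local rather than UNC, the domain\user credential form, and AD DS sites without subnets (the empty Site name menu). The IFM path, account name and the assumption that the ActiveDirectory module is installed are illustrative only.

```powershell
# Added example, not the page's own code. Pre-flight checks run on the server
# that is about to be promoted. Paths and account names are assumptions.

function Test-DsRoleSvc {
    # DS Role Server is installed with the AD DS role and must stay at Manual;
    # a Disabled start type makes promotion/demotion fail with 0x80070422.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DsRoleSvc'"
    if (-not $svc) {
        Write-Warning 'DsRoleSvc not found: install the AD DS role before promoting'
        return $false
    }
    if ($svc.StartMode -eq 'Disabled') {
        Write-Warning 'DsRoleSvc is Disabled; resetting it to Manual'
        Set-Service -Name DsRoleSvc -StartupType Manual
    }
    return $true
}

function Test-IfmPath([string]$Path) {
    # Promotion rejects UNC paths ("Could not validate media path"); the media
    # has to sit on a local disk. ntdsutil places the database under
    # "Active Directory\ntds.dit" inside the IFM folder.
    if ($Path -match '^\\\\') {
        Write-Warning "IFM path '$Path' is a UNC path; copy the media to a local disk"
        return $false
    }
    $dit = Join-Path $Path 'Active Directory\ntds.dit'
    if (-not (Test-Path -LiteralPath $dit)) {
        Write-Warning "No ntds.dit found under '$Path'"
        return $false
    }
    return $true
}

function Test-CredentialFormat([string]$UserName) {
    # The deployment cmdlets need domain\user. A UPN (user@domain) or a bare
    # user name produces "Verification of user permissions failed".
    return [bool]($UserName -match '^[^\\@]+\\[^\\@]+$')
}

function Get-SiteWithoutSubnet {
    # Sites with no subnets leave the Site name menu empty in Server Manager.
    Import-Module ActiveDirectory
    Get-ADReplicationSite -Filter * -Properties Subnets |
        Where-Object { -not $_.Subnets } |
        Select-Object -ExpandProperty Name
}

# Driver; the IFM path and account are assumptions.
$results = @((Test-DsRoleSvc), (Test-IfmPath 'C:\IFM'), (Test-CredentialFormat 'CORP\dcadmin'))
$emptySites = @(Get-SiteWithoutSubnet)
if ($emptySites.Count -gt 0) {
    Write-Warning ('Sites without subnets: ' + ($emptySites -join ', ') +
                   '. Add subnets in Dssite.msc or pass -SiteName explicitly.')
}
if ($results -contains $false) {
    'Fix the warnings above before running Install-ADDSDomainController'
} else {
    'Pre-flight checks passed'
}
```

Each check returns a boolean so the script can be wired into a larger deployment pipeline; the warnings name the entry above that explains the failure.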
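For the "Unable to perform Exchange schema conflict check" entry, the fastest way to tell the three listed causes apart is to reproduce, from the server being promoted, the access that adprep needs: WMI over DCOM/RPC to every existing domain controller. The following is an added example, not the page's or Microsoft's code; the domain and account names are assumptions.

```powershell
# Added example, not the page's own code. Exercises WMI over DCOM against each
# existing DC, which is what adprep's Exchange schema conflict check requires.
# Domain and account names are assumptions.
Import-Module ActiveDirectory
$domain = 'corp.contoso.com'
$cred   = Get-Credential -UserName 'CORP\dcadmin' -Message 'domain\user credentials'

# Force DCOM rather than WinRM, because DCOM/RPC is the transport adprep uses.
$dcom = New-CimSessionOption -Protocol Dcom
$dcs  = (Get-ADDomainController -Filter * -Server $domain -Credential $cred).HostName

foreach ($dc in $dcs) {
    # The RPC endpoint mapper (TCP/135) is the first thing a firewall blocks.
    # DCOM then moves to a dynamic high port, so 135 alone is not the full test.
    if (-not (Test-NetConnection -ComputerName $dc -Port 135 -InformationLevel Quiet)) {
        Write-Warning "$dc : TCP/135 unreachable, check firewall rules (cause 1)"
        continue
    }
    try {
        $s  = New-CimSession -ComputerName $dc -SessionOption $dcom -Credential $cred -ErrorAction Stop
        $os = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
        Write-Output "$dc : WMI over DCOM OK ($($os.Caption))"
        Remove-CimSession -CimSession $s
    } catch {
        # Port open but WMI refused: on $dc confirm NETWORK SERVICE still holds
        # "Log on as a service" (cause 2) and that incoming NTLM is not blocked
        # by the Restrict NTLM policies (cause 3).
        Write-Warning "$dc : WMI over DCOM failed: $($_.Exception.Message)"
    }
}
```

A DC that fails the port test points at the firewall; one that passes it but rejects the CIM session points at the logon right or the NTLM restriction, which have to be checked on that DC itself.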
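The AmbiguousParameterSet entry above says which parameters to leave out when promoting into a staged RODC account but does not show a working invocation. The following is an added example, not code from the original page or from Microsoft. It also applies the domain\user credential form and the -CreateDnsDelegation:$false switch from earlier entries. Domain and account names are assumptions.

```powershell
# Added example, not the page's own code. Promotion into a pre-created (staged)
# RODC account with the ADDSDeployment module. Names are assumptions.
Import-Module ADDSDeployment

$domain = 'corp.contoso.com'
$cred   = Get-Credential -UserName 'CORP\dcadmin' -Message 'Delegated RODC admin (domain\user)'
$dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = $domain
    UseExistingAccount            = $true   # bind to the staged account for this host name
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    CreateDnsDelegation           = $false  # suppresses the delegation warning shown twice
    # Not passed here, because they are already defined on the staged account
    # and repeating them makes the parameter set ambiguous:
    #   -ReadOnlyReplica -InstallDns -DoNotConfigureGlobalCatalog -SiteName
}

# Dry run: prerequisite checks only. -WhatIf prints "DNS Server: No" even when
# DNS will be installed; that output line is wrong, not the configuration.
Install-ADDSDomainController @params -WhatIf

# Real promotion; the server reboots on completion unless -NoRebootOnCompletion is set.
Install-ADDSDomainController @params
```

Splatting keeps the dry run and the real run identical, which matters here because the failure mode is a parameter combination rather than a value.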
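The six recovery steps for the "creating NTDS settings object" hang, scripted as an added example (not the page's or Microsoft's code). Run it as a local administrator on the stuck server after the first reboot (step 1); it performs steps 2 through 5 and leaves step 6 for the next boot. The domain, the account, and the presence of the ActiveDirectory module (installed with the role's management tools) are assumptions.

```powershell
# Added example, not the page's own code. Recovery from the promotion hang.
# Names are assumptions; the ActiveDirectory module is assumed to be present.
Import-Module ActiveDirectory

$domain = 'corp.contoso.com'
$me     = $env:COMPUTERNAME
# domain\user form: the local Administrator account is what triggered the hang.
$cred   = Get-Credential -UserName 'CORP\dcadmin' -Message 'Domain Admin (domain\user)'

# Step 2: delete the member computer account. It never became a DC account, so
# a plain Remove-ADComputer is enough; no metadata cleanup is needed.
Remove-ADComputer -Identity $me -Server $domain -Credential $cred -Confirm:$false

# Step 3: force the server out of the domain into a workgroup. -Force and
# -Confirm:$false suppress the prompts so the step runs unattended.
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Confirm:$false

# Steps 4 and 5: remove the AD DS role and reboot.
Uninstall-WindowsFeature -Name AD-Domain-Services -Restart

# Step 6, after the reboot, run by hand with domain\user credentials:
#   Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName $domain -Credential (Get-Credential 'CORP\dcadmin') `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString)
```

Step 6 is deliberately left as a comment: after the reboot the variables are gone, and the re-promotion is the moment to make sure the credential handed over is a domain account, not the local Administrator.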