KnowledgeBase: "The server is not operational" domain controller configuration error when you configure a server by using Server Manager
Microsoft introduced KnowledgeBase article 2738697 with the title "The server is not operational" domain controller configuration error when you configure a server by using Server Manager.
Alternatively, they could’ve named this KnowledgeBase article Why you need to domain join proposed Replica Domain Controllers first in Active Directory in Windows Server 2012. Another good candidate would’ve been: NTLM authentication is disabled by default on Windows Server 2012-based Domain Controllers.
While the title of Microsoft KnowledgeBase article 2738697 suggests this problem only occurs when using Server Manager, you’ll experience similar behavior when using the Install-ADDSDomainController PowerShell Cmdlet to create a new replica Domain Controller.
In this blogpost I’ll explain why.
The Active Directory Domain Services Configuration Wizard, that is part of the new Domain Controller Promotion process in Windows Server 2012, has two modes:
- Non-domain joined mode
In this mode, the Active Directory Domain Services Configuration Wizard uses NTLM v2 authentication to browse the Active Directory forest. This mode is in use, when the server you have envisioned as a replica Domain Controller is not joined to the domain for which you want it to become a replica Domain Controller.
- Domain joined mode
In this mode, the Active Directory Domain Services Configuration Wizard uses Kerberos authentication to browse the Active Directory forest. This mode is in use, when the proposed replica Domain Controller is joined to the domain.
This makes sense, since Kerberos requires a Kerberos realm. In Active Directory terms, the server needs to know about the forest before it can use Kerberos authentication.
But a Windows Server 2012-based Active Directory environment has NTLM authentication disabled by default. Therefore, a proposed replica Domain Controller that is not domain joined cannot browse the Active Directory forest, and so cannot become a replica Domain Controller.
The Active Directory Domain Services Configuration Wizard gives no indication of which authentication method is being used.
“You’ll want to use Kerberos”
While NTLM authentication sounds like a great idea, you will want to use Kerberos authentication in your Active Directory environment and especially when you promote a server to a Domain Controller. When comparing Kerberos to NTLM authentication, the following advantages for Kerberos show up for the domain controller promotion scenario:
- Mutual authentication.
When a member server uses the Kerberos protocol for authentication, Kerberos provides the member server with assurance that the service it contacts is not being impersonated by malicious code on the network.
- Improved performance.
Kerberos authentication offers improved performance over NTLM authentication.
The solution given in Microsoft KnowledgeBase article 2738697 is to domain join the proposed replica Domain Controller before promoting it to a replica Domain Controller.
The instructions below assume you have LDAP, RPC, and DNS connectivity and can contact all existing domain controllers without issue for other operations.
On a Full installation of Windows Server 2012, log on with administrative privileges. Press Win+X, then select System from the Power User Menu. Click the Change settings link in the Computer name, domain and workgroup settings area. Click the Change… button and, in the Member of area, select Domain: and type either the NetBIOS or the (Fully Qualified) DNS name of the Active Directory domain, then click OK. Supply domain credentials. When welcomed to the domain, click OK again and then click OK to reboot.
After the reboot, from Server Manager, run the Active Directory Domain Services Configuration Wizard again and promote the member server to a replica Domain Controller.
Server Core installations
On a Server Core installation of Windows Server 2012, things are a little bit different, but not necessarily more difficult. Log on with administrative privileges and on the command prompt type sconfig. This will display the Server Configuration screen. Choose option 1 to change Domain/Workgroup membership. Press D to join a domain. Type the DNS name of the domain to join and supply domain credentials. If you want to rename the server, you could specify that, otherwise let the server reboot as a member server.
Alternatively, you can use the following command-line one-liner (the operation is netdom join, and its options take a colon):
netdom join localhost /domain:domain.tld /userd:DOMAIN\Administrator /passwordd:* /reboot
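The join-then-promote workflow above, as an added PowerShell example that is not from the KB article or this post. It applies equally to the Install-ADDSDomainController route; the domain name, the account, and the klist-based Kerberos check are assumptions.

```powershell
# Added example (not from KB 2738697 or the original post): make sure the
# proposed replica DC is domain joined before promoting it, so the promotion
# browses the forest with Kerberos instead of the (disabled) NTLM path.
# Placeholders: domain.tld and DOMAIN\Administrator.
$DomainName = 'domain.tld'
$Credential = Get-Credential -UserName 'DOMAIN\Administrator' -Message 'Domain admin credentials'

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    # Not joined: the wizard would fall back to NTLM, which 2012 DCs refuse.
    # Join first, reboot, log on with domain credentials, then re-run this script.
    Add-Computer -DomainName $DomainName -Credential $Credential -Restart
    return
}

if ($cs.Domain -ne $DomainName) {
    throw "Joined to $($cs.Domain), not $DomainName; join the target domain first."
}

# Joined: forest browsing now uses Kerberos. The wizard gives no indication of
# the method, so check for a TGT ourselves (a heuristic, not a wizard diagnostic).
if (-not (klist tgt 2>$null | Select-String -Pattern 'krbtgt')) {
    Write-Warning 'No Kerberos TGT in this logon session; check DNS and KDC reachability before promoting.'
}

Import-Module ADDSDeployment
$SafeModePwd = Read-Host -AsSecureString -Prompt 'DSRM password'

# Prerequisite check first; it surfaces connectivity and authentication problems
# without changing the server.
$check = Test-ADDSDomainControllerInstallation -DomainName $DomainName `
    -Credential $Credential -SafeModeAdministratorPassword $SafeModePwd -InstallDns
if ($check.Status -ne 'Success') {
    $check | Format-List
    throw 'Prerequisite check failed; fix the reported issues before promoting.'
}

Install-ADDSDomainController -DomainName $DomainName -Credential $Credential `
    -SafeModeAdministratorPassword $SafeModePwd -InstallDns -Force
```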
Related KnowledgeBase article
"The server is not operational" domain controller configuration error when you configure a server by using Server Manager
Related blogposts
New features in AD DS in Windows Server 2012, Part 2: New Promotion Process
New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets