Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

KnowledgeBase: "The service cannot be started" error during Active Directory Domain Services configuration

Microsoft KnowledgeBase article 2737880, titled "The service cannot be started" error during AD DS configuration describes an issue where promotion of a Windows Server 2012-based server to a Domain Controller and demotion of a Windows Server 2012-based Domain Controller is unable to finish.

Its root cause is a policy or an administrator that prevents the DS Role Server service (DsRoleSvc) from starting.

About the DS Role Server service

The DS Role Server service (DsRoleSvc) is new to Active Directory Domain Services in Windows Server 2012 and is used to install or remove Active Directory or to clone Domain Controllers. It is not present by default on Windows Server 2012, but gets installed when the Active Directory Domain Services Server Role is installed, either through Server Manager or the Install-WindowsFeature PowerShell Cmdlet.

  

The situation

In Windows Server 2012, you try to:

  • Configure a new Domain Controller by using Server Manager and the Active Directory Domain Services Configuration Wizard
  • Configure a new Domain Controller using the Install-ADDSForest, Install-ADDSDomain, or Install-ADDSDomainController PowerShell Cmdlets from the AddsDeployment Windows PowerShell module
  • Remove Active Directory Domain Services from an existing Domain Controller by using Server Manager and the Active Directory Domain Services Configuration Wizard
  • Remove Active Directory Domain Services from an existing Domain Controller by using the Uninstall-ADDSDomainController PowerShell Cmdlet from the AddsDeployment Windows PowerShell module
  • Clone a virtualized Domain Controller by using dccloneconfig.xml 

The configuration change fails, and you receive an error, stating that the service cannot be started, either because it is disabled or because it has no enabled devices associated with it:

An error occured when demoting the Active Directory domain controller. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Click for original screenshot)

When you try and perform the actions above through PowerShell, you receive the following error:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    

Additionally, you see that C:\Windows\Debug\dcpromoui.log contains the following line of text:

Enter GetErrorMessage 80070422

    

The cause

This error occurs because a policy or an administrator prevents the DS Role Server service (DsRoleSvc) from starting. A common configuration is to disable the service:

DS Role Service Properties

  

Note:
This does not occur because of the Security Configuration Wizard (scw.exe). Although the Security Configuration Wizard offers security configuration and is capable of service lockdown through Group Policies, based on current roles and services, installed on a reference server the DS Role Service is not affected by it.

     

The resolution

The KnowledgeBase article states to simply enable the service by setting its startup type to manual, either in the Services MMC Snap-in (services.msc) or by issuing the following command on an elevated command prompt:

sc.exe config dsrolesvc start= demand

  

Related KnowledgeBase articles

"The service cannot be started" error during AD DS configuration

Posted: Friday, November 30, 2012 2:00 PM by Sander Berkouwer

Comments

No Comments

Anonymous comments are disabled