Event ID 24 — Active Directory Domain Services Availability

To verify license compliance, Active Directory Domain Services must be available and functioning correctly.

Event Details

Product: Windows Operating System
ID: 24
Source: Microsoft-Windows-Windows Server Solutions Client Access Licensing
Version: 6.0
Symbolic Name: LIC_AD_SCHEMA_ERROR
Message: The AD schema appears to be incorrect (code %1).%r%2Please contact your customer service representative for assistance in correcting the issue.

Diagnose

This error might be caused by one of the following conditions:

  • A network connectivity problem exists with a Windows EBS domain controller.
  • A domain controller is not configured correctly.
  • Active Directory Domain Services (AD DS) is not configured correctly.
  • One or more of the required AD DS services are not running.
  • The SYSTEM account does not have permission to write to the Active Directory database.
  • The setup process is not finished on all three servers.

A network connectivity problem exists with a Windows EBS domain controller

To determine if there is a network connectivity problem with a Windows EBS domain controller, use the ping command.

Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.

To perform this procedure, you must belong to the local Administrators group, or you must have been delegated the appropriate authority.

To determine if there is a network connectivity problem with a domain controller

  1. On a server in the network (other than the server you are attempting to ping), click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type ping server_FQDN, where server_FQDN is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.

    If the ping is successful, you receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=20ms TTL=59

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=6ms TTL=59

  3. At the command prompt, type ping IP_address, where IP_address is the IP address of the domain controller, and then press ENTER.

If you cannot successfully ping the domain controller by IP address or by FQDN, see the section titled "Identify and fix domain controller connectivity issues."

A domain controller is not configured correctly

The dcdiag tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.

To view a report of the state of the domain controllers

  1. Run the following command on the Management Server:

    dcdiag /s:<ManagementServerName>

    Replace <ManagementServerName> with the name of the Management Server.

  2. Run the following command on the Messaging Server:

    dcdiag /s:<MessagingServerName>

    Replace <MessagingServerName> with the name of the Messaging Server.

For more information about using dcdiag, see "Dcdiag" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=133110).

Use the information in "Configure the domain controller" to help resolve connectivity issues.

Active Directory Domain Services is not configured correctly

Use Event Viewer to search for AD DS related events, and refer to AD DS troubleshooting information at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136736).

You can also view AD DS troubleshooting information at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136737).

Configure AD DS settings by using the information in "Correct Active Directory Domain Services issues."

One or more Active Directory Domain Services are not running

To view the services that are running on the domain controller

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.
  2. Ensure that the following services are running:
  • Active Directory Domain Services (NTDS)
  • DNS Server (DNS)
  • Kerberos Key Distribution Center (KDC)

Use the information in "Start the required services of Active Directory Domain Services" to ensure that the required services are running.

The SYSTEM account does not have permission to write to the Active Directory database

If event ID 12 is reported in Microsoft-Windows-Windows Server Solutions Client Access Licensing at the same time that this event is reported, the SYSTEM account may not have permission to read or write to the Active Directory database. If this occurs, see the section titled "Restore SYSTEM account permissions."

The setup process is not finished on all three servers

This event can occur because the setup process is not finished on all three servers. Ensure that the setup process finishes successfully on each server, and then verify that this event is not reported again.

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

  • Cause: The domain controller cannot be contacted
    Resolution: Identify and fix domain controller connectivity issues
  • Cause: The domain controller is not configured correctly
    Resolution: Configure the domain controller
  • Cause: Active Directory Domain Services is not configured correctly
    Resolution: Correct Active Directory Domain Services issues
  • Cause: The required services of Active Directory Domain Services are not running
    Resolution: Start the required services of Active Directory Domain Services
  • Cause: SYSTEM account cannot read or write to the Active Directory database
    Resolution: Restore SYSTEM account permissions

Identify and fix domain controller connectivity issues

To resolve this issue, identify and fix any network connectivity problems between the domain controllers and the other computers in the network.

Note:  The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.

To perform these procedures, you must belong to the local Administrators group, or you must have been delegated the appropriate authority.

If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution.

If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or IPsec configuration.

The following are some additional troubleshooting steps that you can perform to help identify the root cause of the problem:

  • Ping other computers on the network to help determine the extent of the network connectivity issue.
  • If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, check the network settings on the domain controller.
  • Check the TCP/IP settings on the local computer by doing the following:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type ipconfig /all, and then press ENTER. Make sure that the information listed is correct.
    3. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
    4. Type ping IP_address, where IP_address is the IP address assigned to the computer. If you can ping the localhost address but not the local address, there may be an issue with the routing table or with the network adapter driver.
    5. Type ping DNS_server, where DNS_server is the IP address assigned to the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers.
    6. If the domain controller is on a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this might indicate a problem with the network adapter, the router or gateway device, the cabling, or the other connectivity hardware.
  • In Device Manager, check the status of the network adapter. To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK.
  • Check the network connectivity indicator lights on the computer and at the hub or router. Check the network cabling.
  • Check the firewall settings by using the Windows Firewall with Advanced Security snap-in. For more information about troubleshooting and configuring Windows Firewall, see "Windows Firewall" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136738).
  • Check the IPsec settings by using the IP Security Policy Management snap-in.
  • Ensure the NTDS service is running on the domain controller.
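The following script is an added example, not part of the original page. It performs the checks from the procedures above (name resolution, ping by FQDN and by IP address) and then probes the TCP ports that a domain member actually needs, so that a missing ping reply can be told apart from a firewall or IPsec policy that simply filters ICMP. It assumes Windows PowerShell on a domain member, run as an administrator; it uses only .NET classes, so it does not need the NetTCPIP module. The domain controller name is a placeholder.

```powershell
# Added example, not part of the original page: scripted version of the ping
# checks above plus TCP port probes for the protocols AD DS clients use.
# Assumptions: Windows PowerShell on a domain member, run as an administrator;
# only .NET classes are used. The DC name below is a placeholder.
param(
    [string]$DcFqdn = 'server1.contoso.com'   # placeholder; replace with the real DC FQDN
)

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution. A DC that answers by IP but not by FQDN is a DNS
#    problem, not a connectivity problem.
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($DcFqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' })
} catch {
    $addresses = @()
}
if ($addresses.Count -eq 0) {
    Write-Warning "DNS lookup for $DcFqdn failed; check the DNS servers in 'ipconfig /all' and the DNS Server service on the DC."
    return
}
$dcIp = $addresses[0].IPAddressToString
Write-Host "$DcFqdn resolves to $dcIp"

# 2. ICMP echo, as in the procedure. A failure is only conclusive if the
#    firewall/IPsec policy allows ICMP (see the note above).
$icmpOk = Test-Connection -ComputerName $dcIp -Count 2 -Quiet
if ($icmpOk) { Write-Host "ICMP echo to ${dcIp}: reply" }
else         { Write-Warning "ICMP echo to ${dcIp}: no reply (ICMP may be filtered; see the port probes below)" }

# 3. TCP ports a domain member needs: DNS, Kerberos, LDAP and SMB (SYSVOL).
#    An open LDAP or Kerberos port proves the DC is reachable even when ICMP is blocked.
$ports = @(
    @{ Service = 'DNS';      Port = 53 },
    @{ Service = 'Kerberos'; Port = 88 },
    @{ Service = 'LDAP';     Port = 389 },
    @{ Service = 'SMB';      Port = 445 }
)
$results = foreach ($p in $ports) {
    New-Object PSObject -Property @{
        Service = $p.Service
        Port    = $p.Port
        Open    = Test-TcpPort -TargetHost $dcIp -Port $p.Port
    }
}
$results | Format-Table Service, Port, Open -AutoSize

if (@($results | Where-Object { -not $_.Open }).Count -gt 0) {
    Write-Warning "Closed AD DS ports on ${dcIp}: check Windows Firewall and IPsec rules at both ends, and that NTDS, DNS and KDC are running on the DC."
}
```

Run it from a server other than the one being tested, as the procedure says. If ICMP fails but LDAP and Kerberos are open, the DC is reachable and the ping failure is a filtering policy, not a connectivity fault; if all ports are closed while ICMP answers, look at the firewall rules and the AD DS services on the DC rather than at the network.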

Configure the domain controller

To resolve this issue, ensure that the Management Server and the Messaging Server are functioning as domain controllers. If both servers are domain controllers but are not functioning correctly, diagnose and fix problems by using the Domain Controller Diagnostic Tool (dcdiag.exe).

Ensure that the Management Server and the Messaging Server are domain controllers

To view domain information, run the following command:

netdom query DC

If the Management Server or the Messaging Server were demoted from being a domain controller by using the dcpromo tool, use dcpromo to promote the server to be a domain controller. For more information about using dcpromo, see "Dcpromo" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136741).

If the Management Server or the Messaging Server have stopped functioning as a domain controller because of corrupted data, it is recommended that you replace the server by using the Windows EBS Installation Wizard. For more information about replacing a server, see "Replacing a Server for Windows Essential Business Server" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=125657).

The dcdiag tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.

To view a report of the state of the domain controller, run the following command:

dcdiag /s:<ServerName>

Replace <ServerName> with the name of the Management Server or the Messaging Server.

Correct Active Directory Domain Services issues

To resolve this issue, use Ntdsutil to fix Active Directory Domain Services (AD DS) issues.

Ntdsutil.exe is a command-line tool that provides management facilities for AD DS and for Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil command to perform database maintenance of AD DS, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

For more information about using ntdsutil, see "Ntdsutil" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=132629).

Start the required services of Active Directory Domain Services

To view the services that are running on the domain controller

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.
  2. Ensure that the Active Directory Domain Services (NTDS) service, DNS Server (DNS) service, and Kerberos Key Distribution Center (KDC) service are running.
  3. If any of these services are not running, right-click the service and then click Start.
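The following script is an added example, not part of the original page. It does what the two procedures above (the check in the Diagnose section and the steps here) describe by hand: it checks the three required services on a domain controller and starts any that are stopped, reporting the state before and after. It assumes Windows PowerShell run as a local administrator on the domain controller, or against a remote domain controller with the Remote Service Management firewall rule enabled. The server name is a placeholder.

```powershell
# Added example, not part of the original page: checks NTDS, DNS and KDC on a
# domain controller and starts any that are stopped.
# Assumptions: run as a local administrator on the DC, or remotely with the
# Remote Service Management firewall rule enabled. The name is a placeholder;
# use '.' for the local machine.
param(
    [string]$ComputerName = 'server1.contoso.com'
)

# Service names as services.msc shows them, in start order: the directory
# service first, then DNS (AD-integrated zones need NTDS), then the KDC.
$required = 'NTDS', 'DNS', 'Kdc'

$report = foreach ($name in $required) {
    $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # Not installed: the server is not a DC, or not a DNS server.
        New-Object PSObject -Property @{ Service = $name; Before = 'not installed'; After = 'not installed' }
        continue
    }
    $before = $svc.Status
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -InputObject $svc -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        } catch {
            Write-Warning ("Could not start {0} on {1}: {2}" -f $name, $ComputerName, $_.Exception.Message)
        }
        $svc.Refresh()
    }
    New-Object PSObject -Property @{ Service = $name; Before = $before; After = $svc.Status }
}

$report | Format-Table Service, Before, After -AutoSize

# A service that will not stay running logs the reason in the Directory
# Service, DNS Server or System event log; read that before retrying.
if (@($report | Where-Object { $_.After -ne 'Running' }).Count -gt 0) {
    Write-Warning "Not all required AD DS services are running on $ComputerName."
}
```

A service that starts and then stops again within seconds is not a "service not running" problem but a symptom of the underlying cause (a database that will not mount, a missing DNS zone, a clock skew the KDC rejects); the event log entry written at the time of the stop names it.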

Restore SYSTEM account permissions

To resolve this issue, ensure that the SYSTEM account has Read and Write permissions to the Active Directory database.

To assign Read and Write permissions to the SYSTEM account by using the ADSI Edit snap-in

  1. Click Start, click in the Start Search box, type adsiedit.msc, and then press ENTER. The ADSI Edit snap-in opens in Microsoft Management Console.
  2. On the Action menu, click Connect to, accept the default selection of Default naming context, and then click OK.
  3. In the navigation tree, expand Default naming context, expand DC=<DomainName>, DC=com, and then click CN=System.
  4. In the containers pane, right-click CN=msWssgConfig, and then click Properties.
  5. Click the Security tab, and then click Advanced.
  6. Ensure that Current owner is set to SYSTEM.
  7. Click the Permissions tab, and ensure that the SYSTEM account has Read and Write permissions.
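The following script is an added example, not part of the original page. It reads the security descriptor of CN=msWssgConfig,CN=System,<domain DN> and reports the owner and whether the SYSTEM account (SID S-1-5-18) holds Read and Write, which is what steps 6 and 7 above check by hand. It changes nothing. It assumes Windows PowerShell run as a domain administrator on a domain member and uses the System.DirectoryServices .NET classes, so no Active Directory module is needed.

```powershell
# Added example, not part of the original page: reads the ACL of the
# msWssgConfig object and reports SYSTEM's Read/Write rights. Read-only.
# Assumptions: run as a domain administrator on a domain member;
# uses System.DirectoryServices only.
Add-Type -AssemblyName System.DirectoryServices

# Discover the default naming context instead of hard-coding DC=<DomainName>,DC=com.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
$objectDn = "CN=msWssgConfig,CN=System,$domainDn"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$objectDn")) {
    Write-Warning "$objectDn does not exist; the Windows EBS setup may not have finished on all servers."
    return
}

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$objectDn")
$sd    = $entry.ObjectSecurity

Write-Host "Object : $objectDn"
Write-Host ("Owner  : {0}" -f $sd.GetOwner([System.Security.Principal.NTAccount]))

# All ACEs (explicit and inherited) that name SYSTEM directly. Matching by
# SID avoids depending on the localised account name.
$aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' })

$granted = 0
$denied  = 0
foreach ($ace in $aces) {
    if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }
    else                                    { $denied  = $denied  -bor [int]$ace.ActiveDirectoryRights }
}

# GenericRead and GenericWrite are composite flags; GenericAll covers both.
# Any Deny ACE overlapping a right takes precedence, so it is treated as missing.
$read  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$write = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$hasRead  = (($granted -band $read)  -eq $read)  -and (($denied -band $read)  -eq 0)
$hasWrite = (($granted -band $write) -eq $write) -and (($denied -band $write) -eq 0)

Write-Host "SYSTEM Read : $hasRead"
Write-Host "SYSTEM Write: $hasWrite"
foreach ($ace in $aces) {
    Write-Host ("  {0,-5} {1} (inherited: {2})" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.IsInherited)
}

# Caveat: only ACEs naming SYSTEM itself are counted; rights it receives
# through group membership are not. A False here means "check Effective
# Access in ADSI Edit", not "grant Full Control".
if (-not ($hasRead -and $hasWrite)) {
    Write-Warning "SYSTEM lacks explicit Read and/or Write on $objectDn; review the ACL on the Security tab (Advanced) in ADSI Edit."
}
```

When a right really is missing, add the narrowest ACE that restores Read and Write for SYSTEM on this one object rather than widening the ACL or granting Full Control; the object sits under CN=System, and permissions granted there are a common place for excessive rights to accumulate unnoticed.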

Verify

Query the domain controller for information

Netdom enables administrators to manage domains and trust relationships from the command line.

To view domain information, run the following command:

netdom query DC

For more information about using the netdom tool, see "Netdom" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136703).

Diagnose the status of the domain controllers

Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.

To view a report of the state of the domain controller, run the following command:

dcdiag /s:<ServerName>

Replace <ServerName> with the name of the Management Server or the Messaging Server.

Test trust relationships and the state of domain controller replication in the domain

To test the domain controller, run the following command:

nltest /dsgetdc:%userDNSdomain%

%userDNSdomain% is an environment variable that contains the DNS name of the domain the current user is logged on to. The command asks the Netlogon DC locator for a domain controller in that domain and prints its name, address and site; if it fails, clients cannot locate a domain controller at all, which usually points to the DNS SRV records or the Netlogon service.

For more information about using the nltest tool, see "Nltest" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136743).
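The following script is an added example, not part of the original page. It runs the three verification commands above (netdom query DC, nltest /dsgetdc, dcdiag) against both Windows EBS domain controllers and summarises the result so the check can be repeated after each fix; it serves the dcdiag procedure in the Diagnose section as well as this Verify section. It assumes that dcdiag, netdom and nltest are in the path (a domain controller or a machine with the AD DS tools installed) and that it runs as a domain administrator. The server names are placeholders.

```powershell
# Added example, not part of the original page: runs netdom, nltest and dcdiag
# against both EBS domain controllers and summarises the outcome.
# Assumptions: dcdiag, netdom and nltest in the path; run as a domain admin.
# Server names are placeholders.
$servers = 'management.contoso.com', 'messaging.contoso.com'
$domain  = $env:USERDNSDOMAIN

# netdom query DC lists the DCs the domain knows about (NetBIOS names);
# both servers must appear, otherwise one of them has been demoted.
$knownDcs = netdom query DC 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($s in $servers) {
    $short = $s.Split('.')[0]
    if ($knownDcs -contains $short) { Write-Host "$short is listed as a domain controller" }
    else { Write-Warning "$short is not listed by 'netdom query DC'; it may have been demoted" }
}

# nltest /dsgetdc: asks the DC locator for a DC; failure means clients cannot
# find a DC at all (DNS SRV records or Netlogon).
$locate = nltest /dsgetdc:$domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning ("nltest /dsgetdc:{0} failed:`n{1}" -f $domain, ($locate -join "`n"))
} else {
    Write-Host ($locate | Where-Object { $_ -match '^\s*DC:' })
}

# dcdiag /q prints only failures; each "... failed test <Name>" line names one.
$summary = foreach ($s in $servers) {
    $out = dcdiag /s:$s /q 2>&1 | ForEach-Object { $_.ToString() }
    $failed = @()
    foreach ($line in $out) {
        if ($line -match 'failed test (\w+)') { $failed += $Matches[1] }
    }
    New-Object PSObject -Property @{
        Server      = $s
        Healthy     = ($failed.Count -eq 0)
        FailedTests = ($failed -join ', ')
    }
}
$summary | Format-Table Server, Healthy, FailedTests -AutoSize
```

Rerun the script after each resolution step; the event should stop being reported once both servers are listed, the locator succeeds and dcdiag reports no failed tests. A dcdiag failure in the Advertising, KccEvent or Services tests maps directly to the "services not running" cause above, while Connectivity failures map to the connectivity cause.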
