Windows 2012 – Demote, Promote Domain controllers & Ds Role Server Service relationship


 

Hello World,

Today, we will quickly talk about the importance of the DS Role Server service in Windows 2012 Server. It's by pure coincidence that I met the DS Role Server service on Windows 2012. I was working on an environment where strong hardening had been applied to the server. I started the dcpromo operation and it failed miserably….

You wanna know the how and the what… Keep reading then….

Note :

You can read the post about Windows 2012 server promotion/demotion by following the link below

Meet the DS role Server service

As already mentioned, we were building up a new Windows 2012 Active Directory infrastructure. This environment was a little bit special because the customer was hardening the server infrastructure. We started the promotion process of an additional Domain Controller. We have described the process in this post. We went through the Active Directory Services Configuration Wizard and everything went fine until the result page was displayed.

The Result page was displaying something similar to the following screenshot.

 


 

The result page was displaying the following error message :   “The service cannot be started because either it’s disabled or because it has not enabled devices associated to it” 

The Wizard didn't tell me which service was having the problem. To identify the offending service, we simply opened the Services MMC console, sorted the services by startup type and went through them. After some time, we found that there was indeed a service called DS Role Server that was set to Disabled.


After changing the startup type from Disabled to Manual, we started the Active Directory Services Configuration Wizard again and were able to successfully perform the dcpromo operation.

Final Notes

When performing your promotion/demotion operations, ensure that the DS Role Server service is set to manual startup. This is an important change in Windows 2012 Server. In the previous versions, we were using the dcpromo command line utility to promote/demote the domain controller. In Windows 2012 Server, the setup process has been redesigned and dcpromo has been deprecated. The addition/removal of a Domain Controller is fully integrated in the Add/Remove roles approach.

So, if you have a security team that's in charge of hardening your servers, notify them that for future Domain Controllers, the DS Role Server service cannot be disabled if you want to be able to promote/demote or even clone your Domain Controller.
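
The manual check described above (sorting services by startup type, then fixing DS Role Server) can be scripted as a pre-flight step before running the wizard. This is an added example, not part of the original post; it assumes an elevated PowerShell session on an English-language server, where the service's display name is "DS Role Server" as shown in the Services console.

```powershell
# Pre-flight check before promoting/demoting a DC on a hardened Windows Server 2012 host.
# Added example; assumes an elevated session and the English display name "DS Role Server".

# List every disabled service: the scripted equivalent of sorting services.msc
# by startup type, so the hardening baseline can be reviewed in one pass.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Disabled'" |
    Sort-Object DisplayName |
    Format-Table Name, DisplayName, StartMode, State -AutoSize |
    Out-Host

# Locate DS Role Server by the display name shown in the Services console.
$filter = "DisplayName='DS Role Server'"
$svc = Get-CimInstance -ClassName Win32_Service -Filter $filter

if (-not $svc) {
    Write-Warning "DS Role Server service not found on $env:COMPUTERNAME."
}
elseif ($svc.StartMode -eq 'Disabled') {
    Write-Warning "DS Role Server ($($svc.Name)) is Disabled; promotion/demotion will fail."

    # Manual is sufficient: the service only has to be startable on demand
    # by the Active Directory Domain Services Configuration Wizard.
    Set-Service -Name $svc.Name -StartupType Manual

    # Re-query to confirm the change actually took effect.
    $after = Get-CimInstance -ClassName Win32_Service -Filter $filter
    "DS Role Server startup type is now: $($after.StartMode)"
}
else {
    "DS Role Server ($($svc.Name)) startup type is $($svc.StartMode); nothing to change."
}
```

If the Disabled setting comes from a Group Policy hardening baseline, a local change like this is reverted at the next policy refresh, so the baseline itself has to be adjusted for Domain Controllers.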

Till next time

See ya

 
