Active Directory Web Service is missing

Anonymous
2024-06-07T17:56:48+00:00

Two domain controllers running Server 2019 Standard.

Both are fully up to date.

Domain and Forest functioning level is 2016.

I recently attempted to open Active Directory Administrative Center (ADAC) on my PC.

RSAT installed and working no issue until this.

ADAC generates an error "Cannot connect to any domain. Refresh or try again when connection is available"

If I click "Ok" and click any bookmark, the first error is "The bookmarked item cannot be found or no longer exists."

The second error is "Cannot find an available server in the domain.com domain that is running the Active Directory Web Service (ADWS)"

The actual "Active Directory Web Service" within services.msc does not exist in either domain controller.

ADAC was working fine recently and now it does not work from my PC or on either DC.

All demonstrate the same error.

I have since found some PowerShell commands that point to the same missing ADWS service.

The Get-ADUser command in PowerShell comes back with "Get-ADUser : Unable to find a default server with Active Directory Web Services running"

Both DCs are Global Catalogs

Both DCs are running DNS Server Service

One DC uses its own static IP as DNS server (not 127.0.0.1)

Second DC points to first DC for DNS

nslookup tests I did all seem to show correct information.

My first instinct was to check the health of Active Directory.

I ran "DCDiag /v" on both DCs

No errors on either other than reference to some occasional replication issues. (Usually happens during backups)

I ran repadmin /showrepl on both DCs

No errors reported.

I ran repadmin /replsum on both DCs

No errors reported.

It appears that AD is healthy.

How did ADWS disappear?

As mentioned, ADAC worked fine up until as recently as a month ago.

I have no other symptoms manifesting themselves as problems and there seems to be no issues on the network I am aware of.

I am just a little leery this might be the beginning of a bigger issue.

I can find no info about ADWS going MIA.

Before I resort to moving FSMO roles and redoing Domain Controllers, I thought I would put this to the community to see if anyone else has seen/experienced this.

Input appreciated.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


11 answers

  1. Anonymous
    2024-06-12T15:22:13+00:00

    No. I am hoping it does not come to that. What is missing on both controllers is the ADWS service itself. In the directory above, "Microsoft.ActiveDirectory.WebServices.exe" is found. This would be the executable called upon as ADWS when installed as a service, correct? If double-clicked, you get this:

    To me, this seems to allude to the available option of installing (re-installing) Microsoft.ActiveDirectory.WebServices.exe as a service using "installutil.exe".

    The whole issue is that ADWS is no longer running as a service and that's what Active Directory Administrative Center is complaining about when I attempt to open it. Same as certain PowerShell commands. If the service itself could be reinstalled, I am thinking this would resolve the issue at hand. Does this make sense?

  2. Anonymous
    2024-06-13T07:59:04+00:00

    Hello

    Good day!

    When I click C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe on the DC in my lab, I get the same error message as you.

    But the AD WS service is running well.

    You can check whether the AD WS service is present and only disabled.

    Best Regards,
    Daisy Zhou

  3. Anonymous
    2024-06-13T16:10:17+00:00

    Just to clarify, the service is missing...not disabled, therefore I cannot simply enable it and set it to start automatically.

    *Windows Update*

    I am sure you are aware KB5039217 is the June 2024 Cumulative update for Windows Server 2019.

    It was just applied to both my DCs.

    I just noticed something clearly a little on the strange side.

    Poking through events logged under Active Directory Web Services.

    I see it stopped adding entries mid-April this year and began again after the application of the June 2024 Cumulative update mentioned above. This behavior was noticed on both DCs.

    Event ID 1000 - Active Directory Web Services is starting.

    Event ID 1100 - The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.

    Event ID 1008 - Active Directory Web Services has successfully reduced its security privileges.

    So how can a service that is completely missing, not disabled, begin to add event entries after a two-month hiatus?

    Did a previous Windows Update take it out in the first place?

    Closest Cumulative update I can find is KB5036896 installed on 4/10/2024.

    Again, I am leaning towards the path of using a utility to attempt to re-install the service.

    I think the utility "installutil.exe" might be specific to .NET but that might be a wrong assumption from running the command below.

    The SC command seems like it may be a candidate to reinstall the service.

    What other option do I have to get this service back to installed and operational?

    Thank you.

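A way to collect the facts this post reasons about from each DC in one pass: whether the ADWS service is registered at all (as opposed to disabled), whether TCP 9389 answers, and where the longest silence between Event ID 1000 entries falls. This is an added example, not part of the original posts; the DC names are placeholders, and it assumes remote CIM and event log access to each DC.

```powershell
# Added diagnostic sketch; DC names are placeholders (assumption), not from the thread.
# The list is hard-coded because Get-ADDomainController itself depends on ADWS.
$domainControllers = 'DC01', 'DC02'

$report = foreach ($dc in $domainControllers) {
    # Missing vs. disabled: an unregistered service returns no object at all,
    # while a disabled one returns an object with StartMode 'Disabled'.
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADWS'" `
            -ComputerName $dc -ErrorAction Stop
        $state = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'Not registered' }
    } catch {
        $svc = $null
        $state = "Query failed: $($_.Exception.Message)"
    }

    # ADWS listens on TCP 9389; ADAC and the AD cmdlets need a DC answering here.
    $portOpen = Test-NetConnection -ComputerName $dc -Port 9389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Event ID 1000 ("Active Directory Web Services is starting"), oldest first.
    $starts = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Active Directory Web Services'; Id = 1000 } |
        Sort-Object TimeCreated)

    # Longest silence between consecutive start events. A DC that simply ran
    # without a restart also shows a gap, so compare it with reboot and patch dates.
    $gap = [timespan]::Zero; $gapFrom = $null; $gapTo = $null
    for ($i = 1; $i -lt $starts.Count; $i++) {
        $delta = $starts[$i].TimeCreated - $starts[$i - 1].TimeCreated
        if ($delta -gt $gap) {
            $gap = $delta; $gapFrom = $starts[$i - 1].TimeCreated; $gapTo = $starts[$i].TimeCreated
        }
    }

    [pscustomobject]@{
        DC             = $dc
        ServiceState   = $state
        BinaryPath     = $svc.PathName
        Port9389Open   = $portOpen
        LastStart      = if ($starts.Count) { $starts[-1].TimeCreated } else { $null }
        LongestGapDays = [math]::Round($gap.TotalDays, 1)
        GapFrom        = $gapFrom
        GapTo          = $gapTo
    }
}
$report | Format-List
```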
  4. Anonymous
    2024-06-14T12:23:12+00:00

    Hello

    Good day!

    I've never had the ADWS service disappear, and I've had a lot of queries to either reinstall AD DS or AD LDS.

    In your case, you can try the two ideas below:

    One idea:
    If you want to confirm whether the issue was caused by the KBs you mentioned, you can test installing them on one DC in a lab and check if the issue reproduces. If so, uninstall the KBs to check if the issue disappears.

    The other idea:

    If you can, copy and detach one of your problematic domain controllers from the environment, uninstall ADDS, and then reinstall ADDS to see if that resolves the problem.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  5. Anonymous
    2024-08-27T22:34:17+00:00

    Good day. I finally had a chance to do a test.

    I used Mark Russinovich's utility to turn physical into virtual machine and copied to a USB-C SSD drive.

    I did this on both DCs demonstrating the missing ADWS service issue.

    I fired both up within a privately bound Hyper-V environment so there was no interaction with my setup or access to internet.

    I assigned the applicable IP addresses to the interface on each VM, and they could see each other within the environment.

    I don't think it was a perfect setup as they are Domain Controllers in an unfamiliar environment, and I saw some errors but here is what I did anyway.

    I removed the ADDS server role from one of the VMs.

    It ran and then spawns the familiar DC-Promo option which I carried on with.

    Now a member server, I noted that DHCP and DNS were left intact which works for me later in the scenario.

    Looking at C:\Windows\ADWS, I noticed all files but one were in the directory.

    I deleted ADWS directory

    I then added the ADDS server role and re-promoted back to a Domain Controller.

    The ADWS service has now been restored.

    C:\Windows\ADWS was present and populated with the applicable files and directories.

    Once I finished, the other DC which I had done nothing to was now able to open Active Directory Administrative Center because it now found ADWS running as a service within the network (Virtual Environment in this case)

    Again, I don't think the DCs were completely happy within the test environment, but I think the results were positive.

    I think this is in line with "The other idea" you suggested.

    So, I have a plan to fix my issue, and I thought I would present it for feedback.

    1. Fire up a new server instance and bring it on as a third domain controller.
    2. Transfer FSMO roles from 1st existing DC that is missing the ADWS service
    3. Demote that 1st existing DC to a member server
    4. Promote it back to a DC and move the FSMO roles back from the 3rd temporary DC
    5. Carry out the same steps 2-4 only on the 2nd existing DC missing the ADWS service.
    6. Demote the temporary third server used to carry out this plan.

    According to the test I did, both servers should now have the ADWS service present and functional.

    Questions

    1. Is there anything I should watch out for once a server has been demoted from being a DC before I re-promote it?
    • Does demoting leave any kind of "mess" that needs cleaning up before promotion to a DC again?
    • Should I consider a complete wipe and reinstall instead of just re-promoting each of the two original servers?
    • If I don't need to (not necessary) format and reinstall the OS on the servers (in your opinion) then that works because I have multiple locations within a SDWAN environment all looking to the one server for DHCP and both for DNS.
    • Conversely, I do like the idea of a fresh start...my opinion.
    2. At any time during my outlined steps to repair, say between doing the 1st demote/promote, should I wait a few days/week and observe functionality before doing the second demote/promote?

    Feedback welcome.
