Active Directory Web Service is missing

Anonymous
2024-06-07T17:56:48+00:00

Two domain controllers running Server 2019 Standard.

Both are fully up to date.

Domain and Forest functioning level is 2016.

I recently attempted to open Active Directory Administrative Center (ADAC) on my PC.

RSAT installed and working no issue until this.

ADAC generates an error "Cannot connect to any domain. Refresh or try again when connection is available"

If I click "Ok" and click any bookmark, the first error is "The bookmarked item cannot be found or no longer exists."

The second error is "Cannot find an available server in the domain.com domain that is running the Active Directory Web Service (ADWS)"

The actual "Active Directory Web Service" within services.msc does not exist in either domain controller.

ADAC was working fine recently and now it does not work from my PC or on either DC.

All demonstrate the same error.

I have since found some PowerShell commands that point to the same missing ADWS service.

Get-ADUser command in PowerShell comes back with "Get-ADUser : Unable to find a default server with Active Directory Web Services running"

Both DCs are Global Catalogs

Both DCs are running DNS Server Service

One DC uses its own static IP as DNS server (not 127.0.0.1)

Second DC points to first DC for DNS

nslookup tests I did all seem to show correct information.

My first instinct was to check the health of Active Directory.

I ran "DCDiag /v" on both DCs

No errors on either other than reference to some occasional replication issues. (Usually happens during backups)

I ran repadmin /showrepl on both DCs

No errors reported.

I ran repadmin /replsum on both DCs

No errors reported.

It appears that AD is healthy.

How did ADWS disappear?

As mentioned, ADAC worked fine up until as recently as a month ago.

I have no other symptoms manifesting themselves as problems and there seems to be no issues on the network I am aware of.

I am just a little leery this might be the beginning of a bigger issue.

I can find no info about ADWS going MIA.

Before I resort to moving FSMO roles and redoing Domain Controllers, I thought I would put this to the community to see if anyone else has seen/experienced this.

Input appreciated.


This question was migrated from the Microsoft Support Community.


11 answers

  1. Anonymous
    2024-08-28T08:12:31+00:00

    Hello

    Good day!

    1) Is there anything I should watch out for once a server has been demoted from being a DC before I re-promote it?

    A1: You had better use one server with different DC name and different IP (one server with different DC name and the IP).

    Or you may need to rename this Demoted DC and re-promote it.

    - Does demoting leave any kind of "mess" that needs cleaning up before promotion to a DC again?

    A2: Before you re-promote the demoted DC, you had better perform metadata cleanup of this demoted DC so that all the records about the demoted DC are deleted completely.

    On the running and open DC, run the commands in the link below to perform metadata cleanup of this demoted DC.

    petri.com

    - Should I consider a complete wipe and reinstall instead of just re-promoting each of the two original servers?

    A3: I think this may be the best option.

    • If I don't need to (not necessary) format and reinstall the OS on the servers (in your opinion) then that works because I have multiple locations within a SDWAN environment all looking to the one server for DHCP and both for DNS.
    • Conversely, I do like the idea of a fresh start...my opinion.

    2) At any time during my outlined steps to repair, say between doing the 1st demote/promote, should I wait a few days/week and observe functionality before doing the second demote/promote?

    A4: You can follow this idea, or you don't have to wait for a few days, but after each step, you need to confirm the working status of each domain controller itself and the AD replication status.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
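
A check that can be run after each demote/promote step, as the answer above recommends; this is an added example, not part of the original thread. It assumes the ADWS service name `ADWS` and its TCP port 9389, uses placeholder DC names, and avoids the ActiveDirectory module cmdlets because those need ADWS themselves.

```powershell
# Added example: confirm ADWS presence and replication after each demote/promote step.
param(
    # Placeholder DC names (assumption); pass the real ones with -DomainControllers.
    [string[]]$DomainControllers = @('DC01', 'DC02')
)

function Test-DcAdws {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Query the service over CIM. Get-ADUser and friends cannot be used here,
    # because they fail exactly when ADWS is missing.
    $state = 'missing'; $startMode = 'n/a'; $present = $false
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
            -Filter "Name='ADWS'" -ErrorAction Stop
        if ($svc) { $present = $true; $state = $svc.State; $startMode = $svc.StartMode }
    } catch {
        # Distinguish "could not ask the DC" from "the DC has no such service".
        $state = 'query failed'
    }

    # ADWS listens on TCP 9389; ADAC and the AD cmdlets connect to this port.
    $port = Test-NetConnection -ComputerName $ComputerName -Port 9389 `
        -WarningAction SilentlyContinue

    [pscustomobject]@{
        DC             = $ComputerName
        ServicePresent = $present
        State          = $state
        StartMode      = $startMode
        Port9389Open   = [bool]$port.TcpTestSucceeded
    }
}

$results = foreach ($dc in $DomainControllers) { Test-DcAdws -ComputerName $dc }
$results | Format-Table -AutoSize

# Replication status, the same tool the question used.
repadmin /replsummary

# Quiet dcdiag per DC: prints only failures.
foreach ($dc in $DomainControllers) { dcdiag "/s:$dc" /q }

$bad = $results | Where-Object { $_.State -ne 'Running' -or -not $_.Port9389Open }
if ($bad) {
    Write-Warning ("ADWS not healthy on: " + (($bad.DC) -join ', '))
}
```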