Fix: Unable to Find a Default Server with Active Directory Web Services Running

1.6K

The error Cannot find the default server running Active Directory Web Services may appear when you import an PowerShell ActiveDirectory module into your session or run various cmdlets from that module. Let’s take a closer look at Active Directory Web Services and how you can troubleshoot this error message.

What is Active Directory Web Services?

Active Directory Web Services (ADWS) in Windows Server 2008 R2 and subsequent versions is a new Windows service, that provides a web service interface to Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances. When ADWS is stopped or deactivated, applications like the Active Directory module for Windows PowerShell or the Active Directory Administrative Center cannot access or manage any directory service instances on that server.

When adding the AD DS or AD LDS server roles to your Windows Server 2008 R2 or newer, ADWS is automatically installed. It is automatically configured when you promote a member server into a domain controller via Dcpromo.exe or establish an AD LDS instance on the server. Unless there’s a reason otherwise, setting ADWS to start automatically is recommended.

This service is also used with hybrid connectivity services, such as Azure AD Connect. When Azure AD Connect performs synchronization tasks, it communicates with on-premises Active Directory Domain Services (AD DS) through ADWS. If the ADWS is not running or inaccessible, Azure AD Connect can’t read or write to the on-premises AD, impacting its functionality.

Describing the error message

For example, when you transfer FSMO roles with Move-ADDirectoryServerOperationMasterRole, creating bulk AD users using New-ADUser, and all other cmdlets, you need to import the Active Directory module and run a few cmdlets.

Import-Module ActiveDirectory

WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running’

Move-ADDirectoryServerOperationMasterRole -Identity dc01 –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

CategoryInfo: ResourceUnavailable, ADServerDownException

ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.Move-ADDirectoryServerOperationMasterRole

Note the following error message when you run the PowerShell command in Windows PowerShell:

Also, the error might look like this:

Set-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.

This error occurs because your computer was unable to connect to Active Directory Web Services (ADWS) on the nearest domain controller. The ADWS service is installed on a domain controller and used to provide remote management of AD Directory Services through the WS-Management protocols.

The PowerShell AD module uses Active Directory Web Services on DC to communicate with ADDS. The TCP port 9389 on the domain controller must be accessible from your computer to communicate properly with ADWS.

Troubleshooting Active Directory Web Services Connectivity in Windows

If you are running your PowerShell commands on a non-domain controller device, the first thing to check is if you have connectivity with your Active Directory domain and by extension, the Active Directory Web Service. Use the following commands to check if your computer can access the domain:

nslookup yourdomain.loc

ping yourdomain.loc

By default, the RSAT-AD-PowerShell module cmdlets try to connect to the domain controller that is specified in the LOGONSERVER environment variable. Check the value of this environment variable on your computer:

$env:LOGONSERVER

Check the availability of port TCP/9389 on the domain controller name (specify the logonserver name) with the command:

Test-NetConnection your_logon_DC -port 9389

If the command returns TcpTestSucceeded: False, it means the connection is blocked by the firewall, the ADWS service is not running, or the DC is down.

Run the following command on any domain controller to find the nearest DC with the ADWS role:

Get-ADDomainController -Discover -Service ADWS

You can find a DC with the ADWS role in another Active Directory sites and subnets:

Get-ADDomainController -ForceDiscover -Discover -Service ADWS –NextClosestSite

Note. The search for the domain controllers with the ADWS role is performed by the special DS_WEB_SERVICE_REQUIRED flag.

If your LogonServer is unavailable, not working properly, or blocked by a firewall, you can connect to another DC. To do this, you can change the LogonServer using the command:

nltest /SC_RESET:CONTOSO\DC02.contoso.com

Or you can run the AD PowerShell module cmdlets from your computer against the specific DC, using the –Server parameter. For example:

New-ADUSer –Server DC02 …..

or:

Move-ADDirectoryServerOperationMasterRole -Server dc02 ……

Hint. Also, the ‘Unable to find a default server with Active Directory Web Services running’ error may appear if your computer is not joined to the Active Directory domain. In this case, you must specify the domain controller name in all PowerShell cmdlets using the parameter –Server {DC_FQDN/IP address}.

If the domain is available and the DNS service is working correctly, you need to check the status of Active Directory Web Services on your domain controller.

Checking the ADWS Role on a Domain Controller

Connect to the desired DC and make sure the Microsoft ADWS service is running on it. To do this, open the services.msc console, locate Active Directory Web Services, and verify that it is in a Running state.

Start it if the service is stopped. If the service is running, restart the DC or restart the service with the PS command. You can also do this with PowerShell remoting as well.

Run PowerShell command:

Restart-Service –name ADWS –verbose

Verify if the ADWS service is configured to start automatically:

Get-Service ADWS | Select-Object -Property Name, StartType, Status

If necessary, change the startup type to automatic:

Set-Service -Name ADWS –StartupType AutomaticDelayedStart

Open the Event Viewer on the domain controller, expand Windows Logs > System and filter your System log by the event ID 1206 with the description:

Active Directory Web Services could not determine if the computer is a global catalog server.

If you found this error in the DC’s Event log, you need to enable and then disable the Global Catalog FSMO role on this DC.

1. Open the Active Directory Sites and Services console (dssite.msc) and find this domain controller in one of the AD sites;
2. Right-click on NTDS Settings and then click Properties;
3. Check/Uncheck the Global Catalog option on the General tab.
   
4. Wait a while for AD changes to replicate and then revert back to the previous value;
5. Reboot the domain controller.

ADWS has been built into ADDS since Windows Server 2008 R2. The ADWS service is installed automatically on Windows Server when you promote the server to an Active Directory domain controller (you can do that with dcpromo command). The service is available on both regular RW domain controllers and Read-Only Domain Controllers (RODCs).

This service must be installed separately if your Active Directory forest uses Windows Server 2003 R2/Windows Server 2008 domain controllers.

ADWS is installed as an Active Directory Management Gateway Service package: KB969166 and KB968934. ADMGS provides web-based management APIs on domain controllers running Windows Server 2003 SP2 and Windows Server 2008.

For the AD-PowerShell module cmdlets to work correctly, the ADWS service must be installed on at least one DC.

Wrapping up

If you’re running into the error message “Unable to find a default server with Active Directory Web Services running” while using PowerShell commands related to Active Directory, it’s an indicator that there’s an issue with your Active Directory Web Services (ADWS). ADWS is essential for several operations, from syncing with Azure AD Connect to running Active Directory commands in PowerShell.

Essentially, ADWS acts as a bridge between your server and Active Directory functionalities. If this service is down or not configured properly, certain tasks will hit a wall. Troubleshooting this error might involve checking if ADWS is running, ensuring the right ports are open, and verifying that your computer can communicate with the domain controller.

In short, when this error pops up, think of it as a connectivity or configuration issue between your computer and the ADWS on your domain controller. You can pinpoint and address the underlying issue through the steps mentioned above.