The error "Cannot find the default server running Active Directory Web Services" may appear when you import the PowerShell ActiveDirectory module into your session or when you run cmdlets from that module. For example, it can occur when you transfer FSMO roles with Move-ADDirectoryServerOperationMasterRole, create AD users in bulk with New-ADUser, or run any other cmdlet from the module:
Import-Module ActiveDirectory
WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running’
Move-ADDirectoryServerOperationMasterRole -Identity dc01 -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster
CategoryInfo: ResourceUnavailable, ADServerDownException
ActiveDirectoryServer:1355,Microsoft.ActiveDirectory.Management.Commands.Move-ADDirectoryServerOperationMasterRole
Also, the error might look like this:
Set-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
This error occurs because your computer was unable to connect to Active Directory Web Services (ADWS) on the nearest domain controller. The ADWS service is installed on a domain controller and provides remote management of Active Directory Domain Services through the WS-Management protocols.
The PowerShell AD module uses Active Directory Web Services on a DC to communicate with ADDS. TCP port 9389 on the domain controller must be reachable from your computer for the module to communicate with ADWS.
Troubleshooting Active Directory Web Services Connectivity in Windows
If you are running your PowerShell commands on a non-domain controller device, the first thing to check is if you have connectivity with your Active Directory domain. Use the following commands to check if your computer can access the domain:
nslookup yourdomain.loc
ping yourdomain.loc
By default, the RSAT-AD-PowerShell module cmdlets try to connect to the domain controller that is specified in the LOGONSERVER environment variable. Check the value of this environment variable on your computer:
$env:LOGONSERVER
Check that port TCP/9389 is reachable on that domain controller (specify the logon server name) with the command:
Test-NetConnection your_logon_DC -port 9389
If the command returns TcpTestSucceeded: False, it means the connection is blocked by the firewall, the ADWS service is not running, or the DC is down.
Run the following command on any domain controller to find the nearest DC with the ADWS role:
Get-ADDomainController -Discover -Service ADWS
You can also find a DC with the ADWS role in another Active Directory site:
Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
Note. The search for domain controllers with the ADWS role is performed using the special DS_WEB_SERVICE_REQUIRED flag.
If your LogonServer is unavailable, not working properly, or blocked by a firewall, you can connect to another DC. To do this, you can change the LogonServer using the command:
nltest /SC_RESET:CONTOSO\DC02.contoso.com
Or you can run the AD PowerShell module cmdlets from your computer against a specific DC, using the -Server parameter. For example:
New-ADUser -Server DC02 …..
or:
Move-ADDirectoryServerOperationMasterRole -Server dc02 ……
Hint. Also, the ‘Unable to find a default server with Active Directory Web Services running’ error may appear if your computer is not joined to the Active Directory domain. In this case, you must specify the domain controller name in all PowerShell cmdlets using the parameter -Server {DC_FQDN/IP address}.
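The client-side checks above, chained into one script, as an added example that is not part of the original article. The function names Test-AdwsEndpoint and Get-AdwsCandidateStatus are hypothetical, and the script assumes the RSAT ActiveDirectory module is installed on a domain-joined computer.

```powershell
# Added example; function names are hypothetical, not part of the ActiveDirectory module.
function Test-AdwsEndpoint {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 9389)
    # Separate "name does not resolve" from "port 9389 is closed or filtered"
    $dns = Resolve-DnsName -Name $ComputerName -ErrorAction SilentlyContinue
    $tcp = $false
    if ($dns) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Server       = $ComputerName
        DnsResolves  = [bool]$dns
        AdwsPortOpen = [bool]$tcp
    }
}

function Get-AdwsCandidateStatus {
    # Candidate order follows the article: logon server, nearest ADWS DC, next closest site
    $candidates = @()
    if ($env:LOGONSERVER) { $candidates += $env:LOGONSERVER.TrimStart('\') }
    foreach ($extra in @{}, @{ NextClosestSite = $true }) {
        try {
            $dc = Get-ADDomainController -Discover -Service ADWS -ForceDiscover @extra -ErrorAction Stop
            $candidates += "$($dc.HostName)"   # HostName is a collection when -Discover is used
        } catch {
            Write-Warning "ADWS DC discovery failed: $($_.Exception.Message)"
        }
    }
    $candidates | Where-Object { $_ } | Select-Object -Unique |
        ForEach-Object { Test-AdwsEndpoint -ComputerName $_ }
}

$status = @(Get-AdwsCandidateStatus)
$status | Format-Table -AutoSize
$reachable = $status | Where-Object AdwsPortOpen | Select-Object -First 1
if ($reachable) {
    # Same effect as adding -Server to every AD cmdlet in this session
    $PSDefaultParameterValues['*-AD*:Server'] = $reachable.Server
    Get-ADDomain | Select-Object DNSRoot, PDCEmulator
} else {
    Write-Warning 'No candidate DC accepts connections on TCP 9389; check the firewall and the ADWS service.'
}
```

The $PSDefaultParameterValues entry applies only to the current session and only to cmdlets whose names match *-AD* and that have a -Server parameter.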
If the domain is available and the DNS service is working correctly, you need to check the status of Active Directory Web Services on your domain controller.
Checking the ADWS Role on a Domain Controller
Connect to the desired DC and make sure the ADWS service is running on it. To do this, open the services.msc console, locate Active Directory Web Services, and verify that it is in a Running state.
If the service is stopped, start it. If the service is running, restart the DC or restart the service with the PowerShell command:
Restart-Service -Name ADWS -Verbose
Verify if the ADWS service is configured to start automatically:
Get-Service ADWS | Select-Object -Property Name, StartType, Status
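If necessary, change the startup type to automatic (the AutomaticDelayedStart value is accepted by Set-Service only in PowerShell 6 and later, so use Automatic in Windows PowerShell 5.1):
Set-Service -Name ADWS -StartupType Automatic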
Open the Event Viewer on the domain controller, expand Windows Logs > System, and filter the System log by event ID 1206 with the description:
Active Directory Web Services was unable to determine if the computer is a global catalog server.
If you find this error in the DC’s event log, you need to enable and then disable the Global Catalog role on this DC.
- Open the Active Directory Sites and Services console (dssite.msc) and find this domain controller in one of the AD sites;
- Right-click on NTDS Settings and then click Properties;
- Check/Uncheck the Global Catalog option on the General tab;
- Wait a while for AD changes to replicate and then revert to the previous value;
- Reboot the domain controller.
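The service, startup type and event ID 1206 checks from this section, combined into one read-only function, as an added example that is not part of the original article. Get-AdwsHealth is a hypothetical name; the log name defaults to System as stated above, and the function is meant to be run locally on the DC in an elevated session.

```powershell
# Added example; Get-AdwsHealth is a hypothetical name. It changes nothing on the DC.
function Get-AdwsHealth {
    param(
        [int]$Port = 9389,
        [int]$EventId = 1206,
        [int]$LookbackDays = 7,
        [string[]]$LogName = @('System')   # log named in the article; pass others if needed
    )
    $svc = Get-Service -Name ADWS -ErrorAction Stop
    # Is anything actually listening on the ADWS port?
    $listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    # Event 1206: ADWS could not determine whether the DC is a global catalog server
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = $EventId
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction SilentlyContinue)

    $findings = @()
    if ($svc.Status -ne 'Running')      { $findings += 'ADWS service is not running' }
    if ($svc.StartType -ne 'Automatic') { $findings += "Startup type is $($svc.StartType), expected Automatic" }
    if (-not $listening)                { $findings += "Nothing is listening on TCP $Port" }
    if ($events.Count -gt 0)            { $findings += "$($events.Count) event(s) with ID $EventId in the last $LookbackDays day(s)" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = $svc.Status
        StartType    = $svc.StartType
        Listening    = $listening
        LastEvent    = ($events | Select-Object -First 1).TimeCreated
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Get-AdwsHealth | Format-List
```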
ADWS has been built into ADDS since Windows Server 2008 R2. The ADWS service is installed automatically on Windows Server when you promote the server to an Active Directory domain controller (you can do that with the dcpromo command). The service is available on both regular RW domain controllers and Read-Only Domain Controllers (RODCs).
If your Active Directory forest uses Windows Server 2003 R2/Windows Server 2008 domain controllers, this service must be installed separately.
ADWS is installed as an Active Directory Management Gateway Service package: KB969166 and KB968934. ADMGS provides web-based management APIs on domain controllers running Windows Server 2003 SP2 and Windows Server 2008.
For the AD-PowerShell module cmdlets to work correctly, the ADWS service must be installed on at least one DC.
4 comments
You just saved my day, thanks for sharing!
Thank you very much
Hi.
I pull AD data (users, computers, DCs, etc.) from 114 Domains daily for a few weeks. And everything was ok. And a few days ago, one domain started to show me an error: “Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.” Any suggestions on what could happen?
Extremely useful content, thanks for sharing.