I foolishly thought that I would quickly swap out my 2012 domain controllers with 2019 domain controllers, thus beginning a weeks-long saga. I have 2 DCs in my homelab, DC1 and DC2.
Built a new DC, joined to the domain, promoted to a DC (it ran AD prep for me, nice!), transferred FSMO roles (all were on DC1), all looked great! Demoted DC1, all logins failed with ‘Domain Unavailable’.
Thankfully I had my Synology backing up my FSMO role holder DC. So I restored it from scratch. I figured I might have missed something obvious so I did it again. Same result.
Ran through all sorts of crazy debugging, ntdsutil commands looking for old metadata to clean up, found some old artifacts that I thought might have been causing the issue, and repeated the process. Same result.
Several weeks later I realized what happened – I had a failing UPS take down my Synology multiple times until I replaced it a few days ago. Guess which VM I never restarted? The Enterprise CA. The CA caused all of this. Or at least most of it. Even after I powered up the CA, I was unable to cleanly transfer all FSMO roles. Everything but the Schema Master transferred cleanly, even though they all transferred cleanly while the CA was down. I had to seize the schema master role and manually delete DC1 from ADUC – thankfully, current versions of AD do the metadata cleanup for you when you delete a DC from ADUC.
In hilarious irony, I specifically built the CA on a member server and not a domain controller to avoid upgrade problems.
- When you don’t administer AD every day, you forget lots of things
- No AD upgrade is easy
- Make sure you have a domain controller backup before you start
- Turn on your CA
- Run repadmin /showrepl and dcdiag BEFORE you start messing with the domain
- Run repadmin /showrepl and dcdiag AFTER you add a domain controller and BEFORE you remove old domain controllers
- ntdsutil is like COBOL – old and verbose
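
The two repadmin/dcdiag checks from the list above, as an added PowerShell example that is not part of the original post: it parses the CSV form of repadmin /showrepl, runs dcdiag in quiet mode, and reports anything that should stop a role transfer or demotion. The sample rows, the lab.example domain and DC3 are constructed, and Get-ReplicationFailure is a name chosen for this example.

```powershell
# Added example, not from the original post. Gate a DC demotion on
# replication health by parsing `repadmin /showrepl * /csv`.

function Get-ReplicationFailure {
    param([Parameter(Mandatory)][string[]]$CsvLine)
    # One CSV row per inbound replication link. Rows tagged showrepl_ERROR
    # mean repadmin could not query that DC at all.
    $CsvLine | ConvertFrom-Csv | Where-Object {
        $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
        [int]$_.'Number of Failures' -gt 0
    }
}

# Constructed sample output (lab.example and DC3 are made-up names).
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,Default-First-Site-Name,DC2,"DC=lab,DC=example",Default-First-Site-Name,DC1,RPC,0,0,2020-01-01 10:00:00,0'
    'showrepl_INFO,Default-First-Site-Name,DC3,"CN=Schema,CN=Configuration,DC=lab,DC=example",Default-First-Site-Name,DC1,RPC,5,2020-01-01 09:45:00,2019-12-28 02:10:00,1722'
)

# Use live data on a machine with the AD DS tools, the sample otherwise.
$haveTools = [bool](Get-Command repadmin -ErrorAction SilentlyContinue)
$lines = @(if ($haveTools) { repadmin /showrepl * /csv } else { $sample }) |
    Where-Object { $_ }   # drop blank lines

# Keep a timestamped snapshot so the "before" and "after" runs can be diffed.
$lines | Set-Content -Path ("showrepl-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

$failures = @(Get-ReplicationFailure -CsvLine $lines)
$failures | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
    'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize

# dcdiag /q prints only failed tests; /e covers every DC in the enterprise.
$dcdiagErrors = if ($haveTools) { @(dcdiag /e /q) } else { @() }
$dcdiagErrors | ForEach-Object { Write-Warning $_ }

if ($failures.Count -or $dcdiagErrors.Count) {
    Write-Error 'Replication or dcdiag errors found. Fix these before moving FSMO roles or demoting a DC.'
} else {
    Write-Output 'Replication and dcdiag are clean.'
}
```

Run it once before touching the domain and again after the new DC is promoted, then compare the two saved snapshots before demoting anything.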
UPDATE JUNE 16, 2020
DEAR INTERNET – APPARENTLY THE FONT SIZE I USED BELOW – WHERE I NOT ONLY NAMED THE USER WHO POSTED IT BUT LINKED TO THE CONTENT THAT I COPIED AND PASTED – WAS NOT ENOUGH CREDIT FOR ‘pirwen’. I DID NOT WRITE THIS CONTENT. I REPOSTED IT. I DID NOT WRITE IT. I REPOSTED IT. WHICH IS EXACTLY WHAT MY ORIGINAL POST SAYS. BUT NOW IT SAYS SO IN VERY LARGE FONT.
This post has apparently enraged ‘pirwen’ to a point that THREE YEARS LATER he came back to say that it’s his content… over and over… posting like 10 times in the comments. The reason my blog repost on this is #1 in Google search results is because the Microsoft community pages are garbage and his solution is buried under page after page of hidden answers. The Microsoft page is also locked for comments, so people comment here.
ONCE AGAIN, THIS IS CONTENT FROM ‘pirwen’.
Original Post – March 6, 2017
OneDrive mysteriously stopped working on my Windows 10 laptop. I have no idea what went wrong. I tried reinstalling it even though it’s now part of Windows 10. Nothing worked. I finally came across this post and wanted to repost it in case it ever disappears. My situation was the same: the GPO setting was unset, which should have had the same effect, but I had to disable it to get OneDrive working again.
User ‘pirwen’ posted the solution that worked for me at this link in the Microsoft Community.
“I remembered seeing an option to prevent the usage of OneDrive via the Group Policy editor, seems that there is also an option to force enable it. Here are the steps I followed:
On your keyboard hit Windows Key + R to open the Run dialog and type: gpedit.msc and hit Enter to open Local Group Policy Editor.
Next navigate to Computer Configuration\Administrative Templates\Windows Components\OneDrive. In the right panel, double click Prevent the usage of OneDrive for File Storage.
Then here instead of selecting Enabled (as many tutorials suggest to disable OneDrive on Windows 10) I selected Disabled, and saved my changes. This option was originally unset, which should have worked just as if it was disabled, except it didn’t.
After doing this I opened OneDrive again and got a notification for an update. After a few seconds it opened, and was finally working again.”