The story behind our found, reported and fixed issue with Domain Controller Promotions for new domains



Now, this is a story all about how our lives got flipped-turned upside down
And I'd like to take a minute… Just sit right there… I'll tell you how our project planning got screwed by a bug.


It’s all fun and games…

Being on the front lines of identity and access management technology is fun. Just ask any of my colleagues at SCCT. While we encounter our fair share of mysterious cases when it comes to Microsoft Online Services, we also encounter cases with Microsoft’s less nebulous products like Windows Server and Identity Manager (FIM/MIM).


Exactly one such case occurred when my colleague Max attempted to build a new child domain for one of our hosting customers.

How we got here

Part of our Domain Controller deployment process is to update Windows Server, virtualization platform drivers or firmware to the latest stable versions, before promoting the server to a Domain Controller, but after installing the Active Directory Domain Services role.

This makes the process a lot more predictable, and allowed us to lower the billable hours for Domain Controller promotions in our offers without problems.

Except this time…  

This time, however, we ran into errors. Vague errors.

We ran into these issues because our standard procedure is to update Windows Server after we install the Active Directory Domain Services (AD DS) role, and because the AD DS environment at this customer has the Active Directory Recycle Bin enabled; “Safety First.”

What we did

We took three actions:

  1. We notified the project manager of our impairment.
  2. We filed a bug with Microsoft.
  3. We kept searching for a resolution or workaround.

We found a workaround after a while, by simply uninstalling Microsoft’s October 9th, 2018 Security update KB4462917 on Windows Server 2016. Then, the Windows Server installation was able to successfully promote to an Active Directory Domain Controller. After the promotion we reapplied the uninstalled update.
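A read-only check for the conditions described above, and for confirming afterwards that the update is back on the server, as an added example that is not code from the original post. The function name, the `-ForestDC` parameter and the status strings are assumptions; it expects to run on the server being promoted, with the ActiveDirectory PowerShell module installed and a reachable Domain Controller in the existing forest.

```powershell
# Added example: reports state only, changes nothing on the server.
# Assumption: $ForestDC (hypothetical parameter) is a reachable DC in the
# forest that will receive the new domain.
function Get-PromotionReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ForestDC,
        [string]$HotFixId = 'KB4462917'   # the update named in the article
    )

    # Is the update installed? Get-HotFix writes an error when the ID is absent.
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    $hotfixInstalled = $null -ne $hotfix

    # The Recycle Bin is enabled when the optional feature has an enabled scope.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'" -Server $ForestDC
    $recycleBinEnabled = ($null -ne $feature) -and ($feature.EnabledScopes.Count -gt 0)

    # AD DS role present, and has this server already been promoted?
    $roleInstalled = (Get-WindowsFeature -Name AD-Domain-Services).Installed
    $domainRole    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC          = $domainRole -ge 4   # 4 = backup DC, 5 = primary DC

    # Before promotion: update plus Recycle Bin is the combination from the article.
    # After promotion: a missing update means the workaround was left half done.
    $status = if (-not $isDC -and $hotfixInstalled -and $recycleBinEnabled) {
        'AtRisk: conditions from the article are present'
    } elseif ($isDC -and -not $hotfixInstalled) {
        "ReapplyUpdate: $HotFixId is not installed on this DC"
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RoleInstalled     = $roleInstalled
        IsDomainController = $isDC
        HotFixId          = $HotFixId
        HotFixInstalled   = $hotfixInstalled
        RecycleBinEnabled = $recycleBinEnabled
        Status            = $status
    }
}

# Example call (server name is a placeholder):
# Get-PromotionReadiness -ForestDC 'dc01.example.test'
```

The check looks for this one update ID only, so a server that has moved on to a later cumulative update will report the ID as not installed.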

Eventually, Microsoft fixed the issue in the following update releases:


How we feel

While we were working with Windows Server 2016, because Windows Server 2019 hadn’t been re-released yet, the problem existed in the latter Operating System, too.

While Windows Server 2019 RTM had many problems, I’m glad that this bug was squashed. It means that our standard procedure holds true to circumvent the same problem on this Operating System.
