Applies To: Windows Server
This topic provides background information about Active Directory Domain Services in Windows Server 2016 and explains the process for upgrading domain controllers from Windows Server 2012 or Windows Server 2012 R2.
Pre-requisites
The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server and demote the older domain controllers as needed. That method is preferable to upgrading the operating system of an existing domain controller. This list covers general steps to follow before you promote a domain controller that runs a newer version of Windows Server:
- Verify the target server meets system requirements.
- Verify Application compatibility.
- Review Recommendations for moving to Windows Server 2016
- Verify security settings. For more information, see Deprecated features and behavior changes related to AD DS in Windows Server 2016.
- Check connectivity to the target server from the computer where you plan to run the installation.
- Check for availability of necessary operation master roles:
  - To install the first DC that runs Windows Server 2016 in an existing domain and forest, the machine where you run the installation needs connectivity to the schema master in order to run adprep /forestprep and the infrastructure master in order to run adprep /domainprep.
  - To install the first DC in a domain where the forest schema is already extended, you only need connectivity to the infrastructure master.
  - To install or remove a domain in an existing forest, you need connectivity to the domain naming master.
  - Any domain controller installation also requires connectivity to the RID master.
  - If you are installing the first read-only domain controller in an existing forest, you need connectivity to the infrastructure master for each application directory partition, also known as a non-domain naming context or NDNC.
Installation steps and required administrative levels
The following table provides a summary of the upgrade steps and the permission requirements to accomplish these steps.

| Installation action | Credential requirements |
|---|---|
| Install a new forest | Local Administrator on the target server |
| Install a new domain in an existing forest | Enterprise Admins |
| Install an additional DC in an existing domain | Domain Admins |
| Run adprep /forestprep | Schema Admins, Enterprise Admins, and Domain Admins |
| Run adprep /domainprep | Domain Admins |
| Run adprep /domainprep /gpprep | Domain Admins |
| Run adprep /rodcprep | Enterprise Admins |
For additional information on new features in Windows Server 2016, see What's new in Windows Server 2016.
Supported in-place upgrade paths
Domain controllers that run 64-bit versions of Windows Server 2012 or Windows Server 2012 R2 can be upgraded to Windows Server 2016. Only 64-bit version upgrades are supported because Windows Server 2016 only comes in a 64-bit version.
| If you are running this edition: | You can upgrade to these editions: |
|---|---|
| Windows Server 2012 Standard | Windows Server 2016 Standard or Datacenter |
| Windows Server 2012 Datacenter | Windows Server 2016 Datacenter |
| Windows Server 2012 R2 Standard | Windows Server 2016 Standard or Datacenter |
| Windows Server 2012 R2 Datacenter | Windows Server 2016 Datacenter |
| Windows Server 2012 R2 Essentials | Windows Server 2016 Essentials |
| Windows Storage Server 2012 Standard | Windows Storage Server 2016 Standard |
| Windows Storage Server 2012 Workgroup | Windows Storage Server 2016 Workgroup |
| Windows Storage Server 2012 R2 Standard | Windows Storage Server 2016 Standard |
| Windows Storage Server 2012 R2 Workgroup | Windows Storage Server 2016 Workgroup |

For more information about supported upgrade paths, see Supported Upgrade Paths.
Adprep and Domainprep
If you are doing an in-place upgrade of an existing domain controller to the Windows Server 2016 operating system, you will need to run adprep /forestprep and adprep /domainprep manually. Adprep /forestprep needs to be run only once in the forest. Adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016.
If you are promoting a new Windows Server 2016 server you do not need to run these manually. These are integrated into the PowerShell and Server Manager experiences.
For more information on running adprep, see Running Adprep.
Functional level features and requirements
Windows Server 2016 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2016 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.
Windows 2000 domain controllers must be removed prior to adding Windows Server 2016 domain controllers to your forest. In this case, consider the following workflow:
- Install domain controllers that run Windows Server 2003 or later. These domain controllers can be deployed on an evaluation version of Windows Server. This step also requires running adprep.exe for that operating system release as a prerequisite.
- Remove the Windows 2000 domain controllers. Specifically, gracefully demote or forcibly remove Windows Server 2000 domain controllers from the domain and use Active Directory Users and Computers to remove the domain controller accounts for all removed domain controllers.
- Raise the forest functional level to Windows Server 2003 or higher.
- Install domain controllers that run Windows Server 2016.
- Remove domain controllers that run earlier versions of Windows Server.
Rolling back functional levels
After you set the forest functional level (FFL) to a certain value, you cannot roll back or lower the forest functional level, with the following exceptions:
- If you are upgrading from Windows Server 2012 R2 FFL, you can lower it back to Windows Server 2012 R2.
- If you are upgrading from Windows Server 2008 R2 FFL, you can lower it back to Windows Server 2008 R2.
After you set the domain functional level to a certain value, you cannot roll back or lower the domain functional level, with the following exceptions:
- When you raise the domain functional level to Windows Server 2016 and if the forest functional level is Windows Server 2012 or lower, you have the option of rolling the domain functional level back to Windows Server 2012 or Windows Server 2012 R2.
For more information about features that are available at lower functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.
AD DS interoperability with other server roles and Windows operating systems
AD DS is not supported on the following Windows operating systems:
- Windows MultiPoint Server
- Windows Server 2016 Essentials
AD DS cannot be installed on a server that also runs the following server roles or role services:
- Microsoft Hyper-V Server 2016
- Remote Desktop Connection Broker
Administration of Windows Server 2016 servers
Use the Remote Server Administration Tools for Windows 10 to manage domain controllers and other servers that run Windows Server 2016. You can run the Windows Server 2016 Remote Server Administration Tools on a computer that runs Windows 10.
Step-by-Step for Upgrading to Windows Server 2016
The following is a simple example of upgrading the Contoso forest from Windows Server 2012 R2 to Windows Server 2016.
- Join the new Windows Server 2016 server to your forest. Restart when prompted.
- Sign in to the new Windows Server 2016 server with a domain admin account.
- In Server Manager, under Add Roles and Features, install Active Directory Domain Services on the new Windows Server 2016 server. This will automatically run adprep on the 2012 R2 forest and domain.
- In Server Manager, click the yellow triangle, and from the drop-down click Promote the server to a domain controller.
- On the Deployment Configuration screen, select Add a domain controller to an existing forest and click Next.
- On the Domain Controller Options screen, enter the Directory Services Restore Mode (DSRM) password and click Next.
- For the remainder of the screens, click Next.
- On the Prerequisite Check screen, click Install. Once the restart has completed you can sign back in.
- On the Windows Server 2012 R2 server, in Server Manager, under Tools, select Active Directory Module for Windows PowerShell.
- In the PowerShell window, use Move-ADDirectoryServerOperationMasterRole to move the FSMO roles. You can type the name of each -OperationMasterRole or use numbers to specify the roles. For more information, see Move-ADDirectoryServerOperationMasterRole.
- Verify the roles have been moved by going to the Windows Server 2016 server; in Server Manager, under Tools, select Active Directory Module for Windows PowerShell. Use the Get-ADDomain and Get-ADForest cmdlets to view the FSMO role holders.
- Demote and remove the Windows Server 2012 R2 domain controller. For information on demoting a DC, see Demoting Domain Controllers and Domains.
- Once the server is demoted and removed, you can raise the forest functional and domain functional levels to Windows Server 2016.
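The FSMO transfer and verification steps above, as an added PowerShell example that is not part of the original article. It assumes the new domain controller is named DC2016 and that it is run from the Active Directory module on either server by an account that is a member of Domain Admins, Schema Admins and Enterprise Admins (the schema master and domain naming master cannot be moved otherwise). The demotion of the 2012 R2 server should only follow once the final check passes.

```powershell
# Added example, not part of the original article: transfer all five FSMO roles to the
# new Windows Server 2016 domain controller and confirm nothing is left on the old one.
# Assumed name: DC2016 is the new domain controller in the Contoso forest.
Import-Module ActiveDirectory

$newDc = 'DC2016'

# Move-ADDirectoryServerOperationMasterRole accepts the role names or the numbers 0-4;
# the names are used here so the intent is obvious in change records.
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# Verify: Get-ADDomain reports the three domain-wide roles, Get-ADForest the two forest-wide ones.
$domain = Get-ADDomain
$forest = Get-ADForest
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$holders

# Fail loudly if any role still points at another DC. Only when this passes is it safe
# to demote the Windows Server 2012 R2 domain controller.
$newDcFqdn = (Get-ADDomainController -Identity $newDc).HostName
$stale = $holders.GetEnumerator() | Where-Object { $_.Value -ne $newDcFqdn }
if ($stale) {
    throw "Roles not yet held by ${newDcFqdn}: $($stale.Name -join ', ')"
}
"All five operation master roles are held by $newDcFqdn"
```

Get-ADDomain and Get-ADForest return the role holders as fully qualified host names, which is why the check compares against the HostName of the new DC rather than its short name.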
Next Steps
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic covers the updated Active Directory Administrative Center with its new Active Directory Recycle Bin, Fine-grained Password policy, and Windows PowerShell History Viewer in more detail, including architecture, examples for common tasks, and troubleshooting information. For an introduction, see Introduction to Active Directory Administrative Center Enhancements (Level 100).
Active Directory Administrative Center Architecture
Active Directory Administrative Center Executables, DLLs
The module and underlying architecture of Active Directory Administrative Center has not changed with the new recycle bin, FGPP, and history viewer capabilities.
- Microsoft.ActiveDirectory.Management.UI.dll
- Microsoft.ActiveDirectory.Management.UI.resources.dll
- Microsoft.ActiveDirectory.Management.dll
- Microsoft.ActiveDirectory.Management.resources.dll
- ActiveDirectoryPowerShellResources.dll
The underlying Windows PowerShell and layer of operations for the new Recycle Bin functionality are illustrated below:
Enabling and Managing the Active Directory Recycle Bin Using Active Directory Administrative Center
Capabilities
- The Windows Server 2012 or newer Active Directory Administrative Center enables you to configure and manage the Active Directory Recycle Bin for any domain partition in a forest. There is no longer a requirement to use Windows PowerShell or Ldp.exe to enable the Active Directory Recycle Bin or restore objects in domain partitions.
- The Active Directory Administrative Center has advanced filtering criteria, making targeted restoration easier in large environments with many intentionally deleted objects.
Limitations
Because the Active Directory Administrative Center can only manage domain partitions, it cannot restore deleted objects from the Configuration, Domain DNS, or Forest DNS partitions (you cannot delete objects from the Schema partition). To restore objects from non-domain partitions, use Restore-ADObject.
The Active Directory Administrative Center cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects.
Note
The Active Directory Administrative Center batch restore operation does a 'best effort' sort of the deleted objects within the selection only so parents are ordered before the children for the restore list. In simple test cases, sub-trees of objects may be restored in a single action. But corner cases, such as a selection that contains partial trees - trees with some of the deleted parent nodes missing - or error cases, such as skipping the child objects when parent restore fails, may not work as expected. For this reason, you should always restore sub-trees of objects as a separate action after you restore the parent objects.
The Active Directory Recycle Bin requires a Windows Server 2008 R2 Forest Functional Level and you must be a member of the Enterprise Admins group. Once enabled, you cannot disable Active Directory Recycle Bin. Active Directory Recycle Bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space used by the recycle bin continues to increase over time as it preserves objects and all their attribute data.
Enabling Active Directory Recycle Bin using Active Directory Administrative Center
To enable the Active Directory Recycle Bin, open the Active Directory Administrative Center and click the name of your forest in the navigation pane. From the Tasks pane, click Enable Recycle Bin.
The Active Directory Administrative Center shows the Enable Recycle Bin Confirmation dialog. This dialog warns you that enabling the recycle bin is irreversible. Click OK to enable the Active Directory Recycle Bin. The Active Directory Administrative Center shows another dialog to remind you that the Active Directory Recycle Bin is not fully functional until all domain controllers replicate the configuration change.
Important
The option to enable the Active Directory Recycle Bin is unavailable if:
- The forest functional level is less than Windows Server 2008 R2
- It is already enabled
The equivalent Active Directory Windows PowerShell cmdlet is:
For more information about using Windows PowerShell to enable the Active Directory Recycle Bin, see the Active Directory Recycle Bin Step-by-Step Guide.
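The same operation from Windows PowerShell, as an added example that is not part of the original article. It reproduces the two conditions under which the Active Directory Administrative Center greys out the option (forest functional level below Windows Server 2008 R2, or the feature already enabled) before calling Enable-ADOptionalFeature, because enabling is irreversible. The forest name is read from Get-ADForest rather than assumed.

```powershell
# Added example, not part of the original article: enable the Active Directory Recycle Bin
# with the same preconditions the Active Directory Administrative Center checks first.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# Forest functional level must be Windows Server 2008 R2 or higher.
# ADForestMode enumerates Windows2008R2Forest as 4, so anything lower is blocked.
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
}

# Enabling cannot be undone, so refuse to proceed if it is already on.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Warning "Active Directory Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Re-read and confirm. As the dialog warns, the feature is fully functional only after the
# configuration change has replicated to every domain controller in the forest.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
```

Run it as a member of Enterprise Admins; EnabledScopes lists the partition distinguished names the feature is active for, and is empty until it has been enabled.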
Managing Active Directory Recycle Bin using Active Directory Administrative Center
This section uses the example of an existing domain named corp.contoso.com. This domain organizes users into a parent OU named UserAccounts. The UserAccounts OU contains three child OUs named by department, which each contain further OUs, users, and groups.
Storage and Filtering
The Active Directory Recycle Bin preserves all objects deleted in the forest. It saves these objects according to the msDS-deletedObjectLifetime attribute, which by default is set to match the tombstoneLifetime attribute of the forest. In any forest created using Windows Server 2003 SP1 or later, the value of tombstoneLifetime is set to 180 days by default. In any forest upgraded from Windows 2000 or installed with Windows Server 2003 (no service pack), the default tombstoneLifetime attribute is NOT SET and Windows therefore uses the internal default of 60 days. All of this is configurable.

You can use the Active Directory Administrative Center to restore any objects deleted from the domain partitions of the forest. You must continue to use the cmdlet Restore-ADObject to restore deleted objects from other partitions, such as Configuration.

Enabling the Active Directory Recycle Bin makes the Deleted Objects container visible under every domain partition in the Active Directory Administrative Center.
The Deleted Objects container shows you all the restorable objects in that domain partition. Deleted objects older than msDS-deletedObjectLifetime are known as recycled objects. The Active Directory Administrative Center does not show recycled objects and you cannot restore these objects using Active Directory Administrative Center.
For a deeper explanation of the recycle bin's architecture and processing rules, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.
The Active Directory Administrative Center artificially limits the default number of objects returned from a container to 20,000 objects. You can raise this limit as high as 100,000 objects by clicking the Manage menu, then Management List Options.
Restoration
Filtering
Active Directory Administrative Center offers powerful criteria and filtering options that you should become familiar with before you need to use them in a real-life restoration. Domains intentionally delete many objects over their lifetime. With a likely deleted object lifetime of 180 days, you cannot simply restore all objects when an accident occurs.
Rather than writing complex LDAP filters and converting UTC values into dates and times, use the basic and advanced Filter menu to list only the relevant objects. If you know the day of deletion, the names of objects, or any other key data, use that to your advantage when filtering. Toggle the advanced filter options by clicking the chevron to the right of the search box.
The restore operation supports all the standard filter criteria options, the same as any other search. Of the built-in filters, the important ones for restoring objects are typically:
- ANR (ambiguous name resolution - not listed in the menu, but what is used when you type in the Filter box)
- Last modified between given dates
- Object is user/inetorgperson/computer/group/organization unit
- Name
- When deleted
- Last known parent
- Type
- Description
- City
- Country/region
- Department
- Employee ID
- First name
- Job title
- Last name
- SAMaccountname
- State/Province
- Telephone number
- UPN
- ZIP/Postal code
You can add multiple criteria. For example, you can find all user objects deleted on September 24, 2012 from Chicago, Illinois with a job title of Manager.
You can also add, modify, or reorder the column headers to provide more detail when evaluating which objects to recover.
For more information about Ambiguous Name Resolution, see ANR Attributes.
Single Object
Restoring deleted objects has always been a single operation. The Active Directory Administrative Center makes that operation easier. To restore a deleted object, such as a single user:
- Click the domain name in the navigation pane of the Active Directory Administrative Center.
- Double-click Deleted Objects in the management list.
- Right-click the object and then click Restore, or click Restore from the Tasks pane.
The object restores to its original location.
Click Restore To... to change the restore location. This is useful if the deleted object's parent container was also deleted but you do not want to restore the parent.
Multiple Peer Objects
You can restore multiple peer-level objects, such as all the users in an OU. Hold down the CTRL key and click one or more deleted objects you want to restore. Click Restore from the Tasks pane. You can also select all displayed objects by holding down the CTRL and A keys, or a range of objects using SHIFT and clicking.
Multiple Parent and Child Objects
It is critical to understand the restoration process for a multi-parent-child restoration because the Active Directory Administrative Center cannot restore a nested tree of deleted objects with a single action.
- Restore the top-most deleted object in a tree.
- Restore the immediate children of that parent object.
- Restore the immediate children of those parent objects.
- Repeat as necessary until all objects restore.
You cannot restore a child object before restoring its parent. Attempting this restoration returns the following error:
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The Last Known Parent attribute shows the parent relationship of each object. The Last Known Parent attribute changes from the deleted location to the restored location when you refresh the Active Directory Administrative Center after restoring a parent. Therefore, you can restore that child object when a parent object's location no longer shows the distinguished name of the deleted objects container.
Consider the scenario where an administrator accidentally deletes the Sales OU, which contains child OUs and users.
First, observe the value of the Last Known Parent attribute for all the deleted users and how it reads OU=Sales\0ADEL:<guid+deleted objects container distinguished name>:
Filter on the ambiguous name Sales to return the deleted OU, which you then restore:
Refresh the Active Directory Administrative Center to see the deleted user object's Last Known Parent attribute change to the restored Sales OU distinguished name:
Filter on all the Sales users. Hold down the CTRL and A keys to select all the deleted Sales users. Click Restore to move the objects from the Deleted Objects container to the Sales OU with their group memberships and attributes intact.
If the Sales OU contained child OUs of its own, then you would restore the child OUs first before restoring their children, and so on.
To restore all nested deleted objects by specifying a deleted parent container, see Appendix B: Restore Multiple, Deleted Active Directory Objects (Sample Script).
The Active Directory Windows PowerShell cmdlet for restoring deleted objects is:
The Restore-ADObject cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012.
Server-side Filtering
It is possible that over time, the Deleted Objects container will accumulate over 20,000 (or even 100,000) objects in medium and large enterprises and have difficulty showing all objects. Since the filter mechanism in Active Directory Administrative Center relies on client-side filtering, it cannot show these additional objects. To work around this limitation, use the following steps to perform a server-side search:
- Right click the Deleted Objects container and click Search under this node.
- Click the chevron to expose the +Add criteria menu, select and add Last modified between given dates. The Last Modified time (the whenChanged attribute) is a close approximation of the deletion time; in most environments, they are identical. This query performs a server-side search.
- Locate the deleted objects to restore by using further display filtering, sorting, and so on in the results, and then restore them normally.
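The parent-before-child restoration described for the Sales OU, together with the server-side search by deletion date from the steps just above, as one added PowerShell example that is not part of the original article or of the Appendix B sample script it refers to. It assumes the corp.contoso.com domain used in this section and a deleted OU whose name begins with Sales; the function names are made up. Get-ADObject filters are evaluated on the domain controller, so unlike the Active Directory Administrative Center's client-side filtering they are not bounded by the 20,000 or 100,000 object display limit.

```powershell
# Added example, not part of the original article: restore a deleted OU and then its
# children level by level, using server-side Get-ADObject filters.
# Assumed names: domain corp.contoso.com, deleted OU "Sales". Function names are hypothetical.
Import-Module ActiveDirectory

function Get-DeletedChild {
    # Deleted objects whose Last Known Parent is the given (already restored) distinguished name.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ParentDn)
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDn } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
}

function Restore-DeletedSubtree {
    # Restores $Object, then every deleted object that listed it as parent, recursively.
    # Each level is restored only after its parent, so the "parent is either uninstantiated
    # or deleted" error quoted in the article cannot occur.
    [CmdletBinding()]
    param([Parameter(Mandatory)]$Object)
    Restore-ADObject -Identity $Object.ObjectGUID
    $restoredDn = (Get-ADObject -Identity $Object.ObjectGUID).DistinguishedName
    Write-Verbose "Restored $($Object.Name) to $restoredDn"
    foreach ($child in Get-DeletedChild -ParentDn $restoredDn) {
        Restore-DeletedSubtree -Object $child
    }
}

# Server-side search: deleted OUs named Sales* whose whenChanged (a close approximation of the
# deletion time) falls in the last 30 days. A deleted object's name carries a "\0ADEL:<guid>"
# suffix, hence the prefix match.
$since = (Get-Date).AddDays(-30)
$deletedOus = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and name -like 'Sales*' -and whenChanged -ge $since }

foreach ($ou in $deletedOus) {
    # Start only from the top of each deleted tree: an OU whose own parent is still in the
    # Deleted Objects container will be picked up by the recursion from that parent.
    if ($ou.lastKnownParent -like '*CN=Deleted Objects,*') { continue }
    Restore-DeletedSubtree -Object $ou -Verbose
}
```

Dry-run it first by adding -WhatIf to the Restore-ADObject call, and pin every cmdlet to the same domain controller with -Server if you have replication latency, since a child restore issued to a DC that has not yet seen the parent restore fails with the error quoted above.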
Configuring and Managing Fine-Grained Password Policies Using Active Directory Administrative Center
Configuring Fine-Grained Password Policies
The Active Directory Administrative Center enables you to create and manage Fine-Grained Password Policy (FGPP) objects. Windows Server 2008 introduced the FGPP feature, but Windows Server 2012 has the first graphical management interface for it. You apply Fine-Grained Password Policies at a domain level, and they enable overriding the single domain password policy required by Windows Server 2003. By creating different FGPPs with different settings, individual users or groups get differing password policies in a domain.
For information about the Fine-Grained Password Policy, see AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).
In the Navigation pane, click Tree View, click your domain, click System, click Password Settings Container, and then in the Tasks pane, click New and Password Settings.
Managing Fine-Grained Password Policies
Creating a new FGPP or editing an existing one brings up the Password Settings editor. From here, you configure all desired password policies, as you would have in Windows Server 2008 or Windows Server 2008 R2, only now with a purpose-built editor.
Fill out all required (red asterisk) fields and any optional fields, and then click Add to set the users or groups that receives this policy. FGPP overrides default domain policy settings for those specified security principals. In the figure above, an extremely restrictive policy applies only to the built-in Administrator account, to prevent compromise. The policy is far too complex for standard users to comply with, but is perfect for a high-risk account used only by IT professionals.
You also set precedence and to which users and groups the policy applies within a given domain.
The Active Directory Windows PowerShell cmdlets for Fine-Grained Password Policy are:
Fine-Grained Password Policy cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012. As a convenience, the following diagram illustrates the associated arguments for the cmdlets:
The Active Directory Administrative Center also enables you to locate the resultant set of applied FGPP for a specific user. Right click any user and click View resultant password settings... to open the Password Settings page that applies to that user through implicit or explicit assignment:
Examining the Properties of any user or group shows the Directly Associated Password Settings, which are the explicitly assigned FGPPs:
Implicit FGPP assignment does not display here; for that, you must use the View resultant password settings... option.
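The restrictive-policy-for-Administrator scenario from this section done with the Fine-Grained Password Policy cmdlets, as an added example that is not part of the original article. The policy name and the specific settings are made up for illustration; the built-in Administrator account is located by its well-known RID 500 rather than by name, so a renamed account is still found. The last two commands correspond to the "View resultant password settings..." and "Directly Associated Password Settings" views described above.

```powershell
# Added example, not part of the original article: create a restrictive FGPP, apply it to the
# built-in Administrator account and confirm the resultant and directly assigned policies.
# The policy name and values are constructed for illustration.
Import-Module ActiveDirectory

$policyName = 'PSO-Tier0-Admin'

# Lowest Precedence value wins when a principal is covered by more than one policy.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -Description 'Restrictive policy for the built-in Administrator account' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00'

# Built-in Administrator = <domain SID>-500, whatever the account is currently called.
$admin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $admin

# Resultant policy (explicit or implicit assignment), what ADAC shows under
# "View resultant password settings...".
Get-ADUserResultantPasswordPolicy -Identity $admin |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Explicit assignments only, what the Properties page lists as Directly Associated Password Settings.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.AppliesTo -contains $admin.DistinguishedName } |
    Select-Object Name, Precedence
```

Get-ADUserResultantPasswordPolicy returns nothing when no FGPP applies and the default domain policy is in effect, which is the quickest way to confirm that an assignment through a group did not take.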
Using the Active Directory Administrative Center Windows PowerShell History Viewer
The future of Windows management is Windows PowerShell. By layering graphical tools on top of a task automation framework, management of the most complex distributed systems becomes consistent and efficient. You need to understand how Windows PowerShell works in order to reach your full potential and maximize your computing investments.
The Active Directory Administrative Center now provides a complete history of all the Windows PowerShell cmdlets it runs and their arguments and values. You can copy the cmdlet history elsewhere for study or modification and re-use. You can create Task notes to help isolate which Windows PowerShell commands resulted from your Active Directory Administrative Center actions. You can also filter the history to find points of interest.
The Active Directory Administrative Center Windows PowerShell History Viewer's purpose is for you to learn through practical experience.
Click the chevron (arrow) to show Windows PowerShell History Viewer.
Then, create a user or modify a group's membership. The history viewer continually updates with a collapsed view of each cmdlet that the Active Directory Administrative Center ran with the arguments specified.
Expand any line item of interest to see all values provided to the cmdlet's arguments:
Click the Start Task menu to create a manual notation before you use Active Directory Administrative Center to create, modify, or delete an object. Type in what you were doing. When done with your change, select End Task. The task note groups all of those actions performed into a collapsible note you can use for better understanding.
For example, to see the Windows PowerShell commands used to change a user's password and remove that user from a group:
Selecting the Show All check box also shows the Get-* verb Windows PowerShell cmdlets that only retrieve data.
The history viewer shows the literal commands run by the Active Directory Administrative Center and you might note that some cmdlets appear to run unnecessarily. For example, you can create a new user with:
and do not need to use:
The Active Directory Administrative Center's design required minimal code usage and modularity. Therefore, instead of a set of functions that create new users and another set that modify existing users, it minimally does each function and then chains them together with the cmdlets. Keep this in mind when you are learning Active Directory Windows PowerShell. You can also use that as a learning technique, where you see how simply you can use Windows PowerShell to complete a single task.
Troubleshooting AD DS Management
Introduction to Troubleshooting
Because of its relative newness and lack of usage in existing customer environments, the Active Directory Administrative Center has limited troubleshooting options.
Troubleshooting Options
Logging Options
The Active Directory Administrative Center now contains built-in logging, as part of a tracing config file. Create/modify the following file in the same folder as dsac.exe:
dsac.exe.config
Create the following contents:
The verbosity levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is configurable and writes to the same folder as dsac.exe. The output can tell you more about how ADAC is operating, which domain controllers it contacted, what Windows PowerShell commands executed, what the responses were, and further details.
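A script that writes the tracing config file, as an added example that is not part of the original article. The article gives only the switch name DsacLogLevel, its five level values and the fact that the output file name is configurable; the file layout used here is assumed to be the standard .NET System.Diagnostics trace-switch and trace-listener configuration, the log file name is made up, and the dsac.exe location under System32 is assumed.

```powershell
# Added example, not part of the original article: write dsac.exe.config beside dsac.exe.
# Assumptions: standard .NET System.Diagnostics layout for the DsacLogLevel switch,
# dsac.exe located in %SystemRoot%\System32, log file name chosen here.
$level   = 'Info'             # None, Error, Warning, Info or Verbose
$logFile = 'dsac.trace.log'   # relative name, so it lands in the same folder as dsac.exe

$dsacDir    = Join-Path $env:SystemRoot 'System32'
$configPath = Join-Path $dsacDir 'dsac.exe.config'

if (-not (Test-Path (Join-Path $dsacDir 'dsac.exe'))) {
    throw "dsac.exe not found in $dsacDir; install the AD DS tools (RSAT) or adjust `$dsacDir."
}

$config = @"
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <switches>
      <add name="DsacLogLevel" value="$level" />
    </switches>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <add name="dsacFileListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="$logFile" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>
"@

# Writing under System32 needs an elevated prompt; keep a copy of any existing config.
if (Test-Path $configPath) { Copy-Item $configPath "$configPath.bak" -Force }
Set-Content -Path $configPath -Value $config -Encoding UTF8
"Wrote $configPath with DsacLogLevel=$level. Restart dsac.exe to begin logging to $logFile."
```

Start with Info, as the article suggests; switch to Verbose only while reproducing a crash, and delete or rename the file afterwards so the trace file does not keep growing on an administrator's workstation.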
For example, while using the INFO level, which returns all results except the trace-level verbosity:
DSAC.exe starts
Logging starts
Domain Controller requested to return initial domain information
Domain controller DC1 returned from domain Corp
PS AD virtual drive loaded
Get domain Root DSE Information
Get domain AD recycle bin information
Get AD forest
Get Schema information for supported encryption types, FGPP, certain user information
Get all information about the domain object to display to administrator who clicked on the domain head.
Setting the Verbose level also shows the .NET stacks for each function, but these do not include enough data to be particularly useful except when troubleshooting the Dsac.exe suffering an access violation or crash. The two likely causes of this issue are:
- The ADWS service is not running on any accessible domain controllers.
- Network communications are blocked to the ADWS service from the computer running the Active Directory Administrative Center.
Important
There is also an out-of-band version of the service called the Active Directory Management Gateway, which runs on Windows Server 2008 SP2 and Windows Server 2003 SP2.
The errors shown when no Active Directory Web Services instances are available are:

| Error | Operation |
|---|---|
| 'Cannot connect to any domain. Refresh or try again when connection is available' | Shown at start of the Active Directory Administrative Center application |
| 'Cannot find an available server in the domain that is running the Active Directory Web Service (ADWS)' | Shown when trying to select a domain node in the Active Directory Administrative Center application |
To troubleshoot this issue, use these steps:
Validate the Active Directory Web Services service is started on at least one domain controller in the domain (and preferably all domain controllers in the forest). Ensure that it is set to start automatically on all domain controllers as well.
From the computer running the Active Directory Administrative Center, validate that you can locate a server running ADWS by running these NLTest.exe commands:
If those tests fail even though the ADWS service is running, the issue is with name resolution or LDAP and not ADWS or Active Directory Administrative Center. This test fails with error '1355 0x54B ERROR_NO_SUCH_DOMAIN' if ADWS is not running on any domain controllers though, so double-check before reaching any conclusions.
On the domain controller returned by NLTest, dump the listening port list with command:
Examine the ports.txt file and validate that the ADWS service is listening on port 9389. Example:
If listening, validate the Windows Firewall rules and ensure that they allow 9389 TCP inbound. By default, domain controllers enable firewall rule 'Active Directory Web Services (TCP-in)'. If not listening, validate again that the service is running on this server and restart it. Validate that no other process is already listening on port 9389.
Install NetMon or another network capture utility on the computer running Active Directory Administrative Center and on the domain controller returned by NLTEST. Gather simultaneous network captures from both computers, where you start Active Directory Administrative Center and see the error before stopping the captures. Validate that the client is able to send to and receive from the domain controller on port TCP 9389. If packets are sent but never arrive, or arrive and the domain controller replies but they never reach the client, it is likely there is a firewall in between the computers on the network dropping packets on that port. This firewall may be software or hardware, and may be part of third party endpoint protection (antivirus) software.
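The ADWS reachability checks from the steps above, collected into one added PowerShell script that is not part of the original article. It assumes the domain corp.contoso.com, Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7), WinRM access to the domain controller for the listening-port and firewall-rule checks, and takes the domain controller name from the nltest locator output at run time. It covers everything before the network capture step; a false TcpTestSucceeded with the service confirmed listening is the point at which the capture becomes worthwhile.

```powershell
# Added example, not part of the original article: check DC location, ADWS service state,
# listening port 9389, the built-in firewall rule and end-to-end TCP reachability.
# Assumed domain name: corp.contoso.com. Needs RSAT, Windows PowerShell 5.1 and WinRM to the DC.
Import-Module ActiveDirectory

$domain   = 'corp.contoso.com'
$adwsPort = 9389

# 1. Locate a DC that advertises the Active Directory Web Service (/ws). nltest fails with
#    1355 ERROR_NO_SUCH_DOMAIN when no DC in the domain is running ADWS, which is not a DNS fault.
$locator = nltest "/dsgetdc:$domain" /ws /force 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "No ADWS-capable DC found for $domain. nltest output: $($locator -join ' ')"
}
$dcLine = $locator | Where-Object { $_ -match 'DC:\s+\\\\' } | Select-Object -First 1
$dc = ($dcLine -split '\\\\')[-1].Trim()      # "DC: \\DC1.corp.contoso.com" -> DC1.corp.contoso.com
"ADWS-capable domain controller: $dc"

# 2. ADWS service state and start type on that DC; it should be Running and Automatic.
$svc = Get-Service -Name ADWS -ComputerName $dc
"ADWS on ${dc}: status $($svc.Status), start type $($svc.StartType)"

# 3. On the DC: what is listening on TCP 9389, and is the inbound firewall rule enabled?
Invoke-Command -ComputerName $dc -ArgumentList $adwsPort -ScriptBlock {
    param($port)
    Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
    Get-NetFirewallRule -DisplayName 'Active Directory Web Services (TCP-in)' |
        Select-Object DisplayName, Enabled, Direction, Action
}

# 4. End-to-end TCP reachability from this client. False here, with the service listening and
#    the rule enabled, points at a firewall between the two computers dropping port 9389.
$tcp = Test-NetConnection -ComputerName $dc -Port $adwsPort
"TCP $adwsPort from this client to ${dc}: $($tcp.TcpTestSucceeded)"
```

If step 3 shows a process other than the ADWS service owning port 9389, that is the "another process is already listening" case in the text and the service will keep failing to start until that process is moved.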