U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Clicking the Finish Button

When you click the Finish button, U-Move will load Active Directory into the computer. During this process your computer will reboot.

Your computer (and Active Directory) will be ready when the logon prompt appears.

How to Cancel

You can interrupt the procedure by clicking the Cancel button. U-Move will stop and roll back all pending changes to the computer.

Execution Time

It will typically take about 15-30 minutes for the operation to complete. The actual time will depend on the size of the .BKF file and how fast your computer can reboot.

If you have a large NTDS.DIT database (more than one gigabyte) the procedure may take additional time depending on the speed of your disk drive.

If you are moving large application databases such as Exchange or SharePoint, extra time will be required.

During the first boot, if you are booting the first domain controller in a domain and the other domain controllers are not present, Windows may pause up to 15 minutes while booting as it searches for the other domain controllers. During this time Windows will display the message “Preparing network connections...” The delay is normal.

In rare cases it may take up to 30 minutes to complete the first boot. This can happen if DNS is not configured correctly. Be patient and the computer will eventually finish startup and present the logon screen.

Benign Error Messages During Normal Operation

The following error messages may appear in the Event Log after booting the domain controller. The messages are benign and can be ignored.

Windows Server 2019-2022:

  • CAPI2: “Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.” (Event ID 513). See support.microsoft.com/help/3209092/event-id-513-when-running-vss-in-windows-server.
  • DistributedCOM: “Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error: "0" Happened while starting this command: C:\Windows\System32\vdsldr.exe -Embedding” (Event ID 10000)
  • NTDS Database: “The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.” (Event ID 2886) KB935834.
  • NTDS Performance Counters: “Windows cannot load extensible counter DLL "C:\Windows\system32\ntdsperf.dll" (Win32 error code The specified module could not be found.)” (Event ID 1023) KB4516077.
  • User Device Registration: “Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d.” and “Automatic registration failed at join phase. Exit code: Unknown, HResult Error code: 0x801c001d” (Event IDs 307 and 304). See support.microsoft.com/help/4480781/event-id-307-and-304-logged-after-deploying-windows-device.
  • WinRM: “The WinRM service failed to create the following SPNs: WSMAN/myhost.com; WSMAN/MyComputerName.”

Windows Server 2012-2016:

  • KDC: “The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified.” (Event ID 29). See KB967623.
  • SChannel: “No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the Internet Information Server, are not affected by this.”
  • ADWS: “Active Directory Web Services could not find a server certificate with the specified name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.” (Event ID 1400)
  • Microsoft-Windows-PerfNet: “Unable to read Server Queue performance data from the Server service.” (Event ID 2006) KB2279566.
  • MSSQL$MICROSOFT##WID: “The service master key could not be force regenerated as requested by the -F startup option. The error number is 33094.” (Windows Internal Database)
  • Service Control Manager: “The Data Sharing Service service terminated with the following error: %%3239247874” (Windows Server 2016)

Error Messages During the First 30 Minutes

When booting for the first time, some error messages may appear in the Event Log during the first 30 minutes. These error messages are normal and can be ignored. The normal error messages include those generated by NetLogon and the NT Directory Service while waiting for the initial dynamic DNS registration of the domain controller and the Global Catalog for the first time.

AD should stabilize within 30 minutes and the error messages will stop automatically.

The normal temporary error messages include the following:

  • Active Directory Web Services: “The computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.” (Event ID 1202)
  • DFSR: “The DFS Replication service failed to contact the domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling interval which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, or Active Directory Domain Services, or DNS issues.” (Event ID 1202).
  • DfsSvc: “The DFS Namespace service could not initialize cross forest trust information on this domain controller, but will periodically retry the operation.” (Event ID 14550).
  • DNS: “The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone.” (Event ID 4000)
  • DNS: “The DNS server was unable to open zone _msdcs.mydomain.com in the Active Directory from the application partition ForestDnsZones.mydomain.com. The DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone.” (Event ID 4007)
  • DNS: “The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller.” (Event ID 4013)
  • GroupPolicy: “The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed.” (Event ID 1129)
  • GroupPolicy: “The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.” (Event ID 1054)
  • NetLogon: “Dynamic registration or deletion of one or more DNS records associated with DNS domain MyDomain failed.” (Event ID 5781/5782)
  • NetLogon: “The computer was not able to set up a secure session with a domain controller in domain DomainName due to the following: There are currently no logon servers available to service the logon request.” (Event ID 5719)
  • LsaSrv: “The Security System detected an authentication error for the server MyServer. The failure code from authentication protocol Kerberos was 'There are currently no logon servers available to service the logon request.'” (Event ID 40960)
  • LsaSrv: “The Security System could not establish a secured connection with the server ldap/myhost.com@MYHOST.COM. No authentication protocol was available.” (Event ID 40961)
  • NTDS Database: “This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.” (Event ID 2092) Note: This is a very common error message during the initial boot.
  • NTDS General: “Active Directory attempted to communicate with the global catalog and the attempts were unsuccessful. Global catalog: ComputerName” (Event ID 1655)
  • NTDS General: “Active Directory was unable to establish a connection with the global catalog.” (Event ID 1126)
  • NTDS KCC: “The local domain controller interrupted replication with the following remote domain controller because it identified a change to an object where the object is to be garbage collected now. If this replication took place, it could cause a lingering object. The local domain controller will initiate an immediate garbage collection cycle.” (Event ID 2145) (This error message is very common when the DC writes its own Internet address into a new DNS Record object in DomainDnsZones in its local copy of Active Directory during the first boot.)
  • NTDS Replication: “Active Directory could not resolve the following DNS host name of the domain controller to an IP address: ComputerName” (Event ID 2087)
  • System: “Name resolution for the name mydomain.com timed out after none of the configured DNS servers responded.” (Event ID 1014)
  • EventSystem: “The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line xxx of D:\rtm\com\complus...” (Event ID 4609). This normal error message appears during shutdown because Active Directory was not running.
  • NtFrs: “File Replication Service is scanning the data in the system volume. Computer cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.” (Event ID 13566)
  • NtFrs: “The File Replication Service moved the preexisting files in C:\windows\sysvol\domain to C:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.” (Event ID 13520).
  • Userenv: “Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted.) Group Policy processing aborted.” (Event ID 1054).
  • VSS: “Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 8207. Check connection to domain controller and VssAccessControl registry key.” (Event ID 8230).

The error messages shown above are normal during the first 30 minutes. If the above messages persist after 30 minutes you may need to troubleshoot your DNS settings.
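
One way to apply the 30-minute rule above when reviewing the Event Log, as an added example (not U-Tools code). The helper name Get-FirstBootEventTriage is hypothetical; the script assumes the most recent boot is the first boot after U-Move finished, that the listed log names exist on the domain controller, and that matching on Event ID alone is precise enough for a first pass.

```powershell
# Added example (not U-Tools code). Event IDs are copied from the lists on this page;
# matching on ID alone, without the event source, is a simplifying assumption.
# Entries the page lists without an Event ID (WinRM, SChannel, ...) show up as NotListed.
$BenignIds    = 513, 10000, 2886, 1023, 307, 304, 29, 1400, 2006
$TransientIds = 1202, 14550, 4000, 4007, 4013, 1129, 1054, 5781, 5782, 5719, 40960,
                40961, 2092, 1655, 1126, 2145, 2087, 1014, 4609, 13566, 13520, 8230

function Get-FirstBootEventTriage {          # hypothetical helper name
    param(
        [object[]] $Events,                  # objects exposing TimeCreated, Id, ProviderName
        [Parameter(Mandatory)] [datetime] $BootTime,
        [int] $GraceMinutes = 30             # stabilization window stated on this page
    )
    $cutoff = $BootTime.AddMinutes($GraceMinutes)
    foreach ($e in $Events) {
        $status = if     ($BenignIds -contains $e.Id)       { 'Benign' }
                  elseif ($TransientIds -notcontains $e.Id) { 'NotListed' }
                  elseif ($e.TimeCreated -le $cutoff)       { 'TransientExpected' }
                  else                                      { 'PersistsAfterWindow' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Log         = $e.LogName
            Provider    = $e.ProviderName
            Id          = $e.Id
            Status      = $status
        }
    }
}

# Assumptions: the most recent boot is the first boot after U-Move finished, and these
# log names exist on the domain controller (missing or empty logs are skipped).
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$logs = 'System', 'Application', 'Directory Service', 'DNS Server',
        'DFS Replication', 'Active Directory Web Services'
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $boot } `
                 -ErrorAction SilentlyContinue   # Level 2 = Error, 3 = Warning
}

# Show only what needs attention: listed-transient events still firing after the
# window (the page points to DNS settings) and events the page does not list.
Get-FirstBootEventTriage -Events @($events) -BootTime $boot |
    Where-Object Status -in 'PersistsAfterWindow', 'NotListed' |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Log, Provider, Id, Status -AutoSize
```

Run it from an elevated PowerShell prompt on the domain controller once the logon prompt has appeared; pass a different -BootTime if the computer has rebooted again since the first boot.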

See also the topics Results of Moving Active Directory, and Unattended Operation.