I am trying to run the Add-KdsRootKey command on a 2012 R2 domain controller for AD FS setup and am receiving the following error:

Add-KdsRootKey : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
At line:1 char:1
+ Add-KdsRootKey
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-KdsRootKey], COMException
    + FullyQualifiedErrorId : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B),Microsoft.KeyDistributionService.Cmdlets.AddKdsRootKeyCommand

I am attempting this command because the AD FS installation wizard is throwing an error.

I have two 2012 R2 domain controllers as well as two 2008 R2 domain controllers. I was led to believe that as long as one 2012 R2 controller was in the domain this would work.

I am not sure what steps to take at this point.

  • If you need that DC OS mix, troubleshooting may take time. I've also had issues in my lab when I had a mix of 2008 R2 and 2012 R2 based DCs and was attempting to use a gMSA for AD FS. I've only tried this recently so I haven't yet fully investigated it. I am more interested in the inability to run the Add-KdsRootKey cmdlet. What happens if you run the command below on the DC? "nltest /dsgetdc:contoso.com /DS_8 /writable /ret_dns". Replace contoso.com as appropriate. Raise an MS support case if you need quicker resolution than what a forum post will provide. – maweeras Dec 05 '15 at 17:01

1 Answer

Turns out the issue was specific to my environment (2008/2012 mix). Apparently the sysvol/netlogon shares were not replicating correctly, causing all sorts of issues. I did the registry hack to set the BurFlags in order to force a reinitialization of the shares. I also transferred FSMO roles from the 2008 DC to one of the 2012 R2 DCs. This seemed to help as well.
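The following PowerShell is an added example, not code from the question, the comment or the answer above. It bundles the pre-flight checks the thread touches on into one script to run on a 2012 R2 DC before retrying Add-KdsRootKey: whether a KDS root key already exists, whether the DC locator can find a writable DC (HRESULT 0x8007054B is Win32 error 1355, ERROR_NO_SUCH_DOMAIN, a locator failure, which is why the nltest check in the comment is the right first step), which DCs run which OS and hold which FSMO roles, whether SYSVOL and NETLOGON are shared on every DC, and what the FRS BurFlags value currently is. It assumes an elevated session as a Domain Admin with the ActiveDirectory and Kds modules installed and PowerShell remoting (WinRM) reachable on the other DCs for the registry read; nothing in the domain is hard-coded, the domain name is read from Get-ADDomain.

```powershell
# Added example: pre-flight checks before Add-KdsRootKey in a mixed 2008 R2 / 2012 R2 domain.
# Assumptions: elevated PowerShell on a 2012 R2 DC, Domain Admin, ActiveDirectory + Kds modules,
# WinRM reachable on the other DCs (needed only for the BurFlags read).
Import-Module ActiveDirectory
Import-Module Kds

$domain = (Get-ADDomain).DNSRoot

# 1. A KDS root key is created once per forest. If one already exists, do not add another
#    just because the AD FS wizard complained; look at EffectiveTime instead.
$existing = Get-KdsRootKey
if ($existing) {
    $existing | Select-Object KeyId, EffectiveTime, CreationTime, DomainController | Format-Table -AutoSize
} else {
    Write-Host "No KDS root key present in this forest."
}

# 2. 0x8007054B = Win32 1355 ERROR_NO_SUCH_DOMAIN: the DC locator could not return a suitable DC.
#    Ask for a writable DC the same way the comment above suggests.
nltest "/dsgetdc:$domain" /writable /ret_dns

# 3. OS mix and FSMO placement. Add-KdsRootKey must run against a 2012+ DC, and the answer
#    moved the roles off the 2008 R2 DC, so show where they currently sit.
$dcs = Get-ADDomainController -Filter *
$dcs |
    Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog,
        @{ n = 'FSMO'; e = { ($_.OperationMasterRoles -join ',') } } |
    Format-Table -AutoSize

# 4. SYSVOL / NETLOGON must be shared on every DC. A DC that has not finished its initial
#    sync does not share them, and clients (and the KDS cmdlets) behave oddly against it.
#    BurFlags only exists when SYSVOL is still replicated by FRS (0xD2 = non-authoritative
#    restore, 0xD4 = authoritative restore; absent/0 = normal).
foreach ($dc in $dcs) {
    $h = $dc.HostName
    [pscustomobject]@{
        DC       = $h
        SYSVOL   = Test-Path "\\$h\SYSVOL"
        NETLOGON = Test-Path "\\$h\NETLOGON"
        BurFlags = Invoke-Command -ComputerName $h -ErrorAction SilentlyContinue -ScriptBlock {
            # The key name contains a literal '/', which the HKLM: provider treats as a
            # separator, so open it through .NET instead.
            $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
            if ($k) { '0x{0:X}' -f $k.GetValue('BurFlags', 0) } else { 'n/a (no FRS key)' }
        }
    }
}

# 5. Is SYSVOL on FRS or already migrated to DFSR? BurFlags is meaningless after migration.
#    (dfsrmig needs the 2008 domain functional level or higher; it reports an error otherwise.)
dfsrmig /getglobalstate

# 6. Only after 1-5 look healthy, create the key. In production:
#       Add-KdsRootKey -EffectiveImmediately     # still waits ~10 h for replication before use
#    In a lab where you accept the replication risk:
#       Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
```

Run it on the 2012 R2 DC you intend to use for Add-KdsRootKey. A DC listed with SYSVOL or NETLOGON = False, or with a non-zero BurFlags that never clears, is the replication problem the answer describes and should be fixed before the key is added; the step-6 commands are left commented out deliberately so the script is read-only.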