A small addendum to the March/April patchday for Windows: under Windows Server 2008/R2, netdom.exe was broken after installation of the SHA-2 update. The security update KB4493448 from April 2019 fixes this again.
What's the problem?
This topic only affects administrators in enterprise environments working with Windows domains on Windows Server 2008 and Windows Server 2008 R2. The bug is fixed with the security updates of April 9, 2019. However, since there were issues with these updates on systems with third-party antivirus programs installed, the information or fix has probably not yet reached all administrators. Therefore I will discuss the topic below.
Support for SHA-2 code signing is required
As of March 2019, Microsoft offered the security update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019), which provides support for SHA-2 signature evaluation for these operating systems. I had discussed this in the blog posts Windows 7: From April 2019 'SHA-2-Support' is required and SHA-2 patch for Windows 7 arrives on March 2019.
Security update KB4474419 kills netdom
Admins who installed the security update KB4474419 on Windows Server 2008 and Windows Server 2008 R2 ran into issues: the program netdom.exe no longer worked afterwards. No matter what parameters are passed to the program, the error message "The command was not executed correctly" appears. German blog reader Peter had left a comment in the blog on March 14, 2019.
German blog reader Disto has also reported this in a comment and writes that on Windows 7 and Windows Server 2008 R2 the "netdom query" command no longer works. Disto then linked to the Technet forum article 2008R2 – Netdom.exe Broken, where the whole thing is also discussed.
In this serverfault.com forum thread, administrators discuss the bug as well. One user proposed a workaround: he simply took an old copy of netdom.exe from before the March 2019 update and copied it back to the machine. The older version can be taken from the RSAT tools, as MVP Dave Patrick notes here. Another user, MS_Tizzy, states that he fixed the problem by uninstalling two updates:
We did uninstall KB4489885, restart and then uninstall KB4489878 and we did recover old netdom.exe version.
Later, Microsoft probably added the known issue in its KB articles on the updates of March 12, 2019. For update KB4489878 it says:
After installing this update, NETDOM.EXE fails to run, and the on-screen error, "The command failed to complete successfully." appears.
As an alternative, another command-line utility or a graphical tool such as PowerShell, NLTEST.EXE, Active Directory Users and Computers (DSA.MSC), or the Active Directory Domains and Trusts snap-in (domain.msc) can be used.
April Update KB4493472 with Netdom Fix
But these tricks are no longer necessary because Microsoft fixed the problem in April 2019. The KB article on KB4493472 states in the list of fixes:
Addresses an issue in which netdom.exe fails to run, and the error, "The command failed to complete successfully" appears.
The known bug has been fixed with this update. Blog reader Peter pointed this out here on April 30, 2019. Thanks for that!
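To check where a given server stands, the following PowerShell sketch (an added example, not part of the original post or of any Microsoft tooling) lists which of the updates named above are installed and tests whether netdom.exe actually runs. The KB numbers are the ones from this article; the choice of `netdom query fsmo` as the test command and the assumption of a domain-joined machine are mine.

```powershell
# Added example. KB numbers come from the article; everything else is assumed.
$marchUpdates = 'KB4474419', 'KB4489878', 'KB4489885'  # tied to the breakage in the article
$aprilUpdates = 'KB4493472', 'KB4493448'               # named in the article as fixing netdom

# List all installed updates once and filter locally, so that a missing KB
# does not raise an error (works with PowerShell 2.0 on Server 2008 R2).
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
               ForEach-Object { $_.HotFixID })

function Select-Installed([string[]]$Ids) {
    @($Ids | Where-Object { $installed -contains $_ })
}

$marchFound = Select-Installed $marchUpdates
$aprilFound = Select-Installed $aprilUpdates

# Functional check: run a read-only query and record the exit code.
# Assumption: the machine is domain-joined; on a workgroup machine the
# query fails for reasons unrelated to the bug described here.
$netdom   = Join-Path $env:SystemRoot 'System32\netdom.exe'
$version  = $null
$exitCode = $null
$message  = 'netdom.exe not found in System32'
if (Test-Path $netdom) {
    $version  = (Get-Item $netdom).VersionInfo.FileVersion
    $message  = (& $netdom query fsmo 2>&1 | Out-String).Trim()
    $exitCode = $LASTEXITCODE
}

# One object per host, easy to collect from several servers and compare.
$report = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    MarchUpdates   = ($marchFound -join ', ')
    AprilUpdates   = ($aprilFound -join ', ')
    NetdomVersion  = $version
    NetdomExitCode = $exitCode
    NetdomOutput   = $message
}
$report | Select-Object Computer, MarchUpdates, AprilUpdates,
                        NetdomVersion, NetdomExitCode, NetdomOutput |
          Format-List
```

On a server patched after April 2019, a later cumulative rollup may be listed instead of the April KBs, so an empty `AprilUpdates` field alone does not mean the fix is missing; the exit code and output of netdom.exe are the decisive result.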
What is Netdom?
Finally, a short note for fellow readers who wonder what netdom.exe does. The program Netdom allows administrators to reset computer account passwords of a Windows Server domain controller under Windows Server 2019, Windows Server Standard 2016, Windows Server 2012 R2 Standard and Windows Server 2008 R2 Standard. Microsoft has described this in more detail in this support article.
Similar articles
Windows 7: From April 2019 'SHA-2-Support' is required
SHA-2 patch for Windows 7 arrives on March 2019