Windows Server: Active Directory domain controller boots to stop code 0xC00002CB

DCs within a forest fail to boot into normal mode but boot successfully into Directory Services Restore Mode (DSRM). Attempting to boot a DC into normal mode results in error 0xC00002CB. This error code is not well documented publicly.

This issue likely affects all DCs in the forest but only becomes apparent when an affected DC is rebooted. Any DCs which are still operational should not be rebooted until the issue is resolved.

The resolution provided in this article requires at least one DC running in normal mode. If no DC in the forest can boot into normal mode, an authoritative restore of the Claims Configuration object (see below) is likely the only option. The steps for performing this authoritative restore are not covered in this article.
 

This issue can be caused if the following object is missing from Active Directory:

CN=Claims Configuration,CN=Services,CN=Configuration,DC=domain,DC=suffix

To confirm the issue, perform the following steps:

1. On an operational DC, launch ADSI Edit (adsiedit.msc).
2. From the Action menu, select Connect to...
3. From the dropdown list under Select a well known naming context, select Configuration, and click OK.
4. In the left pane, expand Configuration.
5. Expand CN=Configuration, DC=domain, DC=suffix.
6. Expand CN=Services and look for an object named CN=Claims Configuration.
7. If the Claims Configuration object is missing, proceed with the steps in the Resolution section below. Otherwise, do not proceed; this article is not applicable to your issue.

To resolve the issue, perform the following steps:
 

1. Still within the same location in ADSI Edit, look a few lines above CN=Services in the left pane and locate CN=ForestUpdates. Select this container object.
2. In the center pane, right-click CN=ActiveDirectoryUpdate and select Properties.
3. In the properties window, locate the revision attribute. The value of this attribute depends on the AD forest functional level:
   • Windows Server 2008: 2
   • Windows Server 2008 R2: 5
   • Windows Server 2012: 11
   • Windows Server 2012 R2: 15
   • Windows Server 2016: 16
4. Select the revision attribute and click Edit. Change the value to the previous version. (For example, if the value is 15, set it to 11.) Click OK to confirm the change.
5. In the left pane, expand CN=ForestUpdates and select the CN=Operations container object beneath it.
6. The center pane should show container objects with GUIDs for their names. Select these objects and delete them. The CN=Operations container should be empty after this.
7. Close ADSI Edit.
8. Locate operating system installation media which corresponds to the current AD forest functional level. (For example, if the forest functional level is Windows Server 2012 R2, use the Windows Server 2012 R2 installation media. If the functional level is Windows Server 2016, then either Windows Server 2016 or 2019 installation media may be used.) Insert the DVD or mount the ISO image, as appropriate.
9. From an elevated command prompt, go to X:\support\adprep. (Replace X with the drive letter of the DVD drive or mounted ISO image in the previous step.)
10. Run adprep /forestprep and ensure that it finishes without errors. This re-creates the missing Claims Configuration object, its child objects, and the container objects that were deleted in step 6.
11. Dismount the ISO image, if it was used in the preceding steps.

The issue should now be resolved on the local domain controller. The changes made replicate to any DCs which are still running in normal mode. The normal AD replication schedule applies to these changes, but replication can be forced using variations of the repadmin /syncall command.