Installation of Windows Domain Controller on an existing SharePoint Farm

A couple of weeks ago I faced with an interesting challenge. I have been upgrading our development machine that contained an existing Farm of SharePoint 2013 running in a workgroup of Windows 2012.

After I have installed a Windows Domain Controller on this machine the SharePoint Farm has stopped working.

Error message

Any attempts to connect to a Farm via browser or Powershell immediately failed with a very misleading error message that read as

This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2010 Products.

Yes, namely a legacy message for SharePoint 2010 was visible on the failed Farm of 2013.

Anyway, the error looked quite familiar to me. I had seen this message many times before in our data migration projects and the reason was usually related to insufficient permissions of the application pool and (or) Farm account on the configuration database.

But this time, the reason was different.

The actual reason

Installation of a Domain Controller significantly tightens security permissions on the registry hives and certain folders of the file system in compare with more permissive settings in a Workgroup setup.

How to repair your SharePoint Farm

The required steps read as:

• Open Start > Run > regedit.exe > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure > Right mouse button > Permissions...

• Grant "Read" permissions to the domain group DOMAIN\WSS_WPG and "Full Control" to the domain group DOMAIN\WSS_Admin_WPG.

• Open Properties > Security tab of the folder ‪C:\ProgramData\Microsoft\SharePoint

• Grant "Read & Execute" permissions to the domain group DOMAIN\WSS_WPG and "Full Control" to the domain group DOMAIN\WSS_Admin_WPG
• This should eliminate the problems with Distributed Cache permissions visible in the ULS logs.
• Reprovision Distributed Cache via SharePoint's PowerShell
• Use-CacheCluster
• Get-CacheHost -- > It can show "DOWN" in the status, in this case, execute the next 4 lines
• Stop-SPDistributedCacheServiceInstance -Gracefully
• Remove-SPDistributedCacheServiceInstance
• Add-SPDistributedCacheServiceInstance
• Get-CacheHost --> This time, it must show "UP" in the status
• Open Properties > Security tab of the folder ‪C:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications
• Grant "Read & Execute" permissions to the domain group DOMAIN\WSS_WPG and "Full Control" to the domain group DOMAIN\WSS_Admin_WPG
• This step should fix weird looking errors visible in the Content Search Web Parts and in the Search Scheme