Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Installing MBAM on a Domain Controller is not supported



Symptoms

Consider the following scenario:
  • You have a system running Windows Server 2008 or Windows Server 2008 R2.
  • The server has the Active Directory Domain Services role installed.
  • When you run Microsoft BitLocker Administration and Monitoring (MBAM) setup, the installation fails.
  • You notice the following error logged in the MBAMSetup.log file:
Populating Groups

Locating group 'MBAM Report Users'
Adding 'S-1-5-21-1439336290-1767738825-2630487909-500' to group 'MBAM Report Users'
Locating group 'MBAM Recovery and Hardware DB Access'
Adding 'S-1-5-20' to group 'MBAM Recovery and Hardware DB Access'
Exception: A new member could not be added to a local group because the member has the wrong account type.

StackTrace:
at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p)
at Microsoft.Windows.Mdop.BitlockerManagement.SetupCAs.Groups.CreateGroupsDeferred(Session session)

InnerException:Exception: A new member could not be added to a local group because the member has the wrong account type.
InnerException:StackTrace:   
at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Add(String bstrNewItem)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
CustomAction MbamCreateGroupsDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Note: MBAM logs can be collected by running MBAM Setup with the following command from an elevated command prompt.

mbamsetup.exe /lvx c:\mbam.log
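
Added example (not part of the original KB article and not Microsoft tooling): a short Python triage script that reads a log collected this way and reports which member and group the failing group-population step was handling. The function names and the abridged sample log are constructed for illustration; the well-known SID names are standard Windows values.

```python
import re

# Constructed sample: abridged from the MBAMSetup.log excerpt shown in this article.
SAMPLE_LOG = """\
Populating Groups
Locating group 'MBAM Report Users'
Adding 'S-1-5-21-1439336290-1767738825-2630487909-500' to group 'MBAM Report Users'
Locating group 'MBAM Recovery and Hardware DB Access'
Adding 'S-1-5-20' to group 'MBAM Recovery and Hardware DB Access'
Exception: A new member could not be added to a local group because the member has the wrong account type.
CustomAction MbamCreateGroupsDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
"""

ADD_RE = re.compile(r"Adding '(?P<sid>S-[\d-]+)' to group '(?P<group>[^']+)'")
EXC_RE = re.compile(r"^\s*Exception:\s*(?P<error>.+)$")  # skips "InnerException:..." lines
CA_RE = re.compile(r"CustomAction (?P<name>\S+) returned actual error code (?P<code>\d+)")

# Well-known service SIDs (standard Windows values).
WELL_KNOWN = {"S-1-5-18": "LOCAL SYSTEM", "S-1-5-19": "LOCAL SERVICE",
              "S-1-5-20": "NETWORK SERVICE"}

def describe_sid(sid):
    """Name a SID without a directory lookup, where that is possible."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if re.fullmatch(r"S-1-5-21(-\d+){3}-500", sid):
        return "built-in Administrator (RID 500)"
    return "unresolved"

def triage(log_text):
    """Return details of the first failed group add, or None if no failure is logged."""
    last_add, failure, action = None, None, {}
    for line in log_text.splitlines():
        add, exc, ca = ADD_RE.search(line), EXC_RE.match(line), CA_RE.search(line)
        if add and failure is None:
            last_add = add.groupdict()  # most recent add attempted before any exception
        elif exc and failure is None and last_add:
            failure = dict(last_add, account=describe_sid(last_add["sid"]),
                           error=exc["error"].strip())
        elif ca:
            action = {"custom_action": ca["name"], "code": int(ca["code"])}
    if failure is None:
        return None
    failure.update(action)
    return failure

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the report points at the NETWORK SERVICE SID being added to 'MBAM Recovery and Hardware DB Access', followed by the MbamCreateGroupsDeferred custom action returning 1603.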



Cause

This is a known issue in the product.



Workaround

Do not install MBAM on a server that has the Active Directory Domain Services role installed.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



Keywords: kbtshoot, kb


Article Info
Article ID : 2712461
Revision : 1
Created on : 1/7/2017
Published on : 3/6/2015
Exists online : False