
FSRM role fails to install or update on an RODC that is running Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016



Issue 1

An attempt to install the File Server Resource Manager (FSRM) feature from the File and Storage Services role on Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016 is rolled back after restart without any warning or error being displayed.

The commands to install the FSRM feature are as follows:

dism /online /enable-feature /featurename:FSRM-infrastructure /all
dism /online /enable-feature /featurename:FSRM-Management /all

Issue 2

Assume that you enable the roles on the server, and then you change the server to a Read Only Domain Controller (RODC). When you try to install a Windows Server 2016 cumulative update on the server, the update installation is rolled back and you receive this event:

Known affected updates as of October 2018 are listed as follows:

KB4088787, KB4088889, KB4096309, KB4093120, KB4093119, KB4103723, KB4103720, KB4284880, KB4284833, KB4338814, KB4345418, KB4338822, KB4346877, KB4343887, KB4343884, KB4457131, KB4457127, KB4462917, KB4462928

Note: Older updates may also be affected.



This can happen if the server has already been configured as an RODC. When the FSRM component is being installed or updated, it attempts to create new local security groups on that server. If the server is a domain controller, it attempts to create the group in the domain. This is not possible on an RODC, because writes to the account database are not allowed. Additionally, the Trusted Installer does not know how to find a writable domain controller during the feature installation.



To fix the issue, install the FSRM roles on a read-write domain controller (RWDC). The group will replicate to the RODCs. Alternatively, run the following command on an RWDC to create the Access-Denied Assistance Users group, and then try the installation again:
net localgroup "Access-Denied Assistance Users" /domain /add
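
A pre-flight check for the condition described above, as an added PowerShell example that is not part of the original article or Microsoft's code. It assumes an elevated session on the affected server with the ActiveDirectory module installed; the output property names are illustrative.

```powershell
# Added example (not Microsoft's code). Reports whether this server is an RODC
# that is still missing the domain group FSRM setup tries to create.
# Assumption: the ActiveDirectory module is present (AD DS management tools).
Import-Module ActiveDirectory -ErrorAction Stop

$groupName = 'Access-Denied Assistance Users'               # group named in the article
$cbsLog    = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'   # log path named in the article

# Win32_ComputerSystem.DomainRole 4 or 5 means the machine is a domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -in 4, 5

$isRodc = $false
$group  = $null
if ($isDc) {
    # IsReadOnly is $true when the local domain controller is an RODC.
    $isRodc = (Get-ADDomainController -Identity $env:COMPUTERNAME).IsReadOnly

    # Query the local replica: the group must have replicated to this DC
    # before the FSRM install or the cumulative update is retried.
    $group = Get-ADGroup -Server $env:COMPUTERNAME `
                         -Filter "SamAccountName -eq '$groupName'"
}

# Collect the most recent CBS.log lines that mention the group, if the log exists.
$hits = @()
if (Test-Path -Path $cbsLog) {
    $hits = @(Select-String -Path $cbsLog -SimpleMatch $groupName |
              Select-Object -Last 5)
}

# Summary object (property names are illustrative).
[pscustomobject]@{
    IsDomainController = $isDc
    IsReadOnlyDC       = $isRodc
    GroupExistsLocally = [bool]$group
    CbsLogMentions     = $hits.Count
}

if ($isRodc -and -not $group) {
    Write-Warning "RODC without '$groupName': create the group on an RWDC, wait for replication, then retry."
}

# Print the matching log lines for review.
$hits | ForEach-Object { $_.Line }
```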


More Information

To confirm the scenario with logging on Windows Server 2016, gather %systemroot%\Logs\CBS\CBS.log. The sample logging below shows the advanced installer "Group Trustee Online Installer" failing to install the group "Access-Denied Assistance Users":



Article Info
Article ID : 2973343
Revision : 11
Created on : 11/5/2018
Published on : 11/5/2018