Microsoft Knowledge Base Archive

Symptoms

Issue 1

Attempting to install the File Server Resource Manager (FSRM) feature from the File and Storage Services role on Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016 rolls back after restart without any warning or error displayed.

The command to install FSRM reature is as follows:

dism /online /enable-feature /featurename:FSRM-infrastructure /all
dism /online /enable-feature /featurename:FSRM-Management /all

Issue 2

Assume that you enable the roles on the server, and then you change the server to a Read Only Domain Controller (RODC). When you try to install a Windows Server 2016 cumulative update on the server, the update installation is rolled back and you receive this event:

Log Name:      System
Source:        Microsoft-Windows-WindowsUpdateClient
Event ID:      20
Task Category: Windows Update Agent
Level:         Error
Keywords:      Failure,Installation

Description:
Installation Failure: Windows failed to install the following update with error 0x800F0841: 2018-10 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4462917).

0x800F0922:
CBS_E_INSTALLERS_FAILED cbsapi.h
Processing advanced installers and generic commands failed.

Known affected updates as of October 2018 is listed as follows:

KB4088787, KB4088889, KB4096309, KB4093120, KB4093119, KB4103723, KB4103720, KB4284880, KB4284833, KB4338814, KB4345418, KB4338822, KB4346877, KB4343887, KB4343884, KB4457131, KB4457127, KB4462917, KB4462928

Note Older update may also be affected.

↑ Back to the top

Cause

This can happen if the server has already been configured as a RODC. When the FSRM component is being installed or updated, it attempts to create new local security groups on that server. If the server is a domain controller, it attempts to create the group in the domain. This is not possible on RODC, because writing to the account database are not allowed. Additionally the Trusted Installer does not know how to find a writable domain controller during the feature installation.

↑ Back to the top

Resolution

To fix the issue, install the FSRM roles on a read-write domain controller (RWDC). The group will replicate to the RODCs. Alternatively, run the following command on a RWDC to create the Access-Denied Assistance Users group, and then try the installation again:

net localgroup "Access-Denied Assistance Users" /domain /add

↑ Back to the top

More Information

To confirm the scenario with logging on Windows Server 2016, gather %systemroot%\Logs\CBS\CBS.log. Sample logging below shows the failure to install the group of the advanced installer "Group Trustee Online Installer" to install the group "Access-Denied Assistance Users":

2018-09-26 22:15:25, Info CSI 000003d2 Begin executing advanced installer phase 31 index 936 (sequence 968)
Old component: [l:155 ml:156]Microsoft-Windows-FSRM-Service, Culture=neutral, Version=10.0.14393.1944, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS
New component: [l:155 ml:156]Microsoft-Windows-FSRM-Service, Culture=neutral, Version=10.0.14393.2515, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS
Install mode: delta
Smart installer: FALSE
Installer ID: {118ca598-79a0-4297-953d-e82183960fd2}
Installer name: Group Trustee Online Installer
2018-09-26 22:15:25, Info CSI 000003d3 Loading installer DLL from explicit path: C:\Windows\WinSxS\amd64_microsoft-windows-s..-installers-onecore_31bf3856ad364e35_10.0.14393.2272_none_6175530efffc72ea\grouptrusteeai.dll
2018-09-26 22:15:25, Info CSI 000003d4 Performing 1 operations as follows:
(0) LockComponentPath: flags: 0 comp: {l:16 b:9ee6eff30756d40160030000f8060c07} pathid: {l:16 b:9ee6eff30756d40161030000f8060c07} path: [l:110]\SystemRoot\WinSxS\amd64_microsoft-windows-fsrm-service_31bf3856ad364e35_10.0.14393.1944_none_163b6102218945b5pid: 6f8 starttime: 131824880970812628
2018-09-26 22:15:25, Info CSI 000003d5 Performing 1 operations as follows:
(0) LockComponentPath: flags: 0 comp: {l:16 b:9ee6eff30756d40162030000f8060c07} pathid: {l:16 b:9ee6eff30756d40163030000f8060c07} path: [l:110]\SystemRoot\WinSxS\amd64_microsoft-windows-fsrm-service_31bf3856ad364e35_10.0.14393.2515_none_16638af2216ba0b4pid: 6f8 starttime: 131824880970812628
2018-09-26 22:15:25, Info CSI 000003d6 QueueComponent called with Name: [l:30 ml:31]Access-Denied Assistance Users, Type: 4, Description: [l:185 ml:186]Members of this group are provided access-denied assistance when it is enabled on this server. By default, this group allows all authenticated users to receive access-denied assistance.

2018-09-26 22:15:25, Info CSI 000003d7 QueueComponent called with Name: [l:30 ml:31]Access-Denied Assistance Users, Type: 4, Description: [l:185 ml:186]Members of this group are provided access-denied assistance when it is enabled on this server. By default, this group allows all authenticated users to receive access-denied assistance.

2018-09-26 22:15:25, Info CSI 000003d8@2018/9/27:02:15:25.793CSI Advanced installer perf trace:
CSIPERF:AIDONE;{118ca598-79a0-4297-953d-e82183960fd2};Microsoft-Windows-FSRM-Service, version 10.0.14393.2515, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35};30480us
2018-09-26 22:15:25, Info CSI 000003d9 End executing advanced installer (sequence 968)
Completion status: S_OK

There is a second call into the advanced installer. That does the job of creating the account and that fails.

2018-09-26 22:15:34, Info CSI 000004a1 Begin executing advanced installer phase 31 index 0 (sequence 0)
Old component: [l:0]
New component: [l:0]
Install mode: delta
Smart installer: TRUE
Installer ID: {118ca598-79a0-4297-953d-e82183960fd2}
Installer name: Group Trustee Online Installer
2018-09-26 22:15:34, Error CSI 000004a2@2018/9/27:02:15:34.652(F) onecore\base\wcp\plugins\grouptrusteeai\grouptrusteeai.cpp(402): Error STATUS_NOT_SUPPORTED originated in function Windows::WCP::WCF::GroupTrusteeInstaller::AddTrustee expression: SamCreateAliasInDomain( domainHandle, &newTrustee->TrusteeName, 0x0010 | 0x0001 | 0x0002 | 0x0008, &trusteeHandle, &trusteeRid)
[gle=0x80004005]
2018-09-26 22:15:

↑ Back to the top

Article ID	:	2973343
Revision	:	11
Created on	:	11/5/2018
Published on	:	11/5/2018
Exists online	:	False
Views	:	1191

Microsoft KB Archive Search

FSRM role fails to install or update on an RODC that is running Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016

Symptoms

Issue 1

Issue 2

Cause

Resolution

More Information

Applies to: