Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

KDS doesn't start or KDS root key isn't created in Windows Server 2012 R2


This article describes some issues that occur when you use the group Managed Service Accounts (gMSAs) feature on Windows Server 2012 R2-based domain controllers. You can fix these issues by using the update in this article. Before you install this update, see the Prerequisites section.


Symptoms

If the domain controller account isn't located in the root of the Domain Controllers organizational unit (OU), you may encounter one of the following issues and receive the corresponding error messages:
  • Microsoft Key Distribution Service (KDS) start failure:

    System error 1064 has occurred. An Exception occurred in the service when handling the control request.
  • KDS root key generation failure:

    The process cannot access the file because it is being used by another process. ( Exception from HRESULT: 0x80070020 )


Cause

This issue occurs because KDS assumes that the domain controller accounts are in the root of the Domain Controllers OU instead of in a child OU of the Domain Controllers OU.


Resolution

The update changes the KDS service Domain Controller search behavior to look in the subtree below the "Domain Controllers" OU.

How to get this update

Important: If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The update is available for download from the Microsoft Download Center:

Download the Windows Server 2012 R2 package now.

For more information about how to download Microsoft support files, select the following article number to view the article in the Microsoft Knowledge Base:
119591 How to get Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed in Windows Server 2012 R2.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update doesn't replace a previously released update.


More information

If you move DCs out of the Domain Controllers OU, the default Group Policy setup no longer applies to those domain controllers, because most of the important settings are applied through the "Domain Controllers" OU. See the following TechNet article that warns about this problem:

Important: Do not move any domain controller accounts out of the default Domain Controllers OU, even if some administrators log on to them to run administrative tasks. Moving these accounts will disrupt the consistent application of domain controller policies to all domains and isn't supported.

Many facilities that search for Domain Controller computer accounts search the subtree of the "Domain Controllers" OU. So placing the computer accounts in a child OU within that subtree may work with many software solutions.

However, there may be some services and applications, including analysis tools, that only search the Domain Controllers OU for DCs (by examining the GUID_DOMAIN_CONTROLLERS_CONTAINER_W value and setting a search base of "one-level"). DCs in child OUs won't be found in this case.

It is up to the owner of each solution to decide whether this is a valid issue that warrants an update to allow accounts to be located in child OUs of "Domain Controllers".
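The difference between the one-level and subtree search scopes described above can be checked directly. The following PowerShell is an added example, not code from the KB article or from Microsoft; it assumes the ActiveDirectory module (RSAT) is available, and the function name Get-DcAccountPlacement is hypothetical.

```powershell
# Added example (not from the KB article): classify every DC computer account
# by where it sits relative to the Domain Controllers OU.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-DcAccountPlacement {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Well-known Domain Controllers container of the current domain.
        [string]$DcContainer = (Get-ADDomain).DomainControllersContainer
    )

    # SERVER_TRUST_ACCOUNT (0x2000 = 8192) is set on DC computer accounts.
    $dcFilter = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'

    # Scope used by software that looks only at the OU itself.
    $oneLevel = @(Get-ADComputer -LDAPFilter $dcFilter -SearchBase $DcContainer -SearchScope OneLevel)
    # Scope used by software that searches the whole subtree.
    $subtree = @(Get-ADComputer -LDAPFilter $dcFilter -SearchBase $DcContainer -SearchScope Subtree)
    # Every DC account in the domain, wherever it was moved.
    $all = @(Get-ADComputer -LDAPFilter $dcFilter)

    $oneLevelDns = @($oneLevel | ForEach-Object { $_.DistinguishedName })
    $subtreeDns  = @($subtree  | ForEach-Object { $_.DistinguishedName })

    foreach ($dc in $all) {
        if ($oneLevelDns -contains $dc.DistinguishedName) {
            $placement = 'Root of Domain Controllers OU'
        } elseif ($subtreeDns -contains $dc.DistinguishedName) {
            $placement = 'Child OU: missed by one-level searches'
        } else {
            $placement = 'Outside Domain Controllers OU'
        }
        [pscustomobject]@{
            Name              = $dc.Name
            DistinguishedName = $dc.DistinguishedName
            Placement         = $placement
        }
    }
}

# List only the accounts that a one-level search would not find.
Get-DcAccountPlacement |
    Where-Object { $_.Placement -ne 'Root of Domain Controllers OU' } |
    Format-Table -AutoSize
```

An empty result means every DC account sits in the root of the Domain Controllers OU, which is the placement the quoted TechNet guidance expects.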


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


References

See reference for well-known AD objects:


File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.
Windows Server 2012 R2
Notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version | Product | Milestone | Service branch
    6.3.9600.18xxx | Windows Server 2012 R2 | RTM | GDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes aren't listed, are signed with a Microsoft digital signature.
x64 Windows Server 2012 R2
File name | File version | File size | Date | Time | Platform
Kdscli.dll | 6.3.9600.18053 | 82,944 | 11-Sep-2015 | 14:08 | x64

Additional file information
x64 Windows Server 2012 R2
File property | Value
File name | Amd64_bcd58f5a9114accbfd8871471f79bd21_31bf3856ad364e35_6.3.9600.18053_none_739bd7e5101ad639.manifest
File version | Not applicable
File size | 702
Date (UTC) | 11-Sep-2015
Time (UTC) | 21:52
Platform | Not applicable

File name | Amd64_microsoft-windows-kdscli-dll_31bf3856ad364e35_6.3.9600.18053_none_2fb7a8310504274c.manifest
File version | Not applicable
File size | 2,614
Date (UTC) | 11-Sep-2015
Time (UTC) | 15:44
Platform | Not applicable

File name | Update.mum
File version | Not applicable
File size | 1,581
Date (UTC) | 11-Sep-2015
Time (UTC) | 21:52
Platform | Not applicable


Article Info
Article ID : 3094486
Revision : 11
Created on : 4/9/2020
Published on : 4/9/2020
Exists online : False