FSRM role fails to install or update on an RODC that is running Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016

Applies to: Windows Server 2016Windows Server 2012 DatacenterWindows Server 2012 R2 Datacenter More

Symptoms


Issue 1

Attempting to install the File Server Resource Manager (FSRM) feature from the File and Storage Services role on Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016 rolls back after restart without any warning or error displayed.

The command to install FSRM reature is as follows:

dism /online /enable-feature /featurename:FSRM-infrastructure /alldism /online /enable-feature /featurename:FSRM-Management /all

Issue 2

Assume that you enable the roles on the server, and then you change the server to a Read Only Domain Controller (RODC). When you try to install a Windows Server 2016 cumulative update on the server, the update installation is rolled back and you receive this event:

Known affected updates as of October 2018 is listed as follows:

KB4088787, KB4088889, KB4096309, KB4093120, KB4093119, KB4103723, KB4103720, KB4284880, KB4284833, KB4338814, KB4345418, KB4338822, KB4346877, KB4343887, KB4343884, KB4457131, KB4457127, KB4462917, KB4462928

Note Older update may also be affected. 

Cause


This can happen if the server has already been configured as a RODC. When the FSRM component is being installed or updated, it attempts to create new local security groups on that server. If the server is a domain controller, it attempts to create the group in the domain. This is not possible on RODC, because writing to the account database are not allowed. Additionally the Trusted Installer does not know how to find a writable domain controller during the feature installation.

Resolution


To fix the issue, install the FSRM roles on a read-write domain controller (RWDC). The group will replicate to the RODCs. Alternatively, run the following command on a RWDC to create the Access-Denied Assistance Users group, and then try the installation again:
net localgroup "Access-Denied Assistance Users" /domain /add

More Information


To confirm the scenario with logging on Windows Server 2016, gather %systemroot%\Logs\CBS\CBS.log. Sample logging below shows the failure to install the group of the advanced installer "Group Trustee Online Installer" to install the group  "Access-Denied Assistance Users":