- Microsoft Key Distribution Service (KDS) start failure:
System error 1064 has occurred. An Exception occurred in the service when handling the control request.
- KDS root key generation failure:
The process cannot access the file because it is being used by another process. ( Exception from HRESULT: 0x80070020 )
The update changes the KDS service Domain Controller search behavior to look in the subtree below the "Domain Controllers" OU.
How to get this update
Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Method 1: Windows UpdateThis update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Download CenterThe update is available for download from the Microsoft Download Center:
Download the Windows Server 2012 R2 package now.
For more information about how to download Microsoft support files, select the following article number to view the article in the Microsoft Knowledge Base:
Update detail information
PrerequisitesTo apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed in Windows Server 2012 R2.
Registry informationTo apply this update, you don't have to make any changes to the registry.
Restart requirementYou may have to restart the computer after you apply this update.
Update replacement informationThis update doesn't replace a previously released update.
If you move DCs out of the Domain Controllers OU, the default setup of Group Policy is not applying to the Domain Controllers anymore, as most of the important settings are applied through the "Domain Controllers" OU. See the following TechNet article that warns about this problem:
Important: Do not move any domain controller accounts out of the default Domain Controllers OU, even if some administrators log on to them to run administrative tasks. Moving these accounts will disrupt the consistent application of domain controller policies to all domains and isn't supported.
Many facilities that search for Domain Controller computer accounts search the subtree of the "Domain Controllers" OU. So placing the computer accounts in subtree may work with a lot of the software solutions out there.
However, there may be some services and applications, including analysis tools, that only search the Domain Controllers OU for DCs (by examining the GUID_DOMAIN_CONTROLLERS_CONTAINER_W value and setting a search base of "one-level"). DCs in child OUs won't be found in this case.
It is up to the owner of the solution whether they see this as a valid issue to create an update to allow accounts to be located in child OUs of "Domain Controllers".