Symptoms
- Microsoft Key Distribution Service (KDS) start failure:
  System error 1064 has occurred. An Exception occurred in the service when handling the control request.
- KDS root key generation failure:
  The process cannot access the file because it is being used by another process. ( Exception from HRESULT: 0x80070020 )
Resolution
The update changes the KDS service Domain Controller search behavior to look in the subtree below the "Domain Controllers" OU.
How to get this update
Important: If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Method 1: Windows Update
This update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Download Center
The update is available for download from the Microsoft Download Center:
Download the Windows Server 2012 R2 package now.
For more information about how to download Microsoft support files, select the following article number to view the article in the Microsoft Knowledge Base:
Update detail information
Prerequisites
To apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed in Windows Server 2012 R2.
Registry information
To apply this update, you don't have to make any changes to the registry.
Restart requirement
You may have to restart the computer after you apply this update.
Update replacement information
This update doesn't replace a previously released update.
More information
If you move DCs out of the Domain Controllers OU, the default Group Policy setup no longer applies to them, because most of the important settings are applied through the "Domain Controllers" OU. The following TechNet article warns about this problem:
Important: Do not move any domain controller accounts out of the default Domain Controllers OU, even if some administrators log on to them to run administrative tasks. Moving these accounts will disrupt the consistent application of domain controller policies to all domains and isn't supported.
Many facilities that search for Domain Controller computer accounts search the subtree of the "Domain Controllers" OU. So placing the computer accounts in the subtree may work with many software solutions.
However, there may be some services and applications, including analysis tools, that only search the Domain Controllers OU for DCs (by examining the GUID_DOMAIN_CONTROLLERS_CONTAINER_W value and setting a search base of "one-level"). DCs in child OUs won't be found in this case.
It is up to the owner of each such solution to decide whether this is a valid issue that warrants an update allowing accounts to be located in child OUs of "Domain Controllers".
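The difference between the two search scopes can be checked per account. The following PowerShell is an added example, not code from Microsoft or from this update: it classifies DC computer accounts by whether a one-level search of the "Domain Controllers" OU would find them, only a subtree search would, or neither. The function names `Get-ParentDn` and `Get-DcPlacement` are hypothetical, and the sample DNs use a constructed placeholder domain.

```powershell
# Added example. All DNs below are constructed; contoso.example is a placeholder domain.

function Get-ParentDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split once, on the first comma that is not escaped with a backslash,
    # so an RDN such as "OU=Site\, East" stays in one piece.
    $parts = ([regex]'(?<!\\),').Split($DistinguishedName, 2)
    if ($parts.Count -lt 2) { return '' }
    return $parts[1]
}

function Get-DcPlacement {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$DcContainerDn
    )
    $parent = Get-ParentDn -DistinguishedName $DistinguishedName
    if ($parent -ieq $DcContainerDn) {
        # Direct child of the OU: found by one-level and by subtree searches.
        return 'OneLevel'
    }
    if ($parent.EndsWith(",$DcContainerDn", [System.StringComparison]::OrdinalIgnoreCase)) {
        # In a child OU: found by a subtree search, missed by a one-level search.
        return 'SubtreeOnly'
    }
    # Not under the Domain Controllers OU at all: missed by both scopes.
    return 'OutsideContainer'
}

# Constructed sample input.
$dcContainer = 'OU=Domain Controllers,DC=contoso,DC=example'
$dcAccounts  = @(
    'CN=DC01,OU=Domain Controllers,DC=contoso,DC=example',
    'CN=DC02,OU=Site\, East,OU=Domain Controllers,DC=contoso,DC=example',
    'CN=DC03,OU=Servers,DC=contoso,DC=example'
)

# Live input instead of the sample (requires the ActiveDirectory module):
#   $dcContainer = (Get-ADDomain).DomainControllersContainer
#   $dcAccounts  = (Get-ADComputer -LDAPFilter '(|(primaryGroupID=516)(primaryGroupID=521))').DistinguishedName

$dcAccounts | ForEach-Object {
    [pscustomobject]@{
        DistinguishedName = $_
        Placement         = Get-DcPlacement -DistinguishedName $_ -DcContainerDn $dcContainer
    }
} | Format-Table -AutoSize
```

Accounts reported as `SubtreeOnly` are the ones that tools limited to a one-level search will miss.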