Installing MBAM on a Domain Controller is not supported

Symptoms

Consider the following scenario:
  • You have a system running Windows Server 2008 or Windows Server 2008 R2.
  • The server has the Active Directory Domain Services role installed.
  • When you run Microsoft BitLocker Administration and Monitoring (MBAM) setup, it fails to install.
  • You notice the following error logged in the MBAMSetup.log file:
Populating Groups

Locating group 'MBAM Report Users'
Adding 'S-1-5-21-1439336290-1767738825-2630487909-500' to group 'MBAM Report Users'
Locating group 'MBAM Recovery and Hardware DB Access'
Adding 'S-1-5-20' to group 'MBAM Recovery and Hardware DB Access'
Exception: A new member could not be added to a local group because the member has the wrong account type.

StackTrace:
at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p)
at Microsoft.Windows.Mdop.BitlockerManagement.SetupCAs.Groups.CreateGroupsDeferred(Session session)

InnerException:Exception: A new member could not be added to a local group because the member has the wrong account type.
InnerException:StackTrace:   
at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Add(String bstrNewItem)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
CustomAction MbamCreateGroupsDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Note: MBAM logs can be collected by running MBAM Setup with the following command from an elevated command prompt.

mbamsetup.exe /lvx c:\mbam.log

Cause

This is a known issue in the product.

Workaround

Do not install MBAM on a server that has the Active Directory Domain Services role installed.
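
A pre-flight check for the workaround above, as an added example that is not part of the original article or of MBAM: it stops with a warning when the server is a domain controller and, if a setup log already exists, reports the group-population failure shown under Symptoms. The function names are hypothetical, and the default log path is the one from the /lvx command on this page.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell prompt.
param(
    # Log path taken from the "/lvx c:\mbam.log" command on this page.
    [string]$SetupLog = 'C:\mbam.log'
)

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 0-1 workstation, 2-3 server,
    # 4 = backup domain controller, 5 = primary domain controller.
    # Assumption: "AD DS role installed" is treated as "promoted to a DC".
    # Get-WmiObject is used because Get-CimInstance needs PowerShell 3.0.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Find-MbamGroupFailure {
    param([string]$Path)
    # Strings copied from the MBAMSetup.log excerpt in the Symptoms section.
    $signatures = @(
        'the member has the wrong account type',
        'CustomAction MbamCreateGroupsDeferred returned actual error code 1603'
    )
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # -SimpleMatch treats the signatures as literal text, not as regex.
    return @(Select-String -Path $Path -Pattern $signatures -SimpleMatch)
}

# Report evidence of an earlier failed attempt, if a log is present.
$hits = @(Find-MbamGroupFailure -Path $SetupLog)
foreach ($hit in $hits) {
    Write-Output ("{0}:{1}: {2}" -f $hit.Path, $hit.LineNumber, $hit.Line.Trim())
}

if (Test-IsDomainController) {
    Write-Warning 'This server is a domain controller; MBAM setup is not supported here.'
    exit 1
}
Write-Output 'Not a domain controller; the AD DS restriction does not block MBAM setup.'
exit 0
```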

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 2712461 - Last reviewed: March 6, 2015 - Revision: 1