Microsoft’s October 9th, 2018 Security update KB4462917, raising Windows Server 2016 to build 14393.2551, features a security update for the JET Database engine. However, this update appears to cause an issue with Windows Server installations intended to become Active Directory Domain Controllers.
One of my team members at SCCT experienced this issue at a customer and we decided to investigate a bit more. We were able to reproduce the issue and decided to share our experiences, below.
The situation
You have an Active Directory Domain Services (AD DS) environment, with the Active Directory Recycle Bin optional feature turned on.
You want to implement a new Windows Server 2016-based Domain Controller in this environment for a new Active Directory domain, using the Add a new domain to an existing forest option in the Active Directory Domain Services Configuration Wizard or the Install-ADDSDomain PowerShell Cmdlet.
Note:
It does not matter if you use the Active Directory Domain Services Configuration Wizard or the Install-ADDSDomain PowerShell Cmdlet for promotion.
Note:
It does not matter if you try to create a new child domain or a new tree domain.
The intended Domain Controller is fully patched.
The issue
In this situation, creation of the new domain (child or tree) fails.
Active Directory Domain Services Configuration Wizard
When you use the Active Directory Domain Services Configuration Wizard, it offers the following information:
An error occurred while trying to configure this machine as a Domain Controller
The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName.
"The replication operation encountered a database error."
PowerShell
When you use the Install-ADDSDomain PowerShell cmdlet, you receive the following error:
Install-ADDSDomain : The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName. "The replication operation encountered a database error."
DCPromo Log
In dcpromo.log on the failed Domain Controller you find the following lines, indicating the error:
[INFO] DsRolepInstallDs returned 1356
Event Viewer
In Event Viewer (eventvwr.exe) on the failed Domain Controller, you find an event log entry with source ActiveDirectory_DomainService Replication with Event ID 2140, task Replication and type Error:
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest. The Active Directory Domain Services is currently enabling or disabling one or more optional features. Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed. The Active Directory Domain Services will temporarily discontinue this replication request. The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
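The two symptoms above (the return code in dcpromo.log and Event ID 2140 naming the Recycle Bin feature) can be checked together on the failed server. The script below is an added example and not part of the original post; it uses only built-in cmdlets, the standard dcpromo.log location under %SystemRoot%\debug, and the Directory Service event log that the ActiveDirectory_DomainService source writes to. The feature GUID is the one quoted in the event text above.

```powershell
# Added example, not part of the original post: confirm the failure signature
# described above on the server whose promotion failed.

$recycleBinFeatureGuid = '766ddcd8-acd0-445e-f3b9-a7f9b6744f2a'   # GUID quoted in the 2140 event
$dcpromoLog = Join-Path $env:SystemRoot 'debug\dcpromo.log'

# 1. dcpromo.log: the DsRolepInstallDs return code 1356 quoted in the post.
$logHits = @()
if (Test-Path $dcpromoLog) {
    $logHits = @(Select-String -Path $dcpromoLog -Pattern 'DsRolepInstallDs returned 1356')
}

# 2. Directory Service log: Event ID 2140. Get-WinEvent raises an error when
#    nothing matches, so suppress it and treat the result as an empty set.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2140 } -MaxEvents 50 -ErrorAction SilentlyContinue)

# Keep only the 2140 events whose body names the Recycle Bin feature, as in the post.
$rbEvents = @($events | Where-Object { $_.Message -match $recycleBinFeatureGuid })
$lastRbEvent = $null
if ($rbEvents.Count -gt 0) { $lastRbEvent = $rbEvents[0].TimeCreated }

[pscustomobject]@{
    DcpromoReturned1356  = ($logHits.Count -gt 0)
    Event2140Count       = $events.Count
    Event2140RecycleBin  = $rbEvents.Count
    LastRecycleBinEvent  = $lastRbEvent
    MatchesPostSignature = ($logHits.Count -gt 0 -and $rbEvents.Count -gt 0)
}
```

Run it elevated on the server that failed promotion; when MatchesPostSignature is True, the failure matches the combination described in this post and the cause and workaround below apply.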
The cause
This issue is caused by the Active Directory Recycle Bin optional feature being enabled.
If the Active Directory Recycle Bin optional feature is not enabled yet, the Active Directory Domain Services Configuration Wizard and Install-ADDSDomain are successful, as you’d expect.
The solution
After uninstalling Microsoft’s October 9th, 2018 Security update KB4462917 on Windows Server 2016, the Windows Server installation is able to successfully promote to an Active Directory Domain Controller.
After promotion, the update can be safely reinstalled.
We have reason to believe the issue also exists with:
- KB4464330 for Windows Server 2019
- KB4462926 and KB4462941 for Windows Server 2012 R2
- KB4462929 and KB4462931 for Windows Server 2012
- KB4462923 and KB4462915 for Windows Server 2008 R2
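The workaround (uninstall the update, promote, reinstall) is easy to get wrong across several OS versions, so a pre-flight check helps. The script below is an added example and not part of the original post. It assumes it is run elevated on the server about to be promoted, that the ActiveDirectory PowerShell module is present (it ships with the AD DS role), and that $SourceDC is a reachable Domain Controller in the forest you are joining; the update-to-OS mapping is the list from this post, where only KB4462917 on Windows Server 2016 was reproduced and the rest are suspected.

```powershell
# Added example, not part of the original post: pre-flight check for the
# workaround described above. Without -Remove it only reports.
param(
    [Parameter(Mandatory = $true)] [string] $SourceDC,
    [switch] $Remove
)

# Updates named in the post, keyed by the version prefix reported by
# Win32_OperatingSystem (more reliable than [Environment]::OSVersion on 2012 R2).
$suspectUpdates = @{
    '10.0.17763' = @('KB4464330')               # Windows Server 2019 (suspected)
    '10.0.14393' = @('KB4462917')               # Windows Server 2016 (reproduced)
    '6.3.'       = @('KB4462926', 'KB4462941')  # Windows Server 2012 R2 (suspected)
    '6.2.'       = @('KB4462929', 'KB4462931')  # Windows Server 2012 (suspected)
    '6.1.'       = @('KB4462923', 'KB4462915')  # Windows Server 2008 R2 (suspected)
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$candidates = @()
foreach ($prefix in $suspectUpdates.Keys) {
    if ($os.Version.StartsWith($prefix)) { $candidates += $suspectUpdates[$prefix] }
}

# Which of the listed updates are actually installed on this server?
$installed = @(Get-HotFix | Where-Object { $candidates -contains $_.HotFixID })

# Is the Recycle Bin enabled in the target forest? EnabledScopes is non-empty
# once the optional feature has been turned on.
Import-Module ActiveDirectory
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $SourceDC
$rbEnabled  = ($recycleBin.EnabledScopes.Count -gt 0)

[pscustomobject]@{
    OSVersion         = $os.Version
    RecycleBinEnabled = $rbEnabled
    SuspectInstalled  = (($installed | Select-Object -ExpandProperty HotFixID) -join ', ')
    PromotionAtRisk   = ($rbEnabled -and $installed.Count -gt 0)
}

if ($Remove -and $rbEnabled -and $installed.Count -gt 0) {
    foreach ($hotfix in $installed) {
        $kbNumber = $hotfix.HotFixID -replace '^KB', ''
        Write-Host "Uninstalling $($hotfix.HotFixID); reinstall it after promotion."
        Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait
    }
    Write-Host 'Reboot, run Install-ADDSDomain, then reinstall the update.'
}
```

Save it as a script and run it as, for example, `.\Preflight-Promotion.ps1 -SourceDC dc01.domain.tld` (a constructed name). PromotionAtRisk is True only when both conditions from this post hold: the Recycle Bin is enabled in the forest and one of the listed updates is installed locally. Adding -Remove performs the uninstall with wusa.exe; after promotion, reinstall the update through Windows Update or the downloaded .msu, as the post recommends.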
Hat Tip
Thanks for bringing this issue to my attention, Max Gaulhofer.
Thanks for identifying the initial workaround, Frank Zegers.
Thank you for being so thorough in your investigation!
Thanks for this write-up. Seems to be exactly what I needed.
I'm promoting a Server 2019 (child domain to an existing forest) to a DC in a Server 2008 R2 Domain/Forest levels. I don't have those updates installed on the 2 DCs in the root domain of the forest and the 2019 Server doesn't have the update either.
This couldn't resolve the issue. Is there anything else related to this possibly, besides the obvious that there are some replication issues between the sites.
The updates also affect AD replication between Domain Controllers.
Great help. Many thanks.