In a previous post I covered the basics of managed service accounts (MSAs) in Windows Server 2008 R2. Today, I will discuss  a bug that can prevent MSAs from being created in domains that include Read-Only Domain Controllers (RODCs) on screened subnets.

Both the Read-Only Domain Controller (RODC) and the Managed Service Account (MSA) are, for my money, delightful advancements in the Windows Server platform. We will recall that the RODC allows Windows administrators to deploy Active Directory domain controllers to unmanaged or lightly managed branch offices in a more secure fashion. The idea is that because the domain controller directory database is not writeable, a malicious user would thereby be prevented from making unauthorized changes to it.

The managed service account is great because it solves the (seemingly) age-old conundrum of how we can integrate domain password policy with dedicated service accounts for our applications and services.

We use Windows PowerShell 2.0 to administer managed service accounts.

As nice as the RODC and MSA are, some of you may have faced the problem of not being able to create or remove MSAs in situations where you have RODCs deployed on screened subnets (also called demilitarized zones or DMZs).

This is not as “one off” of a situation as you might think. Many organizations use RODCs for branch office networks in which the RODC is that branch’s sole link to a domain controller.

The following diagram shows a representative problem situation:

Managed Service Accounts and Read-Only Domain Controllers

The source of the problem is that, with the release to manufacturing (RTM) versions of Windows Server 2008 R2 and Windows 7, managed service accounts work only with standard, read/write Active Directory Domain Services domain controllers. Can you say, “Whoops?!”

The solution ^

The great news I have to share with you is that Microsoft recognized and resolved this problem. To address it, you can go one of two ways: apply a hotfix, or install the Windows Server 2008 R2 Service Pack 1 (SP1) package:

The solution is confirmed in the Microsoft Directory Services Team blog:

Recall that a hotfix is a piece of software that was developed to address a single code defect. On the other hand, a service pack is a much more intrusive installation because the service pack contains a “rollup” of all hotfixes released since the last service pack in addition to brand-new features and feature enhancements.

Conclusion ^

While Microsoft’s solution to the RODC/MSA problem is not exactly brand-new news, I hope nonetheless that some Windows systems administrators who have been affected by this issue now can take comfort in this fix. Please feel free to leave any comments concerning this situation in the comments portion of this post. Thanks a lot for reading!

For further study ^


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account