What Happened to My Managed Service Accounts Container?

    January 26, 2021

    Active Directory

    In Windows Server 2008 R2 Active Directory (AD), Microsoft introduced managed service accounts. If you create a new AD domain with Windows Server 2008 R2 or later, when you look in Active Directory Users and Computers (ADUC), you see a container named Managed Service Accounts, as shown in Figure 1.

    Figure 1

    Some people mistakenly call this an Organizational Unit (OU), but it is a container. The Domain Controllers OU is the only OU created when you create an AD domain. You can see the difference in the icon between the Domain Controllers OU and the other items in the domain.

    Enable Advanced Features in ADUC, as shown in Figure 2, by clicking View -> Advanced Features.

    Figure 2

    Right-click the Domain Controllers OU and click Properties, as shown in Figure 3.

    Figure 3

    Click the Attribute Editor tab, and scroll down to find the objectCategory and objectClass attributes, as shown in Figure 4.

    Figure 4

    Those two attributes show Domain Controllers as an OU.

    If you follow the same process for Managed Service Accounts, the two attributes show Managed Service Accounts as a container, as shown in Figure 5.

    Figure 5

    One other way to see the difference between a container and an OU is with the Group Policy Management Console (GPMC). As shown in Figure 6, if you open the GPMC and expand the domain, you only see OUs. There are no containers shown because you cannot directly link a Group Policy Object to a container.

    Figure 6

    Back in ADUC, if you right-click any of the other containers, for example, Computers or Users, you see no Delete option, as shown in Figures 7 and 8.

    Figure 7
    Figure 8

    There is a Delete option when you right-click the Managed Service Accounts container, as shown in Figure 9.

    Figure 9

    Because there IS a delete option, an admin can accidentally delete that container. The Managed Service Accounts container is not critical, which is probably why Microsoft allows for its deletion. If “someone” deletes the container, as shown in Figure 10, how do we get it back?

    Figure 10

    Recreating the Managed Service Accounts container is a simple process.

    1. Open ADSI Edit.

    2. Right-click the ADSI Edit node and click Connect to…, as shown in Figure 11.

    Figure 11

    3. In the Connection Settings dialog, leave Name set to Default naming context, choose Select a well known Naming Context and pick Default naming context, choose Default (Domain or server that you logged in to), and click OK, as shown in Figure 12.

    Figure 12

    4. Drill down to Default naming context -> DC=<DomainName>,DC=<TLD> -> CN=System -> CN=DomainUpdates -> CN=Operations, as shown in Figure 13.

    Figure 13

    5. In the middle pane, right-click the item with the Name CN=5e1574f6-55df-493e-a671-aaeffca6a100 and click Delete, as shown in Figure 14.

    Figure 14

    6. Click Yes to confirm the deletion, as shown in Figure 15.

    Figure 15

    7. In the left pane, click on CN=ActiveDirectoryUpdate, as shown in Figure 16.

    Figure 16

    8. Right-click CN=ActiveDirectoryUpdate and click Properties, as shown in Figure 17.

    Figure 17

    9. Scroll down and find the attribute named revision and click Edit, as shown in Figure 18.

    Figure 18

    10. Click Clear, as shown in Figure 19.

    Figure 19

    11. Click OK, as shown in Figure 20.

    Figure 20

    12. Close the dialog and exit ADSI Edit.

    13. Mount your Server OS ISO.

    14. Open an elevated command prompt.

    15. Change to the ADPrep folder, x:\support\adprep (where x: is the drive letter for the installation media) and run adprep /domainprep, as shown in Figure 21.

    Figure 21

    16. Refresh the ADUC console, and you see the Managed Service Accounts container, as shown in Figure 22.

    Figure 22
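    The same check and repair done from PowerShell instead of ADSI Edit, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module in an elevated, domain-joined session; the function names Test-MsaContainer and Reset-MsaDomainPrep are my own, and the operation GUID is the one named in step 5.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and an elevated, domain-joined session.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$msaDN    = "CN=Managed Service Accounts,$domainDN"
$opsDN    = "CN=Operations,CN=DomainUpdates,CN=System,$domainDN"
$updateDN = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN"
$opGuid   = '5e1574f6-55df-493e-a671-aaeffca6a100'   # operation marker from step 5

function Test-MsaContainer {
    # Returns $true only when the object exists AND is a container
    # (objectClass 'container'), as Figures 4 and 5 show in Attribute
    # Editor; an OU such as Domain Controllers reports 'organizationalUnit'.
    try {
        $obj = Get-ADObject -Identity $msaDN -Properties objectClass, objectCategory -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "Managed Service Accounts container is missing from $domainDN"
        return $false
    }
    Write-Host ("{0}`n  objectClass={1}`n  objectCategory={2}" -f $obj.DistinguishedName, $obj.ObjectClass, $obj.ObjectCategory)
    return ($obj.ObjectClass -eq 'container')
}

function Reset-MsaDomainPrep {
    # Mirrors steps 5 to 11: delete the operation marker and clear 'revision'
    # so that 'adprep /domainprep' (step 15) re-creates the container.
    # Both changes are under CN=System, so run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $marker = Get-ADObject -LDAPFilter "(cn=$opGuid)" -SearchBase $opsDN -SearchScope OneLevel
    if (-not $marker) {
        Write-Host "Operation marker $opGuid not found under $opsDN (already removed?)"
    } elseif ($PSCmdlet.ShouldProcess($marker.DistinguishedName, 'Remove operation marker')) {
        Remove-ADObject -Identity $marker.DistinguishedName -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($updateDN, "Clear attribute 'revision'")) {
        Set-ADObject -Identity $updateDN -Clear 'revision'
    }
    Write-Host "Next: run adprep /domainprep from x:\support\adprep on the installation media."
}

# Usage: report the current state first; only reset when the container is really gone.
if (-not (Test-MsaContainer)) {
    Reset-MsaDomainPrep -WhatIf
}
```

    Drop the -WhatIf once the preview shows the two intended changes, then continue with step 15.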

    Now you can get back to doing whatever it is you wanted to do with managed service accounts.

    Thanks

    Webster

    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.
