Adding new machines to MCS catalog fails when using a non-domain admin account
Article ID: CTX335812
Description
Citrix MCS administrators who create machine accounts with a narrowly scoped service account, rather than a domain administrator account, may find that adding machines to a catalog or creating a new catalog fails with the exception: "DesktopStudio_ErrorId : UnknownError, ErrorCategory : NotSpecified"
This problem is encountered when the service account used to add machine accounts is narrowly scoped and is not a domain admin.
If your problem is in scope for the issue described here, you will find in the Directory Services log on the Active Directory server an ActiveDirectory_DomainService event ID 3044 that reads: "The directory service denied an LDAP add request for the following object. The request was denied because the client did not have permission to write one or more attributes included in the add request, based on the default merged security descriptor."

Environment
Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.
Resolution
This issue began appearing in mid-November 2021 in environments where the following Microsoft patches have been installed on Domain Controllers:
Windows 2019 -- KB5008602 (November)
Windows 2012 -- KB5008603 (November)
Windows 2016 -- KB5008601 (November)
These Microsoft updates introduce a new security feature that addresses a security vulnerability in Microsoft Directory Services.
There are several ways to address the issue while continuing to use a narrowly scoped, non-admin service account to create machine accounts for MCS:
- Create a service account with the permissions described in Citrix Knowledgebase article CTX318084: https://support.citrix.com/article/CTX318084. We suggest creating a new account rather than modifying any existing account already in use.
- Follow the steps in this Microsoft article to configure the dSHeuristics attribute with No Audit AND No Enforce: https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 In Citrix internal testing, Audit mode alone also unexpectedly causes the failure; it is unclear why at present.
- Remove the Microsoft patches.
The option that creates the least risk with regard to the Directory Services vulnerability is option #1.
Citrix has also tested that option #1 works when the dSHeuristics is configured to ENFORCE, as it will be in April when Microsoft releases this patch again.
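The following read-only triage script is an added example and is not part of the Citrix article. It assumes it is run on a Domain Controller with the ActiveDirectory PowerShell module available, and it checks the three facts the article ties together: whether one of the listed November 2021 KBs is installed, the current dSHeuristics value (the audit/enforce switch for CVE-2021-42291 lives in this attribute; KB5008383 defines the exact character position and values), and whether event ID 3044 has been logged.

```powershell
# Added triage script (not from the Citrix article). Run on a Domain Controller
# with the ActiveDirectory module installed. Read-only: it changes nothing.
Import-Module ActiveDirectory

# 1. Is one of the November 2021 DC updates named in the article installed?
#    Only the KB matching this DC's OS version will be present.
$kbs = 'KB5008602', 'KB5008603', 'KB5008601'   # Windows 2019, 2012, 2016
$installed = Get-HotFix -Id $kbs -ErrorAction SilentlyContinue
if ($installed) {
    $installed | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Host 'None of the listed KBs found; a later cumulative update may have superseded them.'
}

# 2. Current dSHeuristics value on the Directory Service object in the
#    configuration partition. Compare the character position documented in
#    KB5008383 against the Audit / No Audit / Enforce setting you expect.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$ds       = Get-ADObject -Identity $dsPath -Properties dSHeuristics
if ($ds.dSHeuristics) {
    Write-Host "dSHeuristics = '$($ds.dSHeuristics)' (length $($ds.dSHeuristics.Length))"
} else {
    Write-Host 'dSHeuristics is not set (defaults apply).'
}

# 3. Recent event 3044 entries in the Directory Service log. These are the
#    LDAP add denials that surface in Studio as the UnknownError exception.
$events = Get-WinEvent -LogName 'Directory Service' `
    -FilterXPath '*[System[EventID=3044]]' -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No event 3044 found; the MCS failure is probably not this issue.'
} else {
    foreach ($e in $events) {
        Write-Host ('--- {0} ---' -f $e.TimeCreated)
        Write-Host $e.Message   # names the object and the attributes that were denied
    }
}
```

If event 3044 is present and the denied object is the new machine account, option #1 (the CTX318084 permission set) resolves it without relaxing the Directory Services protection.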
Problem Cause
A new security feature introduced by Microsoft to address the Directory Services security issue described in CVE-2021-42291.
Issue/Introduction
More information about this update, Microsoft's new security feature, the directory services vulnerability and how to manage it can be found here: https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1