Install-ADServiceAccount fail with unspecified error creating gMSA

Marco Mangiante 21 Reputation points
2022-12-06T18:20:08.753+00:00

Hello,

I tried the script inside how-to-prerequisites to create a gMSA to test Azure AD Connect cloud sync; the script is this:

$Name = 'aadsyncgMSA'
$Description = "Azure AD Cloud Sync service account for LAB-DC1 server"
#$Server = "LAB-DC1.marcosoft.local"
$Server = "aadsyncgMSA.marcosoft.local"
$Principal = Get-ADGroup 'Domain Computers'

# Create service account in Active Directory
New-ADServiceAccount -Name $Name `
-Description $Description `
-DNSHostName $Server `
-ManagedPasswordIntervalInDays 30 `
-PrincipalsAllowedToRetrieveManagedPassword $Principal `
-Enabled $True `
-PassThru

When I try the command Install-ADServiceAccount -Identity $Name I obtain the error "Cannot install service account. Error Message: 'An unspecified error has occurred'"; I found that some people use Set-ADServiceAccount -Identity $Name -PrincipalsAllowedToRetrieveManagedPassword $Principal, but when I use the cmdlet to test, Test-ADServiceAccount -Identity aadsyncgMSA | Format-List, what I obtain is "WARNING: Test failed for Managed Service Account aadsyncgMSA. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information."; I also found in the event viewer, in the Security-Netlogon section, that when I give the install command there are 2 errors:

ID 9000: Netlogon failed to retrieve the password for account aadsyncgMSA in domain NULL. Object Name not found.
ID 9002: Netlogon failed to add aadsyncgMSA as a managed service account to this local machine. {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

Any idea to try to solve this issue?


2 answers

  1. Kenneth Henseler 21 Reputation points
    2022-12-15T01:29:51.413+00:00

    Sounds like the server(s) where you're trying to install the gMSA, Domain Computers = ALL Computers (workstations and servers) joined to domain, have not yet been restarted or had their Kerberos tickets purged so they're aware of being a member of the...

    I have two recommendations:

    1. Don't use "Domain Computers" as your $Principal. You should create a new Global Security Group for this purpose, adding the relevant Computer objects that need to use the gMSA as members to the group.
    2. Once the computer is added to the group, either restart the computer or use the following command to purge existing Kerberos tickets: klist purge -li 0x3e7

    After restart or klist purge, try re-running your Install-ADServiceAccount cmdlet. Should work this time!

    4 people found this answer helpful.

  2. Gianfranco Cisneros Barreiro 0 Reputation points
    2025-02-27T04:02:33.4733333+00:00

    Hello,

    I just run into this issue but if anyone is experiencing the same the fix is:

    • Set-ADServiceAccount -Identity [ServiceAccountName] -KerberosEncryptionType AES256

    Cheers!

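The two answers above, applied together as one script. This is an added example and not the original poster's script or either answerer's code: it creates a dedicated global security group (first answer, recommendation 1), adds the target computer to it, points the gMSA at that group and sets the AES256 Kerberos encryption type (second answer), purges the computer's Kerberos tickets (first answer, recommendation 2), then installs and tests the account. Assumptions: the gMSA name 'aadsyncgMSA' is taken from the question, the group name 'gMSA-aadsync-Hosts' is invented here, and the script runs in an elevated PowerShell session on the server that needs the account.

```powershell
# Added example, not code from the question or the answers.
# Assumed names: gMSA 'aadsyncgMSA' (from the question), group 'gMSA-aadsync-Hosts' (invented).
# Run elevated on the server that will use the gMSA, with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$gmsaName  = 'aadsyncgMSA'          # from the question
$groupName = 'gMSA-aadsync-Hosts'   # assumed name for the dedicated group
$hostName  = $env:COMPUTERNAME      # the computer that must retrieve the managed password

# 1. Dedicated global security group instead of "Domain Computers" (first answer):
#    only the hosts in this group can read the gMSA password, which is least privilege.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $gmsaName managed password" -PassThru
}

# 2. Add only the computer object(s) that actually run the service.
$computer = Get-ADComputer -Identity $hostName
$alreadyMember = Get-ADGroupMember -Identity $group | Where-Object { $_.SID -eq $computer.SID }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. Point the gMSA at the group and require AES256 (second answer).
Set-ADServiceAccount -Identity $gmsaName `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES256

# 4. The computer's existing Kerberos tickets (SYSTEM logon session 0x3e7) still carry
#    the old group membership; purge them so the new membership applies without a reboot.
klist purge -li 0x3e7 | Out-Null

# 5. Show what the directory now holds for the account, then install and test it.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType

Install-ADServiceAccount -Identity $gmsaName
if (Test-ADServiceAccount -Identity $gmsaName) {
    Write-Host "$gmsaName is installed and usable on $hostName"
} else {
    # Same failure mode as in the question: check the Security-Netlogon operational log
    # for events 9000 / 9002 (password retrieval denied, account not added to the machine).
    Write-Warning "Test-ADServiceAccount still fails for $gmsaName on $hostName; check the Security-Netlogon operational log."
}
```

The ticket purge matters because a computer's group membership is evaluated when its Kerberos ticket is issued, so the host keeps failing with the Netlogon 9000/9002 errors from the question until either a reboot or the purge forces a fresh ticket that includes the new group.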
