GMSA issues when setting a service logon

Nolimit 0 Reputation points
2024-09-27T04:13:19.3266667+00:00

Hello all,

I have a parent domain and multiple subdomains.

In my parent domain, I have configured a GMSA account and allowed a machine that is going to use it to pull GMSA related info.

The problem I have is that when using the GMSA account, I see the following behavior.

  1. Service is automatic and set to GMSA logon. The machine takes a significant amount of time to apply the logon, and if we reboot the machine, the machine takes over an hour to start back up.
  2. Service is automatic delayed and set to GMSA logon. The service stays stuck in starting, and if rebooted, the machine starts up quickly but again the service will stay stuck in a starting state.
  3. If the service is set to automatic and set to use local system, the service starts instantly, and if rebooted, both the machine and service start up quickly.

We do not see this same behavior when creating a GMSA on subdomains, only when we try this on the parent of all subdomains. I’m unable to find any logs related to anything in the process.

We see this issue when setting SQL Server or third-party tools (GMSA compatible). Permissions over the necessary folders have been granted.

No clue what might be going on, any help appreciated. Is it a too many machines/subdomain issue? Does GMSA parse through all subdomains as part of some kind of verify step?

Thank you!


1 answer

  1. Jing Zhou 7,020 Reputation points Microsoft Vendor
    2024-10-04T08:10:15.6766667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    To further troubleshoot this issue, please kindly try the steps below:

    1. Check if the Microsoft Key Distribution Service is set to Automatic.

    REF: https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/service-using-gmsa-account-not-start

    2. Check if there are any differences in the configuration or policies between the parent domain and the subdomains.

    3. Check the event log and see if there are any related errors like event ID 7038.

    4. Ensure that the network and DNS configurations are correctly set up.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best regards,

    Jill Zhou

    If the Answer is helpful, please click "Accept Answer" and upvote it.
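
Steps 1, 3 and 4 of the answer above can be run as one PowerShell pass; this is an added example, not part of the original thread, and step 2 (policy differences between domains) is not scripted. It assumes the RSAT ActiveDirectory module, is run on the machine that uses the gMSA, and uses the placeholder names `parent.example` and `svc-gmsa`.

```powershell
# Added example: placeholder values, replace with your own.
$Domain = 'parent.example'   # hypothetical FQDN of the parent domain
$Gmsa   = 'svc-gmsa'         # hypothetical gMSA name (without the trailing $)

Import-Module ActiveDirectory

# Step 1: start mode and state of the Microsoft Key Distribution Service (KdsSvc) on each DC.
$kds = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    try {
        Get-CimInstance Win32_Service -ComputerName $dc.HostName -Filter "Name='KdsSvc'" -ErrorAction Stop |
            Select-Object @{n='DC';e={$dc.HostName}}, StartMode, State
    } catch {
        # An unreachable DC is itself a finding when logons are slow.
        [pscustomobject]@{ DC = $dc.HostName; StartMode = 'unreachable'; State = $_.Exception.Message }
    }
}
$kds | Format-Table -AutoSize

# Who may retrieve the managed password, and can this host actually use the account?
Get-ADServiceAccount -Identity $Gmsa -Server $Domain -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword | Format-List
"Test-ADServiceAccount: $(Test-ADServiceAccount -Identity $Gmsa)"

# Step 3: Service Control Manager logon failures (event ID 7038), System log, last 7 days.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7038; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Step 4: DC locator SRV records for the parent domain, with lookup time.
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$sw.Stop()
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight
"SRV lookup took $($sw.ElapsedMilliseconds) ms and returned $(@($srv).Count) record(s)"
```

A `False` from `Test-ADServiceAccount`, a DC reported as unreachable, or a slow or empty SRV lookup each narrow down which of the answer's checks is failing.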
