Defender for Identity - gMSA account

karthik palani 1,036 Reputation points
2023-01-22T10:54:57.61+00:00

Hi All,

While creating a gMSA account for Defender for Identity, I am getting failure messages as below, having followed the exact information mentioned in

https://learn.microsoft.com/en-us/defender-for-identity/directory-service-accounts#create-a-gmsa-account

[Screenshot: MDI.jpg (error message, not reproduced)]

Even though I did a KDS root key refresh (Add-KdsRootKey -EffectiveImmediately), should I wait for some time, since I am getting FALSE for the identity test below?

Test-ADServiceAccount -Identity 'mdiSvc01'

Please suggest


3 answers

  1. Limitless Technology 44,541 Reputation points
    2023-01-23T16:25:08.89+00:00

    Hello Karthik palani,

    I would recommend you take a look at the official KDS article; for instance:

    Extract:

    Domain Controllers (DC) require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 days from time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA. Waiting up to 10 days is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. Trying to use a gMSA too soon might fail when the gMSA host attempts to retrieve the password, as the key may not have been replicated to all domain controllers. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there's a replication issue.

    And

    Deleting and recreating the root key may lead to issues where the old key continues to be used after deletion due to caching of the key. The Key Distribution Service (KDC) should be restarted on all domain controllers if the root key is recreated.

    Reference: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. Givary-MSFT 35,216 Reputation points Microsoft Employee
    2023-01-27T08:38:56.48+00:00

    @karthik palani Thank you for reaching out to us. As I understand it, you are trying to configure a gMSA account for Defender for Identity; the steps mentioned in this article https://learn.microsoft.com/en-us/defender-for-identity/directory-service-accounts#create-a-gmsa-account:~:text=purge%20%2Dli%200x3e7-,Create%20a%20gMSA%20account,-In%20the%20following are correct. In addition to that, I would suggest running these commands to verify whether the KDS root key is configured correctly or not.

    The command below lets us create a KDS root key without the normal 10-hour wait:

    $a = Get-Date

    $b = $a.AddHours(-10)

    Add-KdsRootKey -EffectiveTime $b

    Check to see if the KDS root key is present:

    Get-KdsRootKey

    The next step would be to create the gMSA account.

    Check the password principals by using this command: Get-ADServiceAccount <serviceaccountname> -Properties PrincipalsAllowedToRetrieveManagedPassword

    Let me know if these steps don't help; we can connect offline to troubleshoot further.

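The two answers above point at the same three failure points for a gMSA that tests FALSE: a KDS root key that exists but is not yet effective on the domain controllers (the replication safety window the first answer quotes), a gMSA with no or the wrong PrincipalsAllowedToRetrieveManagedPassword, and a host whose Kerberos ticket does not yet carry the group membership that grants it password retrieval. The script below is an added example, not code from the thread or from Microsoft, that walks those checks in order on the host that will use the account. It assumes the ActiveDirectory RSAT module, rights to read the KDS root key, and that it runs on the domain controller where the Defender for Identity sensor will be installed; 'mdiSvc01' is the account name from the question, and the function name Test-GmsaReadiness is invented here. The "backdated" key from the third answer bypasses the window that lets all DCs converge, so it is only appropriate in a lab or a single-DC domain; in production, the right fix is to wait until EffectiveTime has passed.

```powershell
# Added example (not from the original thread): gMSA readiness check for the
# Defender for Identity scenario above. Assumes the ActiveDirectory RSAT module
# and that it runs on the DC that will use the account. Function name and all
# messages are this example's own.
function Test-GmsaReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [switch] $Install            # also run Install-ADServiceAccount on this host
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. KDS root key. A key whose EffectiveTime is still in the future is not
    #    used for password generation yet; that is the usual reason
    #    Test-ADServiceAccount returns False right after Add-KdsRootKey
    #    (-EffectiveImmediately still sets EffectiveTime 10 hours ahead).
    $now  = (Get-Date).ToUniversalTime()
    $keys = @(Get-KdsRootKey)
    if ($keys.Count -eq 0) {
        Write-Warning 'No KDS root key found; create one with Add-KdsRootKey first.'
        return $false
    }
    $live = @($keys | Where-Object { $_.EffectiveTime.ToUniversalTime() -le $now })
    if ($live.Count -eq 0) {
        $soonest = ($keys | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime
        Write-Warning "KDS root key exists but is not effective until $($soonest.ToString('u')) (UTC). Wait for that time, or in a lab only recreate it with -EffectiveTime in the past."
        return $false
    }
    Write-Verbose ('Effective KDS root key(s): ' + (($live | Select-Object -ExpandProperty KeyId) -join ', '))

    # 2. The account and who is allowed to retrieve its managed password.
    $acct = Get-ADServiceAccount -Identity $AccountName `
                -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction Stop
    $principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    if ($principals.Count -eq 0) {
        Write-Warning "$AccountName has no PrincipalsAllowedToRetrieveManagedPassword, so no host can fetch its password. Set it to the group that contains your DCs."
        return $false
    }
    Write-Verbose ('Allowed principals: ' + ($principals -join ', '))

    # 3. Can THIS host retrieve the password? That is what Test-ADServiceAccount asks.
    #    A computer added to the allowed group keeps its old SYSTEM ticket (without
    #    the new group SID) until it reboots or purges that ticket cache, which is
    #    why the Defender for Identity guide has a 'klist purge -li 0x3e7' step.
    if ($Install) {
        Install-ADServiceAccount -Identity $AccountName -ErrorAction SilentlyContinue
    }
    $ok = [bool](Test-ADServiceAccount -Identity $AccountName)
    if (-not $ok) {
        Write-Warning "Test-ADServiceAccount returned False for $AccountName. Confirm this computer (or a group containing it) is in the allowed principals above, then run 'klist purge -li 0x3e7' or reboot so the new group membership reaches the SYSTEM ticket, and retry."
    }
    return $ok
}

# Usage, on the domain controller that will run the sensor:
# Test-GmsaReadiness -AccountName 'mdiSvc01' -Install -Verbose
```

Run it with -Verbose to see which key and principals it found. The order matters for diagnosis: a FALSE from step 3 is only meaningful once steps 1 and 2 pass, because an ineffective root key makes every host fail regardless of group membership. If the key was deleted and recreated, as the first answer quotes, restart the Kerberos Key Distribution Center service (kdc) on each DC before trusting the result, since a cached old key can still be in use.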
