Unable to create gMSA because KDS may not be running on domain.

Khan_MK 30 Reputation points
2023-08-23T05:19:57.05+00:00

I am trying to achieve the synchronization functionality between Azure AD and on-premises AD, but I am getting this error: "unable to create gMSA because KDS may not be running on domain". While checking the logs, no event IDs 9001 and 9002 are generated, as the community suggested for this solution (https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/active-directory/azure-ad-hybrid-sync-unable-create-gmsa-kds-domain-controller.md).



4 answers

  1. Fabio Andrade 1,665 Reputation points Microsoft Employee Moderator
    2023-08-24T22:56:02.8466667+00:00

    Hi @Khan_MK

    Have you tried to continue with the troubleshooting guide besides the fact that you can't find the 9001 and 9002 events?

    Based on the screenshot I can see that your server is set to support the AES 128 and AES 256 encryption protocols (0x7ffffff8). There's a good chance that there's a mismatch between the Kerberos encryption protocols supported by the server and the ones supported by the account provAgentgMSA. Could you please follow the rest of the guidance and share the results? The link below from Microsoft Learn has some screenshots available for you:

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-unable-create-gmsa-kds-domain-controller#unable-to-create-gmsa-because-kds-may-not-be-running-on-domain-controller



  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-08-25T21:43:50.1433333+00:00

    @Khan_MK ,

    To add to Fabio's answer, sometimes the error you mentioned occurs when installing the agent for the first time. If you uninstall it, delete the gMSA from the domain, re-install the agent immediately, and reboot the server, you may be able to install the agent successfully again.  

    Additionally, you may be able to resolve this by creating the KDS root key again with the command:

    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

    https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

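The two answers above point at two separate preconditions: a KDS root key that exists and is already effective (answer 2), and matching Kerberos encryption types between the server and the provAgentgMSA account (answer 1). The script below is an added example, not code from the thread or from Microsoft, that checks both before anything is re-created. It assumes it is run as a Domain Admin on the domain-joined sync server with the ActiveDirectory RSAT module installed, and it takes the gMSA name `provAgentgMSA` from the account name discussed in answer 1.

```powershell
# Added example: verify KDS root key state and Kerberos etype alignment
# before re-installing the agent or re-creating the gMSA.
# Assumptions: Domain Admin rights, ActiveDirectory module available,
# and 'provAgentgMSA' is the gMSA name from the thread's screenshot.
Import-Module ActiveDirectory

$GmsaName = 'provAgentgMSA'   # assumption: name taken from answer 1

# Bit values stored in msDS-SupportedEncryptionTypes (and in the local
# Kerberos\Parameters\SupportedEncryptionTypes registry value).
$EtypeBits = [ordered]@{
    0x1  = 'DES-CBC-CRC'
    0x2  = 'DES-CBC-MD5'
    0x4  = 'RC4-HMAC'
    0x8  = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EtypeNames {
    # Decode an etype bitmask into readable names; an unset attribute
    # (null/0) means "default", which in practice is RC4 on older domains.
    param([int64]$Value)
    $names = foreach ($bit in $EtypeBits.Keys) {
        if ($Value -band $bit) { $EtypeBits[$bit] }
    }
    if (-not $names) { 'none set (domain default applies)' } else { $names -join ', ' }
}

# 1. Is there a KDS root key, and has its effective time already passed?
#    gMSA creation fails until at least one key is effective on the DC.
$rootKeys = Get-KdsRootKey
if (-not $rootKeys) {
    Write-Warning 'No KDS root key found; gMSA creation cannot succeed until one exists.'
} else {
    foreach ($k in $rootKeys) {
        $state = if ($k.EffectiveTime -le (Get-Date)) { 'effective' } else { 'NOT YET effective' }
        'KDS root key {0}: created {1}, effective {2} ({3})' -f $k.KeyId, $k.CreationTime, $k.EffectiveTime, $state
    }
}

# 2. Does the gMSA exist, which etypes does it allow, and can this host retrieve it?
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" `
    -Properties 'msDS-SupportedEncryptionTypes', 'PrincipalsAllowedToRetrieveManagedPassword'
if (-not $gmsa) {
    "gMSA '$GmsaName' does not exist in the domain (expected if the agent install failed before creating it)."
} else {
    'gMSA etypes  : {0}' -f (ConvertTo-EtypeNames $gmsa.'msDS-SupportedEncryptionTypes')
    'Allowed hosts: {0}' -f ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
    'Test-ADServiceAccount: {0}' -f (Test-ADServiceAccount -Identity $GmsaName)
}

# 3. Which etypes does this server's Kerberos client allow?
#    The 0x7ffffff8 value from the thread decodes to AES128 + AES256 only.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
'Server etypes: {0}' -f (ConvertTo-EtypeNames $local)
```

If step 1 reports no key, `Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))` as given in answer 2 creates one that is usable immediately; the backdated effective time exists only to skip the 10-hour replication wait, so in a multi-DC production domain it is safer to create the key normally and wait for replication, then re-run the check. If step 2 shows the gMSA allowing only RC4 while step 3 shows the server restricted to AES, that is the etype mismatch answer 1 describes.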

  3. Fabio Andrade 1,665 Reputation points Microsoft Employee Moderator
    2023-08-31T21:42:00.8+00:00

    Hi @Khan_MK

    I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.


  4. Fabio Andrade 1,665 Reputation points Microsoft Employee Moderator
    2023-09-08T21:47:57.03+00:00

    Hi @Khan_MK

    I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

