Unable to install service account (gMSA) after Provisioning Agent installation.

Question

Unable to install service account (gMSA) after Provisioning Agent installation.

KajEdin 0

Hello,

After installing AADConnectProvisioningAgentSetup.exe I am unable to finish the configuration. gMSA is created in our AD but it still says it fails;

Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries

I have tried adding the account in "Lon on as a service" right. Rebooting the DC, reinstalling the agent, removing and letting it recreate the gMSA but I'm stuck in the same place.

What's logged in the trace-file:

[11:48:29.335] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfirmPageViewModel.Confirm in Page:"Agent configuration"
[11:48:29.335] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:106650
[11:48:29.335] [ 24] [INFO ] GetDomainController: find a DC in gsdev.local with minimum version WindowsServer2012
[11:48:29.335] [ 24] [INFO ] Validating/Creating KDS Root Key...
[11:48:32.622] [ 24] [INFO ] Successfully Validated KDS Root Key...
[11:48:32.641] [ 24] [INFO ] Found GMSA with name: provAgentgMSA$. SamAccountName: pGMSA_4466c675$
[11:48:45.364] [ 24] [ERROR] Exception caught while creating gmsa. Exception: System.InvalidOperationException: Unable to install service account pGMSA_4466c675$ after 6 retries
   at Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountProvider.InstallServiceAccount(String samAccountName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.ServiceAccountUtility.CreateGMSA(String domainFQDN, String username, String password, String& samAccountName, String& error)
[11:48:45.364] [ 24] [ERROR] Failed to create gmsa. Error: Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries. KDSValidated: True.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-09-29T17:39:12.5866667+00:00

@KajEdin

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
DS 31 Reputation points

2024-03-19T17:50:36.82+00:00
After navigating through numerous incorrect answers on Microsoft's "learn" platform, I discovered a solution for setting up a second Azure AD Connect Provisioning Agent, specifically when it involves using an existing Group Managed Service Account (gMSA). Contrary to the Microsoft documentation that suggests creating a new gMSA, this approach is not feasible when an account with the same common name already exists. Here's a clear guide on how to accomplish this setup:

Selecting "Use Existing" for gMSA: During the agent setup, when prompted to either create a new gMSA or use an existing one, choose "USE EXISTING."

Identify the sAMAccountName of the Original gMSA: Locate the sAMAccountName attribute of the original gMSA account created by the first setup wizard. This is typically formatted as pGMSA_xxxxxxx. Despite the wizard's hint suggesting you should enter the common name, what it actually requires is the sAMAccountName.

Enter the sAMAccountName in the Wizard: Input the identified sAMAccountName into the field within the wizard setup.

Troubleshooting the Service Start Issue: After proceeding, you might encounter an error indicating the service cannot start due to login issues. If this happens, do not close the wizard.

Configure the Service Account Manually in Services:

Navigate to Windows Services and locate the **Microsoft Azure AD Connect Provisioning Agent** service. Access the service properties and navigate to the **Log On** tab. Use the directory browsing feature to filter by service accounts only, and then select the account labeled similarly to **`provAgentgMsa`**. This action will autofill the account name in the logon field. Clear any entries in the password fields. Apply the changes by clicking **OK**. **Start the Azure AD Connect Provisioning Agent Service**: Manually start the service from the Services window. Ensure it runs successfully. **Finalize the Wizard Setup**: Return to the Azure AD Connect setup wizard and click on **confirm**. This should successfully register the agent with Azure.
RS-8823 0 Reputation points

2024-04-25T17:08:29.46+00:00

Thank you so much for this. The MS official documentation is just wrong, and this was the ticket to getting a second Entra Cloud Sync agent installed on a 2nd DC.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-09-29T17:39:12.5866667+00:00

@KajEdin

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
RS-8823 0 Reputation points

2024-04-25T17:08:29.46+00:00

Thank you so much for this. The MS official documentation is just wrong, and this was the ticket to getting a second Entra Cloud Sync agent installed on a 2nd DC.

Answer 1

@KajEdin Thank you for reaching out to us, As I understand you are trying to install AADConnectProvisioningAgentSetup.exe (provisioning agent) and in the process you encountered this issue

Exception caught while creating gmsa. Exception: System.InvalidOperationException: Unable to install service account pGMSA_4466c675$ after 6 retries
   at Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountProvider.InstallServiceAccount(String samAccountName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.ServiceAccountUtility.CreateGMSA(String domainFQDN, String username, String password, String& samAccountName, String& error)
[11:48:45.364] [ 24] [ERROR] Failed to create gmsa. Error: Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries. KDSValidated: True.

This can occur when you try to install the cloud sync agent with "Create gMASA" option but there's already another gMSA called 'provAgentgMSA' in a different AD Domain (i.e. child domain or tree domain).

Our team is aware of this issue and working on the fix, As a workaround you can install the cloud sync agent with a custom gMSA. In order to do this, follow the documented steps under https://learn.microsoft.com/en-us/azure/active-directory/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud#create-gmsa-account-with-powershell:~:text=2016%20or%20later.-,Custom%20gMSA%20account,-If%20you%20are (custom gMSA account) and then use the option in the Wizard to "Use custom gMSA"

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-09-27T05:33:27.9033333+00:00

@KajEdin Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Share via

Unable to install service account (gMSA) after Provisioning Agent installation.

1 answer

Your answer