Unable to install service account (gMSA) after Provisioning Agent installation.

Question

Hello,

After installing AADConnectProvisioningAgentSetup.exe I am unable to finish the configuration. gMSA is created in our AD but it still says it fails;

Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries

I have tried adding the account in "Lon on as a service" right. Rebooting the DC, reinstalling the agent, removing and letting it recreate the gMSA but I'm stuck in the same place.

What's logged in the trace-file:

[11:48:29.335] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfirmPageViewModel.Confirm in Page:"Agent configuration"
[11:48:29.335] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:106650
[11:48:29.335] [ 24] [INFO ] GetDomainController: find a DC in gsdev.local with minimum version WindowsServer2012
[11:48:29.335] [ 24] [INFO ] Validating/Creating KDS Root Key...
[11:48:32.622] [ 24] [INFO ] Successfully Validated KDS Root Key...
[11:48:32.641] [ 24] [INFO ] Found GMSA with name: provAgentgMSA$. SamAccountName: pGMSA_4466c675$
[11:48:45.364] [ 24] [ERROR] Exception caught while creating gmsa. Exception: System.InvalidOperationException: Unable to install service account pGMSA_4466c675$ after 6 retries
   at Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountProvider.InstallServiceAccount(String samAccountName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.ServiceAccountUtility.CreateGMSA(String domainFQDN, String username, String password, String& samAccountName, String& error)
[11:48:45.364] [ 24] [ERROR] Failed to create gmsa. Error: Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries. KDSValidated: True.

Answer 1

@KajEdin Thank you for reaching out to us, As I understand you are trying to install AADConnectProvisioningAgentSetup.exe (provisioning agent) and in the process you encountered this issue

Exception caught while creating gmsa. Exception: System.InvalidOperationException: Unable to install service account pGMSA_4466c675$ after 6 retries
   at Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountProvider.InstallServiceAccount(String samAccountName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.ServiceAccountUtility.CreateGMSA(String domainFQDN, String username, String password, String& samAccountName, String& error)
[11:48:45.364] [ 24] [ERROR] Failed to create gmsa. Error: Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_4466c675$ after 6 retries. KDSValidated: True.

This can occur when you try to install the cloud sync agent with "Create gMASA" option but there's already another gMSA called 'provAgentgMSA' in a different AD Domain (i.e. child domain or tree domain).

Our team is aware of this issue and working on the fix, As a workaround you can install the cloud sync agent with a custom gMSA. In order to do this, follow the documented steps under https://learn.microsoft.com/en-us/azure/active-directory/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud#create-gmsa-account-with-powershell:~:text=2016%20or%20later.-,Custom%20gMSA%20account,-If%20you%20are (custom gMSA account) and then use the option in the Wizard to "Use custom gMSA"

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.