Microsoft Entra Provisioning Agent - Unable to install service account pgmsa_... after 6 retries

Question

I am trying to install the Entra Cloud Sync Provisioning Agent (v1.1.1370.0) on Windows Server 2019. This a test environment, single Domain, single DC. The install is on the DC.

Completing the connection to Entra ID, then connect to AD, then confirm, are successful.

On the Confirm page, it says that the gMSA is being created but fails with the following error:

"Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_

Answer 1

@Cain, Alastair G I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others Opens in new window or tab", I'll repost your solution in case you'd like to "Accept Opens in new window or tab" the answer.

Issue: trying to install the Entra Cloud Sync Provisioning Agent (v1.1.1370.0) on Windows Server 2019. This a test environment, single Domain, single DC. The install is on the DC.

Completing the connection to Entra ID, then connect to AD, then confirm, are successful.

On the Confirm page, it says that the gMSA is being created but fails with the following error:

"Error while creating group managed service account (gMSA). Error: Unable to install service account pGMSA_

Solution: Resolved by @Cain, Alastair G have been doing some more digging and found the following comprehensive article "Migrating from AADConnect Sync to Entra Connect Cloud Sync Correctly" which includes this error.

https://c7solutions.com/2023/09/migrating-from-aadconnect-sync-to-entra-connect-cloud-sync-correctly#:~:text=after%206%20retries-,The%20above%20error,-%2C%20if%20you%20get

The issue is resolved after running the following command, followed by a reboot and a reinstall of the agent.

"Set-ADServiceAccount -Identity CN=provAgentgMSA,CN=Managed Service Accounts,dc=... -KerberosEncryptionType AES128,AES256"

If you have any other questions or are still running into more issues, please let me know.
Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

We have been doing some more digging and found the following comprehensive article "Migrating from AADConnect Sync to Entra Connect Cloud Sync Correctly" which includes this error.

https://c7solutions.com/2023/09/migrating-from-aadconnect-sync-to-entra-connect-cloud-sync-correctly#:~:text=after%206%20retries-,The%20above%20error,-%2C%20if%20you%20get

The issue is resolved after running the following command, followed by a reboot and a reinstall of the agent.

"Set-ADServiceAccount -Identity CN=provAgentgMSA,CN=Managed Service Accounts,dc=... -KerberosEncryptionType AES128,AES256"

Answer 3

We have been doing some more digging and found the following comprehensive article "Migrating from AADConnect Sync to Entra Connect Cloud Sync Correctly" which includes this error.

https://c7solutions.com/2023/09/migrating-from-aadconnect-sync-to-entra-connect-cloud-sync-correctly#:~:text=after%206%20retries-,The%20above%20error,-%2C%20if%20you%20get

The issue is resolved after running the following command, followed by a reboot and a reinstall of the agent.

"Set-ADServiceAccount -Identity CN=provAgentgMSA,CN=Managed Service Accounts,dc=... -KerberosEncryptionType AES128,AES256"