Installing Entra Provisioning Agent: Error while creating group managed service account (gMSA). Error: There is no such object on the server.

SamB-9973 5 Reputation points
2023-12-01T20:18:33.5966667+00:00

Hello Community,

I'm trying to install the Microsoft Entra Provisioning Agent on a new Windows Server 2022.

At the confirm step I get the error: Error while creating group managed service account (gMSA). Error: There is no such object on the server.

Following this: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-no-such-object-on-server

At first try, the Managed Service Accounts container was missing. I re-created it by deleting CN=5e1574f6-55df-493e-a671-aaeffca6a100 and clearing the revision attribute for CN=ActiveDirectoryUpdate, and then ran adprep /domainprep (Ref: https://www.carlwebster.com/what-happened-to-my-managed-service-accounts-container/ )

Now the Managed Service Accounts container is present, but I still get the same error. Still following https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-no-such-object-on-server

Here is the output of the PowerShell command:

PS C:\Windows\system32: $ListOWKO = Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherwellKnownObjects

$ListOWKO.otherwellKnownObjects

B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=solisco,DC=dom

B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:4f88c669-a15b-4ff4-b3fa-065524fe8fc5,CN=Deleted Objects,DC=solisco,DC=dom

This is where I'm stuck now.

Can you help me complete the agent installation please?

It's an existing forest; the Active Directory currently syncs with Azure AD Connect from a Windows 2012 domain controller. Functional level is Windows 2012.

The original goal is to build new domain controllers on Windows Server 2022 and demote the old Windows 2012 domain controllers. So I'm installing the cloud sync agent on the new server.

MORE:

I am able to create a gMSA using PowerShell, but I MUST provide the -Path parameter. If I don't specify the -Path, it fails as if the "default" path is wrong. So I think the value for the default path/link to the "Managed Service Accounts" container is broken/not updated with the new value.

New-ADServiceAccount -Name gMSAtestttt -DNSHostName "gMSAtestttt.domain.dom" -Path "CN=Managed Service Accounts,DC=domain,DC=dom"

If I don't use the -Path parameter I get:

    New-ADServiceAccount : Parameter: 'Path' is required for this operation.
    At line:1 char:1
    + New-ADServiceAccount -name gMSAtestttt -DNSHostName gMSAtestttt.d ...
        + CategoryInfo          : InvalidArgument: (:) [New-ADServiceAccount], ArgumentException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

I opened a ticket with Microsoft but no answer for a week now.

I'm thinking about trying that solution: https://www.reddit.com/r/activedirectory/comments/1525sam/any_way_to_update_otherwellknownobjects_path/

Active Directory

2 answers

  1. SamB-9973 5 Reputation points
    2023-12-18T18:20:56.94+00:00

    Didn't get any more news from Microsoft support. Request lost in the clouds.

    I have been able to walk through this issue using this solution: https://www.reddit.com/r/activedirectory/comments/1525sam/any_way_to_update_otherwellknownobjects_path/

    Which populates the new value for the otherwellKnownObjects.

    I also found it would have been possible to update the value using the LDP tools from Microsoft https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771022(v=ws.11)

    After this I got other issues, but they were related to some GPOs on our side. (Allow log on locally, Log On As Service, Log On As Batch) https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/services-sync-not-start

    1 person found this answer helpful.
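
A read-only check for the condition visible in the question's output, where the otherWellKnownObjects entry for the Managed Service Accounts container still points at a deleted object. This is an added example, not code from the thread or from Microsoft; the function name Test-OtherWellKnownObject is hypothetical and the sample values are the ones quoted in the question.

```powershell
# GUID that the question's output pairs with the Managed Service Accounts
# container in otherWellKnownObjects.
$MsaContainerGuid = '1EB93889E40C45DF9F0C64D23BBB6237'

function Test-OtherWellKnownObject {
    # Hypothetical helper: parses one "B:<length>:<GUID>:<DN>" value. Makes no changes.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Value)
    process {
        if ($Value -notmatch '^B:(?<Len>\d+):(?<Guid>[0-9A-Fa-f]+):(?<Dn>.+)$') {
            Write-Warning "Unrecognised otherWellKnownObjects value: $Value"
            return
        }
        # Copy the captures before the next -match overwrites $Matches.
        $len  = [int]$Matches['Len']
        $guid = $Matches['Guid']
        $dn   = $Matches['Dn']
        if ($len -ne $guid.Length) {
            Write-Warning "Length prefix $len does not match GUID '$guid'"
        }
        # A deleted object is renamed "<RDN>\0ADEL:<objectGUID>" and moved
        # under CN=Deleted Objects, so either marker means a stale link.
        $isDeleted = ($dn -match '\\0ADEL:') -or ($dn -match '(^|,)CN=Deleted Objects,')
        [pscustomobject]@{
            Guid              = $guid
            IsMsaContainer    = ($guid -eq $MsaContainerGuid)
            PointsToDeleted   = $isDeleted
            DistinguishedName = $dn
        }
    }
}

# Sample input: the two values shown in the question, embedded so this runs offline.
$sample = @(
    'B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=solisco,DC=dom'
    'B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:4f88c669-a15b-4ff4-b3fa-065524fe8fc5,CN=Deleted Objects,DC=solisco,DC=dom'
)

# Against a live domain, replace $sample with the query from the question:
#   (Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherWellKnownObjects).otherWellKnownObjects
$sample | Test-OtherWellKnownObject | ForEach-Object {
    if ($_.IsMsaContainer -and $_.PointsToDeleted) {
        Write-Warning "MSA container link is stale: $($_.DistinguishedName)"
    }
    $_
}
```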

  2. Thameur-BOURBITA 34,936 Reputation points
    2023-12-04T17:20:50.7+00:00

    Hi @SamB-9973

    I invite you to take a look at the article below; I think it talks about the same issue:

    Microsoft Entra Hybrid Sync Agent Installation Issues - There is no such object on the server


    Please don't forget to accept the helpful answer

