Hello Community,
I'm trying to install the Microsoft Entra Provisioning Agent on a new Windows Server 2022.
At the confirm step I get the error: Error while creating group managed service account (gMSA). error: There is no such object on the server.
Following this: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-no-such-object-on-server
At first the Managed Service Accounts container was missing. I re-created it by deleting CN=5e1574f6-55df-493e-a671-aaeffca6a100, clearing the revision attribute on CN=ActiveDirectoryUpdate, and then running adprep /domainprep (Ref: https://www.carlwebster.com/what-happened-to-my-managed-service-accounts-container/ )
Now the Managed Service Accounts container is present, but I still get the same error. Still following https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-no-such-object-on-server
Here is the Output of the powershell command:
PS C:\Windows\system32> $ListOWKO = Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherwellKnownObjects
PS C:\Windows\system32> $ListOWKO.otherwellKnownObjects
B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=solisco,DC=dom
B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:4f88c669-a15b-4ff4-b3fa-065524fe8fc5,CN=Deleted Objects,DC=solisco,DC=dom
This is where I'm stuck now.
Can you help me complete the agent installation please?
It's an existing forest; the Active Directory currently syncs with Azure AD Connect from a Windows 2012 domain controller. The functional level is Windows 2012.
The original goal is to build new domain controllers on Windows Server 2022 and demote the old Windows 2012 domain controllers. So I'm installing the cloud sync agent on the new server.
MORE:
I am able to create a gMSA using PowerShell, but I MUST provide the -Path parameter. If I don't specify -Path, it fails as if the "default" path were wrong. So I think the value for the default path/link to the "Managed Service Accounts" container is broken/not updated with the new value.
New-ADServiceAccount -Name gMSAtestttt -DNSHostName "gMSAtestttt.domain.dom" -Path "CN=Managed Service Accounts,DC=domain,DC=dom"
If I don't use the -Path parameter I get:
New-ADServiceAccount : Parameter: 'Path' is required for this operation.
At line:1 char:1
+ New-ADServiceAccount -name gMSAtestttt -DNSHostName gMSAtestttt.d ...
    + CategoryInfo          : InvalidArgument: (:) [New-ADServiceAccount], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
I opened a ticket with Microsoft but no answer for a week now.
I'm thinking about trying this solution: https://www.reddit.com/r/activedirectory/comments/1525sam/any_way_to_update_otherwellknownobjects_path/
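The following script is an added example, not part of the original post. It automates the check the post performs by hand: it reads otherWellKnownObjects on the domain naming context, extracts the entry for the Managed Service Accounts well-known GUID (1EB93889E40C45DF9F0C64D23BBB6237, as shown in the post's output), and reports whether that entry still points at a tombstone under CN=Deleted Objects. It then writes an LDIF file that deletes the stale value and adds one pointing at the live container, and imports it with ldifde only when -Repair is passed. Assumptions: the RSAT ActiveDirectory module and ldifde.exe are available, the account running it can modify the domain naming context, and the re-created container lives at CN=Managed Service Accounts directly under the domain NC; the GUID constant, the file name and the -Repair switch are choices made for this example.

```powershell
<#
  Added example (not from the original post).
  Checks whether the Managed Service Accounts entry in otherWellKnownObjects
  points at a deleted object and, on request, repoints it with an LDIF import.
  Assumes: RSAT ActiveDirectory module, ldifde.exe, rights to modify the domain NC,
  and that the live container is CN=Managed Service Accounts,<domain NC>.
#>
[CmdletBinding()]
param(
    # Without -Repair the script only reports and writes the LDIF for review.
    [switch]$Repair
)

Import-Module ActiveDirectory

# Well-known object GUID of the Managed Service Accounts container (taken from the post's output).
$MsaGuid = '1EB93889E40C45DF9F0C64D23BBB6237'

$domainNC   = (Get-ADRootDSE).DefaultNamingContext
$expectedDn = "CN=Managed Service Accounts,$domainNC"

# otherWellKnownObjects holds DN-Binary strings of the form B:32:<hex GUID>:<DN>
$entries  = (Get-ADObject $domainNC -Properties otherWellKnownObjects).otherWellKnownObjects
$msaEntry = $entries | Where-Object { $_ -match "^B:32:${MsaGuid}:" }
if (-not $msaEntry) { throw "No otherWellKnownObjects entry for GUID $MsaGuid on $domainNC" }

$currentDn   = $msaEntry -replace "^B:32:${MsaGuid}:", ''
# A tombstone DN carries the \0ADEL: marker and lives under CN=Deleted Objects.
$isTombstone = ($currentDn -match '\\0ADEL:') -or ($currentDn -match 'CN=Deleted Objects')

Write-Host "Current MSA well-known object DN : $currentDn"
Write-Host "Expected container DN            : $expectedDn"

if (-not $isTombstone -and $currentDn -eq $expectedDn) {
    Write-Host 'otherWellKnownObjects already points at the live container; nothing to do.'
    return
}

# Never repoint the attribute at a container that does not exist.
$live = Get-ADObject -Identity $expectedDn -ErrorAction SilentlyContinue
if (-not $live) {
    throw "$expectedDn does not exist; re-create the container (adprep /domainprep) before repairing the attribute."
}

# One LDAP modify: remove the stale DN-Binary value, add the corrected one.
$ldif = @"
dn: $domainNC
changetype: modify
delete: otherWellKnownObjects
otherWellKnownObjects: $msaEntry
-
add: otherWellKnownObjects
otherWellKnownObjects: B:32:${MsaGuid}:$expectedDn
-

"@

$ldfPath = Join-Path $env:TEMP 'fix-msa-wellknownobject.ldf'   # file name chosen for this example
Set-Content -Path $ldfPath -Value $ldif -Encoding Ascii
Write-Host "LDIF written to $ldfPath (review it before importing):`n$ldif"

if ($Repair) {
    # ldifde: -i import, -f input file, -j directory for its log files.
    & ldifde.exe -i -f $ldfPath -j $env:TEMP
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed with exit code $LASTEXITCODE; check the ldifde log in $env:TEMP"
    }
    # Re-read the attribute so the repaired value is visible immediately.
    (Get-ADObject $domainNC -Properties otherWellKnownObjects).otherWellKnownObjects |
        Where-Object { $_ -match "^B:32:${MsaGuid}:" }
}
else {
    Write-Host 'Dry run only. Re-run with -Repair to import the LDIF with ldifde.'
}
```

Run it first without -Repair and read the generated .ldf: the delete line must match the tombstone value byte for byte (including the \0ADEL: portion) or the server will reject the modify, and the add line must name the container that Get-ADObject can actually resolve. After a successful import, New-ADServiceAccount without -Path should use the container again, which is the quick way to confirm the repair before retrying the agent wizard.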