SCOM 2019 integrated UR3 install media? gMSA Problem in SCOM 2019 setup wizard

Jens Steinigen 96 Reputation points
2021-07-21T14:13:53.73+00:00

Hello!

I have SCOM 2019 UR3 running in our environment. The service accounts are implemented as Group Managed Service Accounts. Now, I need to install the Report Server. In the setup wizard it asks for the service accounts. When I enter the gmsa accounts (no password) I cannot continue the installation because no password was entered. Clearly the setup wizard can't handle gmsa account credential, no wonder it was in the first version (before UR1) not capable to.

Is there an installation ISO or archive for SCOM 2019 available with integrated UR1, ..2 or ..3? Was this issue in the setup wizard fixed there? Where can I download it?

Cheers
Jens

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,481 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jens Steinigen 96 Reputation points
    2021-07-26T12:30:36.117+00:00

    Hello all!

    I found a solution to this problem, that might also work for you guys. I tried an idea extracting the AD-managed passwords and installing the new management server treating the gMSA-accounts like simple domain accounts. It was successful.

    This means even with the installer that doesn’t contain update rollups to handle gMSA accounts for installation, a management server can still be added to the management group using gMSA accounts.

    I remembered an article that demonstrated, how to retrieve a gMSA’s clear text password. https://adsecurity.org/?p=4367

    Based on this I scripted the installation with Powershell (it uses the DSInternals Powershell module). I know it’s not the most elegant script, but it worked.

    $gmsa_AA = Get-ADServiceAccount -Identity gmsa_scom_aa$ -Properties 'msDS-ManagedPassword'
    $mp_AA = $gmsa_AA.'msDS-ManagedPassword'
    $cp_AA = ConvertFrom-ADManagedPasswordBlob $mp_AA
    
    $gmsa_DAS = Get-ADServiceAccount -Identity gmsa_scom_das$ -Properties 'msDS-ManagedPassword'
    $mp_DAS = $gmsa_DAS.'msDS-ManagedPassword'
    $cp_DAS = ConvertFrom-ADManagedPasswordBlob $mp_DAS
    
    
    $gmsa_DWW = Get-ADServiceAccount -Identity gmsa_scom_dww$ -Properties 'msDS-ManagedPassword'
    $mp_DWW = $gmsa_DWW.'msDS-ManagedPassword'
    $cp_DWW = ConvertFrom-ADManagedPasswordBlob $mp_DWW
    
    $gmsa_DWR = Get-ADServiceAccount -Identity gmsa_scom_dwr$ -Properties 'msDS-ManagedPassword'
    $mp_DWR = $gmsa_DWR.'msDS-ManagedPassword'
    $cp_DWR = ConvertFrom-ADManagedPasswordBlob $mp_DWR
    
    $arglist= @("/install /silent /components:OMServer,OMReporting /SqlServerInstance:SQLSRV-SCOM\SCOM /SqlInstancePort:1433 /DatabaseName:OperationsManager /DWSqlServerInstance:SQLSRV-SCOM\SCOM /DWSqlInstancePort:1433 /DWDatabaseName:OperationsManagerDW /ActionAccountUser:DOMAIN\gmsa_scom_aa$ /ActionAccountPassword:"+$cp_AA.CurrentPassword+" /DASAccountUser:DOMAIN\gmsa_scom_das$ /DASAccountPassword:"+$cp_DAS.CurrentPassword+" /DatareaderUser:DOMAIN\gmsa_scom_dwr$ /DatareaderPassword:"+$cp_DWR.CurrentPassword+" /DataWriterUser:DOMAIN\gmsa_scom_dww$ /DataWriterPassword:"+$cp_DWW.CurrentPassword+" /AcceptEndUserLicenseAgreement:1 /SRSInstance:SCOMSRV-REP\MSSQLSERVER /SendODRReports:0 /EnableErrorReporting:Never /SendCEIPReports:0 /UseMicrosoftUpdate:1")
        Start-Process -FilePath $env:systemdrive\SCOM2019\setup.exe -ArgumentList $arglist -wait
    

    With this script the installation went through and after it finished, I immediately installed UR3 and the new management server is running well and smoothly.

    !!! In order to access the gMSA's password the user used to carry-out the installation needs to be member of the group that is in my case the gMSA's "PrincipalsAllowedToRetrieveManagedPassword" group. !!!

    Also, keep in mind, that gMSA-accounts have a limited password age and the password will be changed automatically. Hence, you might want to check how much time you have left to expiry. If the password changes during the install process or before you install the UR3, that might mess-up quite a few things.


2 additional answers

Sort by: Most helpful
  1. Jens Steinigen 96 Reputation points
    2021-07-21T14:17:10.577+00:00

    116787-using-gmsa-for-scom-installation.png

    0 comments No comments

  2. CyrAz 5,181 Reputation points
    2021-07-21T17:42:49.757+00:00

    You can't use gMSAs straight from the installer, you have to first run installation with regular accounts, update to latest UR and then follow the "migrate to gMSAs" procedure. Yes, that's a shame.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.