SCOM 2019 integrated UR3 install media? gMSA Problem in SCOM 2019 setup wizard

Jens Steinigen 96 Reputation points
2021-07-21T14:13:53.73+00:00

Hello!

I have SCOM 2019 UR3 running in our environment. The service accounts are implemented as Group Managed Service Accounts. Now I need to install the Report Server. In the setup wizard it asks for the service accounts. When I enter the gMSA accounts (no password) I cannot continue the installation because no password was entered. Clearly the setup wizard can't handle gMSA account credentials; no wonder, as the first version (before UR1) was not capable of it either.

Is there an installation ISO or archive for SCOM 2019 available with integrated UR1, UR2 or UR3? Was this issue in the setup wizard fixed there? Where can I download it?

Cheers
Jens

Operations Manager

Accepted answer
  1. Jens Steinigen 96 Reputation points
    2021-07-26T12:30:36.117+00:00

    Hello all!

    I found a solution to this problem that might also work for you guys. I tried an idea: extracting the AD-managed passwords and installing the new management server while treating the gMSA accounts like simple domain accounts. It was successful.

    This means that even with an installer that doesn't contain the update rollups needed to handle gMSA accounts during installation, a management server can still be added to the management group using gMSA accounts.

    I remembered an article that demonstrated how to retrieve a gMSA's clear text password: https://adsecurity.org/?p=4367

    Based on this I scripted the installation with PowerShell (it uses the DSInternals PowerShell module). I know it's not the most elegant script, but it worked.

    ```powershell
    # Requires the ActiveDirectory module (RSAT) and the DSInternals module
    Import-Module ActiveDirectory
    Import-Module DSInternals

    # Read the msDS-ManagedPassword blob of each gMSA and decode it with DSInternals.
    # AD only returns the blob to principals allowed to retrieve the managed password.
    $gmsa_AA = Get-ADServiceAccount -Identity 'gmsa_scom_aa$' -Properties 'msDS-ManagedPassword'
    $mp_AA = $gmsa_AA.'msDS-ManagedPassword'
    $cp_AA = ConvertFrom-ADManagedPasswordBlob $mp_AA

    $gmsa_DAS = Get-ADServiceAccount -Identity 'gmsa_scom_das$' -Properties 'msDS-ManagedPassword'
    $mp_DAS = $gmsa_DAS.'msDS-ManagedPassword'
    $cp_DAS = ConvertFrom-ADManagedPasswordBlob $mp_DAS

    $gmsa_DWW = Get-ADServiceAccount -Identity 'gmsa_scom_dww$' -Properties 'msDS-ManagedPassword'
    $mp_DWW = $gmsa_DWW.'msDS-ManagedPassword'
    $cp_DWW = ConvertFrom-ADManagedPasswordBlob $mp_DWW

    $gmsa_DWR = Get-ADServiceAccount -Identity 'gmsa_scom_dwr$' -Properties 'msDS-ManagedPassword'
    $mp_DWR = $gmsa_DWR.'msDS-ManagedPassword'
    $cp_DWR = ConvertFrom-ADManagedPasswordBlob $mp_DWR

    # Build the silent setup command line, passing the decoded current passwords
    # exactly as one would for ordinary domain accounts.
    $arglist = @("/install /silent /components:OMServer,OMReporting /SqlServerInstance:SQLSRV-SCOM\SCOM /SqlInstancePort:1433 /DatabaseName:OperationsManager /DWSqlServerInstance:SQLSRV-SCOM\SCOM /DWSqlInstancePort:1433 /DWDatabaseName:OperationsManagerDW /ActionAccountUser:DOMAIN\gmsa_scom_aa$ /ActionAccountPassword:" + $cp_AA.CurrentPassword + " /DASAccountUser:DOMAIN\gmsa_scom_das$ /DASAccountPassword:" + $cp_DAS.CurrentPassword + " /DatareaderUser:DOMAIN\gmsa_scom_dwr$ /DatareaderPassword:" + $cp_DWR.CurrentPassword + " /DataWriterUser:DOMAIN\gmsa_scom_dww$ /DataWriterPassword:" + $cp_DWW.CurrentPassword + " /AcceptEndUserLicenseAgreement:1 /SRSInstance:SCOMSRV-REP\MSSQLSERVER /SendODRReports:0 /EnableErrorReporting:Never /SendCEIPReports:0 /UseMicrosoftUpdate:1")

    # Run setup.exe from the extracted media and wait for it to finish
    Start-Process -FilePath "$env:SystemDrive\SCOM2019\setup.exe" -ArgumentList $arglist -Wait
    ```


    With this script the installation went through and after it finished, I immediately installed UR3 and the new management server is running well and smoothly.

    !!! In order to access the gMSA's password, the user used to carry out the installation needs to be a member of the group that is, in my case, the gMSA's "PrincipalsAllowedToRetrieveManagedPassword" group. !!!

    Also, keep in mind that gMSA accounts have a limited password age and the password will be changed automatically. Hence, you might want to check how much time you have left until expiry. If the password changes during the install process or before you install UR3, that might mess up quite a few things.
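The two caveats in the accepted answer (the installing account must be allowed to retrieve the managed password, and the password must not rotate mid-install) can be checked before any setup is started. The following pre-flight script is an added example and not part of the original answer; it assumes the ActiveDirectory and DSInternals modules are installed, uses the same four gMSA names as placeholders, and takes a 24-hour safety margin as an assumed value. It reads only the rotation timing from the decoded blob (the `UnchangedPasswordInterval` property of DSInternals' ManagedPassword object) and never stores or prints the password itself.

```powershell
# Added pre-flight check (not from the original answer). The gMSA names and the
# 24-hour margin below are assumptions; adjust them to your environment.
Import-Module ActiveDirectory
Import-Module DSInternals

function Test-GmsaInstallReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $AccountName,
        # Assumed margin: setup plus the UR3 install must finish before the next rotation
        [int] $MinimumHoursRemaining = 24
    )

    foreach ($name in $AccountName) {
        $acct = Get-ADServiceAccount -Identity $name -Properties `
            'msDS-ManagedPassword', 'PrincipalsAllowedToRetrieveManagedPassword'

        # AD returns the msDS-ManagedPassword blob only to principals listed in
        # PrincipalsAllowedToRetrieveManagedPassword, so an empty value means the
        # account running this check is not authorised to retrieve the password.
        $blob = $acct.'msDS-ManagedPassword'
        $hoursLeft = $null
        if ($blob) {
            # Decode the blob for its timing fields only; the clear-text password is not used.
            $mp = ConvertFrom-ADManagedPasswordBlob -Blob $blob
            $hoursLeft = [math]::Round($mp.UnchangedPasswordInterval.TotalHours, 1)
        }

        [pscustomobject]@{
            Account            = $name
            CanRetrieve        = [bool]$blob
            HoursUntilRotation = $hoursLeft
            AllowedPrincipals  = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
            Ready              = ([bool]$blob -and $hoursLeft -ge $MinimumHoursRemaining)
        }
    }
}

# Check the four SCOM accounts from the answer above and stop if any one is not ready
$report = Test-GmsaInstallReadiness -AccountName 'gmsa_scom_aa$', 'gmsa_scom_das$', 'gmsa_scom_dwr$', 'gmsa_scom_dww$'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ready }) {
    throw 'At least one gMSA cannot be retrieved or rotates too soon; fix the group membership or wait for the next rotation before installing.'
}
```

Run it as the same user (and from the same machine) that will execute setup.exe, since retrieval rights are evaluated for that principal; the AllowedPrincipals column shows which groups or computers would need to be adjusted when CanRetrieve is false.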


2 additional answers

Sort by: Most helpful
  1. Jens Steinigen 96 Reputation points
    2021-07-21T14:17:10.577+00:00

    (Screenshot attached: 116787-using-gmsa-for-scom-installation.png)


  2. CyrAz 5,181 Reputation points
    2021-07-21T17:42:49.757+00:00

    You can't use gMSAs straight from the installer, you have to first run installation with regular accounts, update to latest UR and then follow the "migrate to gMSAs" procedure. Yes, that's a shame.

