failed changing windows service credentials to gmsa

Christopher Koroluk 1 Reputation point
2021-11-30T22:27:06.06+00:00

I have tried to recreate the KDS keys. I don't see the user being created in my AD.


3 answers

  1. Christopher Koroluk 1 Reputation point
    2021-12-01T16:39:23.273+00:00

    Hi @sikumars-msft

    I am trying to install the Azure AD connect service, but am getting the error "failed changing windows service credentials to gmsa" when going through the installation and the gmsa user section.

    I also get the error "Unable to create gMSA because KDS may not be running on domain controller"

    I have followed the instructions listed here https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/azure-ad-hybrid-sync-agent-install-welcome


  2. Siva-kumar-selvaraj 15,566 Reputation points
    2021-12-01T20:47:07.433+00:00

    Hello @Christopher Koroluk ,

    Thanks for the update.

    Based on the above article, it appears that you are having problems using Azure AD connect Cloud Sync Provisioning rather than traditional Azure AD connect; please correct me if I am mistaken.

    However, regardless of whether you use Cloud Sync or traditional Azure AD connect, you must have generated the KDS Root Key by using the cmdlet Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) as explained here prior to using the GMSA account.

    If you have previously generated a KDS root key, use the Get-KdsRootKey cmdlet to validate existing root keys on a couple of DCs to ensure there is no discrepancy due to a DC replication issue. Also, ensure the KDSSVC service is running on the Domain Controller without any problems.

    Furthermore, if you are attempting to utilize an existing GMSA account, use the following cmdlet Test-ADServiceAccount -Identity serviceAccountgMSA$ = True to test the GMSA service account for the sync agent.

    If none of the methods listed above help you narrow down the problem, then I would recommend you to contact MS Support because this would need active troubleshooting and live data collecting to gain further understanding to determine why the KDS service is not responding.

    I hope this was useful.


  3. Daniel Ainsworth 1 Reputation point
    2022-03-21T18:21:56.367+00:00

    Hello,

    I had an issue like this and wanted to spread the answer around to save others a headache. If you are able to create a GMSA account and it tests out valid and true with Get-KdsRootKey and Test-ADServiceAccount -Identity serviceAccountgMSA$ and the Microsoft Key Distribution Service is running on the DC, but it still doesn't let the GMSA service log in to start the service:

    Make sure your FOREST functional level (schema level) is at least server 2012. This is a stealth requirement for GMSA to work, but you can still create the accounts without an error even if it isn't set yet.

    Active Directory Domains and Trusts > Right click the app root (not the domain name) > Raise Forest Functional Level

    You may or may not need to delete and recreate your GMSA account after this change.

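The prerequisite checks from the two answers above (KDS root key, KdsSvc, forest functional level, Test-ADServiceAccount), combined into one read-only diagnostic. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 on the sync server with the RSAT ActiveDirectory module, WinRM access to the PDC emulator, and a placeholder gMSA name in $GmsaName.

```powershell
# Added example (not from the thread): read-only checks for the gMSA prerequisites
# discussed above. Run elevated on the sync server. $GmsaName is a placeholder.
param([string]$GmsaName = 'serviceAccountgMSA')

Import-Module ActiveDirectory -ErrorAction Stop
$pdc = (Get-ADDomain).PDCEmulator
$checks = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Pass, $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. A KDS root key exists and is already effective. A key created with the
#    default EffectiveTime is not usable for roughly 10 hours after creation.
$keys = @(Invoke-Command -ComputerName $pdc -ScriptBlock { Get-KdsRootKey })
$usable = @($keys | Where-Object { $_.EffectiveTime -le (Get-Date) })
$keyDetail = ($keys | ForEach-Object { "$($_.KeyId) effective $($_.EffectiveTime)" }) -join '; '
Add-Check 'KDS root key effective on PDC' ($usable.Count -gt 0) "$($keys.Count) key(s): $keyDetail"

# 2. Microsoft Key Distribution Service (KdsSvc) is running on that DC.
$svc = Invoke-Command -ComputerName $pdc -ScriptBlock { Get-Service -Name KdsSvc }
Add-Check 'KdsSvc running on PDC' ($svc.Status -eq 'Running') "Status: $($svc.Status)"

# 3. Forest functional level is at least Windows Server 2012; the ForestMode
#    name (e.g. Windows2012R2Forest) carries the year, so extract it.
$mode = (Get-ADForest).ForestMode.ToString()
$year = if ($mode -match '(\d{4})') { [int]$Matches[1] } else { 0 }
Add-Check 'Forest functional level >= 2012' ($year -ge 2012) "ForestMode: $mode"

# 4. The gMSA exists and this host can retrieve its managed password. The test
#    only passes on a computer listed in PrincipalsAllowedToRetrieveManagedPassword.
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction SilentlyContinue
if ($acct) {
    $ok = Test-ADServiceAccount -Identity $GmsaName
    $who = $acct.PrincipalsAllowedToRetrieveManagedPassword -join ', '
    Add-Check "Test-ADServiceAccount $GmsaName" $ok "Allowed principals: $who"
} else {
    Add-Check "gMSA $GmsaName exists" $false 'Get-ADServiceAccount returned nothing'
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Any failing row points at the prerequisite to fix first; the forest level check is the one that passes account creation yet still blocks the service from starting, as the last answer describes.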