Edit

Share via

Microsoft Entra Hybrid Sync Agent Installation Issues - Unable to create gMSA because KDS may not be running on domain controller

  • Article

This troubleshooting guide focuses on when you can't install the service account after many retries. This situation blocks you from installing the Microsoft Entra Connect Provisioning Agent.

Prerequisites

To install Cloud Provisioning Agent, the following prerequisites are required: Prerequisites for Microsoft Entra Connect cloud sync.

Unable to create gMSA because KDS may not be running on domain controller

While installing Cloud Provisioning Agent, you may get the following error:

Unable to create gMSA because KDS may not be running on domain controller. Please create/run KDS manually.

To locate the 9001 and 9002 EventIDs, go to Applications and Services Logs > Microsoft > Windows > Security - Netlogon.

Screenshot of the Event 9001 window. You can't use the account as an M S A locally, because the machine doesn't support all account encryption types.

Screenshot of the Event 9002 window. Netlogon couldn't add the account as a managed service account (M S A) to the local machine.

Use the following command to retrieve the server settings for the supported encryption types:

C:\windows\system32>reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
    SupportedEncryptionTypes    REG_DWORD    0x7ffffff8

Within the command, the DWORD 0x7ffffff8 represents AES128_HMAC_SHA1 AES256_HMAC_SHA1.

In the Active Directory Users and Computers snap-in (dsa.msc), open the provAgentgMSA properties of the domain controller:

  1. Select the Attribute Editor tab.
  2. Choose the msDS-SupportedEncryptionTypes attribute, and select Edit.

Screenshot of the provisioning agent g M S A properties dialog box, Attribute Editor tab. The Integer Attribute Editor dialog box is on top.

Verify that there's a mismatch between the encryption types that the server offers and that the accounts accept.

To resolve the issue, remove the RC4 from the provAgentgMSA account by running the following command in a domain controller:

Set-ADServiceAccount -Identity provAgentgMSA -KerberosEncryptionType AES128,AES256

Next, reboot the Provisioning agent server and reinstall the agent.

For more information on this issue, see Cannot install service account. The provided context did not match the target.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.