Migrating old Azure AD Connect to newly deployed Server with gMSA as the service account?

EnterpriseArchitect 4,866 Reputation points
2024-02-23T06:03:05.7+00:00

I am running Hybrid Azure AD and OnPremise AD DS with a single on-premise server. Can someone here please share the steps and the procedure to create the new gMSA for Azure AD Connect? What are the roles and the permission required for the new gMSA? I am in the process of migrating the old Azure AD Connect on Windows Server 2016 to the newly created Windows Server 2022, so any procedure and steps to configure the new Azure AD Connect server with the gMSA will be greatly appreciated.


Accepted answer
  1. Thameur-BOURBITA 32,596 Reputation points
    2024-02-23T09:58:16.2266667+00:00

    Hi @EnterpriseArchitect

    Regarding service accounts used by the Entra Connect server, gMSA is not supported for the AD DS connector. For the AD DS connector you have to create a standard user. For more information about the permissions required for this service account used by the AD DS Connector, you can refer to the following link: Create the AD DS Connector account.

    gMSA is required when you want to use a remote SQL instance. In this case you can use a gMSA to connect to this instance. I have already configured it in my environment without any issue.

    Note that you can set the service account only on first installation. You can't change the service account after installation is finished.

    If you want to replace the service account used by the Entra Connect server to connect to the SQL instance, you have to reinstall the Entra Connect server: GMSA

    Screenshot that shows selecting Managed Service Account in Windows Server.

    I recommend you follow these steps that I used to replace the service account with a gMSA service account:

    • Create the gMSA service account and the standard user service account
    • Configure the required permissions (full access) for the gMSA service account to connect to the SQL instance, and the required permissions for the standard service account to be used for the AD DS connector: Create the AD DS Connector account.
    • Export the configuration from the old Entra Connect server as mentioned in the following link: Migrate settings from an existing server
    • Install the Entra Connect server on the new server in staging mode by following this configuration:

    Imported configuration from old server

    Screenshot that shows the Import synchronization settings option.

    Use the gMSA to connect to the SQL instance

    Screenshot that shows selecting Managed Service Account in Windows Server.

    Use the standard service account for the AD DS Connector to sync objects from the on-premises domain:

    Screenshot showing the "Connect Directory" page and the A D forest account window, where you can choose to create a new account or use an existing account.

    • Once the configuration of the new Entra Connect server with the gMSA is completed, you can set the old server to staging mode
    • Disable staging mode on the new server

    Please don't forget to accept helpful answer

    1 person found this answer helpful.
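The account-preparation steps listed in the accepted answer (create the gMSA, create the standard AD DS connector user, grant permissions, validate the gMSA on the new server), collected into one PowerShell script. This is an added example and not code from the answer above or from Microsoft; the domain, server, account and OU names are assumptions, the AdSyncConfig module path is assumed from a default Entra Connect install, and the SQL grant is shown only as a T-SQL comment for the DBA to review.

```powershell
# Added example (not from the answer or from Microsoft). Run as a Domain Admin on a
# domain-joined management host with the ActiveDirectory RSAT module installed.
# Every name below is an assumption for illustration; replace it with your own values.
Import-Module ActiveDirectory

$domain        = 'corp.example.com'     # assumed on-premises AD DS domain
$newSyncServer = 'ENTRACONNECT02$'      # computer account of the new Windows Server 2022 host (trailing $)
$gmsaName      = 'gMSA-EntraSql'        # assumed gMSA used by the sync service to reach the SQL instance
$connectorName = 'svc-ADDSConnector'    # assumed standard user for the AD DS connector (gMSA not supported here)

# 1. A KDS root key must exist once per forest before any gMSA can be created.
#    -EffectiveImmediately is only appropriate in a lab with a single DC; in production
#    omit it so the default 10-hour delay lets every DC replicate the key first.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA and restrict password retrieval to the new sync server only.
#    Limiting PrincipalsAllowedToRetrieveManagedPassword is the least-privilege control here:
#    no other host (including the old 2016 server) can obtain the managed password.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $newSyncServer `
    -KerberosEncryptionType AES128,AES256 `
    -Enabled $true

# 3. Create the standard (non-gMSA) AD DS connector user with a long random password.
#    The installer stores this credential; it is never typed again, so there is no reason
#    for it to be short or memorable.
$chars = (33..126) | ForEach-Object { [char]$_ }
$plain = -join (1..40 | ForEach-Object { $chars | Get-Random })
$pwd   = ConvertTo-SecureString $plain -AsPlainText -Force
New-ADUser -Name $connectorName -SamAccountName $connectorName `
    -UserPrincipalName "$connectorName@$domain" `
    -AccountPassword $pwd -PasswordNeverExpires $true -Enabled $true
Remove-Variable plain   # drop the clear-text copy as soon as the account exists

# 4. Grant the connector user the directory permissions the installer expects.
#    AdSyncConfig ships with Entra Connect; the path below is the assumed default install location.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
Set-ADSyncBasicReadPermissions           -ADConnectorAccountName $connectorName -ADConnectorAccountDomain $domain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $connectorName -ADConnectorAccountDomain $domain
# Only add the next line if the old server synchronises password hashes; grant nothing you do not use.
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountName $connectorName -ADConnectorAccountDomain $domain

# 5. SQL side (for the DBA, assumed instance; run in SSMS, not from this script):
#    CREATE LOGIN [CORP\gMSA-EntraSql$] FROM WINDOWS;
#    ALTER SERVER ROLE [dbcreator] ADD MEMBER [CORP\gMSA-EntraSql$];
#    The answer above grants full access; dbcreator is enough for the installer to create
#    the ADSync database, and the login can be trimmed further after installation.

# 6. On the new sync server itself, after a reboot so its computer ticket reflects the change:
#    Install-ADServiceAccount -Identity 'gMSA-EntraSql'
#    Test-ADServiceAccount    -Identity 'gMSA-EntraSql'   # must return True before running the installer
```

Run step 6 on the new server and confirm `Test-ADServiceAccount` returns `True` before starting the Entra Connect installer in staging mode; if it returns `False`, the host is not listed in `PrincipalsAllowedToRetrieveManagedPassword` or the KDS root key has not yet become effective.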

1 additional answer

  1. Michael Morten Sonne 570 Reputation points MVP
    2024-02-23T09:02:09.91+00:00

    As I am aware, you can't reconfigure an existing Azure AD Connect installation to use a gMSA.

    You need to deploy a new *Azure AD Connect server in staging mode and configure it with the gMSA. During the installation, the service account is synched to Entra ID in order to generate an account used in the Entra ID connector. A lot of stuff is created when the accounts in the installation steps are configured, and I had not seen a list - there is a "Troubleshoot" script, but it is not complete for this.

    Please refer to, e.g., this article (a bit old, but should be the same today also) which has the detailed steps/recommendations for how this can be achieved.

    Also refer to https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-adsync-service-account, which has more information related to the types of service accounts which can be used in which scenarios and how.

    I had never tried this form of change, but that is how I see it :)

    Hope it gives you some inputs and help.

    *Renamed to Microsoft Entra ID Connect Server