
MarcinPaterek-0697 asked

How to use a gMSA account with Task Scheduler and PowerShell to manage DHCP filters

Hello,

I am struggling to keep DHCP filters in sync between multiple DHCP servers, each of which is running on a domain controller. I wrote a simple script to get filters from the master DHCP server and push them to the other DHCP servers:

    # All DHCP servers authorized in Active Directory
    $aDhcpServers = Get-DhcpServerInDC
    New-Variable -Name sDhcpMasterServer -Value "master.server.fqdn" -Option Constant

    # Filter set on the master, to be replicated to every other server
    $aDhcpMacFilters = Get-DhcpServerv4Filter -ComputerName $sDhcpMasterServer

    foreach ($DhcpServer in $aDhcpServers) {

        # Don't overwrite ourself (regex match against the master FQDN)
        if ($DhcpServer.DnsName -notmatch "$sDhcpMasterServer") {
            Invoke-Command -ComputerName $DhcpServer.DnsName -ScriptBlock {
                # Clear remote entries
                Get-DhcpServerv4Filter | Remove-DhcpServerv4Filter

                # Add array of MacFilters to remote filter
                # (MacAddress, List and Description bind by property name)
                $args[0] | Add-DhcpServerv4Filter
            } -ArgumentList (,$aDhcpMacFilters)   # leading comma passes the whole array as one argument
        }
    }


Then I created a gMSA and added it to DHCP Administrators group, also granting Log on as a batch job privilege on domain controllers. The master DHCP server is allowed to retrieve gMSA password. The account is being used in a scheduled task that simply executes the script and (in theory) should push the changes from master DHCP to other DHCP servers.

However, that's not the case. The script is being executed, but no changes are made to DHCP filters on other servers (Task exit code is 0). When the same script is executed with Domain Admin credentials, it works fine. I suspect the problem is with PowerShell Remoting using gMSA credentials, but I can't find any documentation regarding this matter.

Tags: windows-server-powershell, windows-dhcp-dns

MarcinPaterek-0697 answered

Okay, so I finally managed to resolve this issue. The initial script was failing due to the fact that the script executed remotely by Task Scheduler is being run in the NoLanguage mode (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes), which prevents using ScriptBlocks. I ended up defining a new JEA role with a custom cmdlet to run the desired code, and changed my Task Scheduler task to use this cmdlet along with the gMSA account. I believe the whole solution is a little outside of this question's scope, so I won't post the exact code here.

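The answer above describes the shape of the fix but not the code. What follows is an added example, not the asker's solution and not Microsoft's, of how the pieces fit together: a JEA role capability on each replica DHCP server that exposes a single function doing the clear-and-reload from the original script, a RestrictedRemoteServer endpoint that only the gMSA can use, and the master-side script and scheduled task that call it. The module and endpoint name `DhcpFilterSync`, the gMSA `CONTOSO\gmsa-dhcpsync$`, the transcript path and the script path `C:\Scripts\Sync-DhcpFilters.ps1` are assumptions for this example. The master calls the function through implicit remoting (`Import-PSSession`) so that no script block has to be parsed inside the NoLanguage session.

```powershell
# ---- Part 1: run once on each replica DHCP server (the non-master DCs) ----
# Role capability exposing one function; names below are example assumptions.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DhcpFilterSync'
New-Item -Path (Join-Path $moduleDir 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'DhcpFilterSync.psd1')

$roleParams = @{
    Path                = Join-Path $moduleDir 'RoleCapabilities\DhcpFilterSync.psrc'
    ModulesToImport     = 'DhcpServer'
    FunctionDefinitions = @{
        Name        = 'Sync-DhcpServerv4Filter'
        ScriptBlock = {
            param(
                [Parameter(Mandatory)]
                [ValidateNotNullOrEmpty()]
                [object[]]$Filter   # deserialized filter objects: MacAddress, List, Description
            )
            # Replace the local filter set with the one supplied by the master.
            # The DHCP cmdlets are not visible to the caller; only this function is.
            Get-DhcpServerv4Filter | Remove-DhcpServerv4Filter
            $Filter | Add-DhcpServerv4Filter
            # Return the resulting count so the caller can verify the push.
            (Get-DhcpServerv4Filter | Measure-Object).Count
        }
    }
}
New-PSRoleCapabilityFile @roleParams

# Endpoint: NoLanguage, virtual account, transcripts, only the gMSA mapped to the role.
$configPath    = Join-Path $env:TEMP 'DhcpFilterSync.pssc'
$sessionParams = @{
    Path                = $configPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEA\Transcripts'          # assumed path
    RoleDefinitions     = @{ 'CONTOSO\gmsa-dhcpsync$' = @{ RoleCapabilities = 'DhcpFilterSync' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $configPath)) { throw 'Invalid session configuration' }
Register-PSSessionConfiguration -Name 'DhcpFilterSync' -Path $configPath -Force

# ---- Part 2: C:\Scripts\Sync-DhcpFilters.ps1, run on the master by the gMSA task ----
$master  = 'master.server.fqdn'
$filters = @(Get-DhcpServerv4Filter -ComputerName $master)

foreach ($dhcp in Get-DhcpServerInDC) {
    if ($dhcp.DnsName -eq $master) { continue }   # exact match, never overwrite ourselves

    $session = New-PSSession -ComputerName $dhcp.DnsName -ConfigurationName 'DhcpFilterSync'
    try {
        # Proxy function runs in the master's own FullLanguage session and
        # serializes $filters as a parameter; nothing is parsed remotely.
        Import-PSSession -Session $session -CommandName 'Sync-DhcpServerv4Filter' -AllowClobber | Out-Null
        $count = Sync-DhcpServerv4Filter -Filter $filters
        if ($count -ne $filters.Count) {
            Write-Error "$($dhcp.DnsName): expected $($filters.Count) filters, found $count"
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# ---- Part 3: register the task on the master under the gMSA (run once) ----
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Sync-DhcpFilters.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
# LogonType Password lets the OS fetch the gMSA password; no credential is stored in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-dhcpsync$' -LogonType Password
Register-ScheduledTask -TaskName 'Sync-DhcpFilters' -Action $action -Trigger $trigger -Principal $principal
```

Two points a defender would check before deploying this. First, because the replicas are domain controllers, the JEA virtual account runs as a member of Domain Admins there; the only thing limiting the gMSA is that the endpoint exposes nothing except `Sync-DhcpServerv4Filter`, so keep the function narrow and do not add `VisibleCmdlets` to the role. Second, the transcript directory gives a per-run record of who called the endpoint and with what, which is the evidence to review if a replica's filter list ever changes unexpectedly.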

CandyLuo-MSFT answered

Hi,

Based on your situation, as you said, it seems the problem is related to gMSA credentials. Since there is no exact error message, it is hard for us to analyze at the forum support level. If you want to find the root cause, I would suggest you open a case with Microsoft, where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

