I am trying to install the Azure AD provision agent to do AD connect. Everything goes well until the final Confirm step. Within the wizard I receive the error "Failed changing Windows service credentials to gMSA. Please check the logs for more detailed information...."
My logs show an access denied error but I am not sure what needs access. Everything I used is enterprise admin or created by the wizard itself. I have set up KDS root keys. I have verified the account created provagentgMSA is installed with test-adserviceaccount. Not sure what I am missing. Below are the logs of the wizard install.
[17:53:06.231] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfigureActiveDirectoryPageViewModel.TestConnectivityAndGetDomains in Page:"Connect Active Directory"
[17:53:06.232] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:87049
[17:53:19.213] [ 5] [INFO ] ValidateCustomGMSA:: Validating entered service account is gmsa: Sbhsadmin$
[17:53:19.231] [ 5] [INFO ] ValidateCustomGMSA:: entered service account: Sbhsadmin$ does not exist or not a gmsa.
[17:53:30.611] [ 23] [INFO ] ValidateCustomGMSA:: Validating entered service account is gmsa: provagentgMSA$
[17:53:30.634] [ 23] [INFO ] ValidateCustomGMSA:: Successfully validated provagentgMSA$ as gMSA.
[17:53:30.638] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfigureActiveDirectoryPageViewModel.TestConnectivityAndGetDomains in Page:"Connect Active Directory"
[17:53:30.638] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:93095
[17:54:36.554] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfirmPageViewModel.Confirm in Page:"Agent configuration"
[17:54:36.554] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:103475
[17:54:36.568] [ 23] [INFO ] GetDomainController: find a DC in CMHC.US with minimum version WindowsServer2012
[17:54:36.569] [ 23] [INFO ] IsServiceAccountGMSA:: Checking if service account is gmsa
[17:54:36.569] [ 23] [INFO ] Get current service credentials.
[17:54:36.658] [ 23] [INFO ] IsServiceAccountGMSA:: Service account: CMHC.US\provagentgMSA$ is a gmsa.
[17:54:36.658] [ 23] [INFO ] Setting log folder permissions on gmsa.
[17:54:36.670] [ 23] [INFO ] Changing service credentials to account: CMHC.US\provagentgMSA$.
[17:54:36.682] [ 23] [INFO ] Current service account is using gmsa. Skipping changing service credentials.
[17:54:36.682] [ 23] [INFO ] Restarting the agent to refresh new service account to: CMHC.US\provagentgMSA$
[17:54:37.454] [ 23] [ERROR] Exception while changing service credentials to gmsa and restarting service. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied
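Added example, not part of the original post: a short Python sketch that parses the wizard log format shown above and, for each ERROR line, lists the messages logged just before it on the same thread, which identifies the step that was running when the error was raised. The function names are hypothetical, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict, deque

# Line layout seen in the wizard log: [HH:MM:SS.mmm] [ thread] [LEVEL] message
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\]\s+\[\s*(?P<thread>\d+)\]\s+"
    r"\[(?P<level>[A-Z]+)\s*\]\s+(?P<msg>.*)$"
)

def parse(log_text):
    """Yield (time, thread, level, message) for every well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["time"], int(m["thread"]), m["level"], m["msg"]

def steps_before_errors(log_text, context=3):
    """For each ERROR, return the last `context` messages from the same thread."""
    recent = defaultdict(lambda: deque(maxlen=context))  # per-thread history
    findings = []
    for time, thread, level, msg in parse(log_text):
        if level == "ERROR":
            findings.append({
                "time": time, "thread": thread,
                "error": msg,
                "preceding": list(recent[thread]),
            })
        else:
            recent[thread].append(msg)
    return findings

# Sample input: lines copied from the log in the post above.
SAMPLE = r"""
[17:54:36.554] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:103475
[17:54:36.670] [ 23] [INFO ] Changing service credentials to account: CMHC.US\provagentgMSA$.
[17:54:36.682] [ 23] [INFO ] Current service account is using gmsa. Skipping changing service credentials.
[17:54:36.682] [ 23] [INFO ] Restarting the agent to refresh new service account to: CMHC.US\provagentgMSA$
[17:54:37.454] [ 23] [ERROR] Exception while changing service credentials to gmsa and restarting service. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied
"""

if __name__ == "__main__":
    for f in steps_before_errors(SAMPLE):
        print(f"{f['time']} thread {f['thread']}: {f['error']}")
        for step in f["preceding"]:
            print("    after:", step)
```

On the sample lines, the last step on thread 23 before the error is the agent restart, and the step before that records that changing the service credentials was skipped.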