Serenityadmin-3283 asked DanielAinsworth-6754 answered

Azure Active Directory Provision Agent Install failing

I am trying to install the Azure AD provisioning agent to do AD Connect. Everything goes well until the final Confirm step. Within the wizard I receive the error "Failed changing Windows service credentials to gMSA. Please check the logs for more detailed information...."

My logs show an access denied error, but I am not sure what needs access. Everything I used is Enterprise Admin or created by the wizard itself. I have set up KDS root keys. I have verified that the account it created, provagentgMSA, is installed with Test-ADServiceAccount. Not sure what I am missing. Below are the logs of the wizard install.

[17:53:06.231] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfigureActiveDirectoryPageViewModel.TestConnectivityAndGetDomains in Page:"Connect Active Directory"
[17:53:06.232] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:87049
[17:53:19.213] [ 5] [INFO ] ValidateCustomGMSA:: Validating entered service account is gmsa: Sbhsadmin$
[17:53:19.231] [ 5] [INFO ] ValidateCustomGMSA:: entered service account: Sbhsadmin$ does not exist or not a gmsa.
[17:53:30.611] [ 23] [INFO ] ValidateCustomGMSA:: Validating entered service account is gmsa: provagentgMSA$
[17:53:30.634] [ 23] [INFO ] ValidateCustomGMSA:: Successfully validated provagentgMSA$ as gMSA.
[17:53:30.638] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfigureActiveDirectoryPageViewModel.TestConnectivityAndGetDomains in Page:"Connect Active Directory"
[17:53:30.638] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:93095
[17:54:36.554] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.ActiveDirectory.SynchronizationAgent.Setup.UI.WizardPages.ConfirmPageViewModel.Confirm in Page:"Agent configuration"
[17:54:36.554] [ 1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:103475
[17:54:36.568] [ 23] [INFO ] GetDomainController: find a DC in CMHC.US with minimum version WindowsServer2012
[17:54:36.569] [ 23] [INFO ] IsServiceAccountGMSA:: Checking if service account is gmsa
[17:54:36.569] [ 23] [INFO ] Get current service credentials.
[17:54:36.658] [ 23] [INFO ] IsServiceAccountGMSA:: Service account: CMHC.US\provagentgMSA$ is a gmsa.
[17:54:36.658] [ 23] [INFO ] Setting log folder permissions on gmsa.
[17:54:36.670] [ 23] [INFO ] Changing service credentials to account: CMHC.US\provagentgMSA$.
[17:54:36.682] [ 23] [INFO ] Current service account is using gmsa. Skipping changing service credentials.
[17:54:36.682] [ 23] [INFO ] Restarting the agent to refresh new service account to: CMHC.US\provagentgMSA$
[17:54:37.454] [ 23] [ERROR] Exception while changing service credentials to gmsa and restarting service. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied

Tags: azure-active-directory, azure-ad-cloud-provisioning

Have you tried creating a new KDS key? It's possible that the original key is corrupt.


Multiple times. I have created new ones and deleted old ones from AD Sites and Services. I tested the new keys with Test-KdsRootKey and they tested true. Same with Test-ADServiceAccount provagentgMSA. Not sure what's going on.

Background:
This is a new DC. The previous DC has AD Connect installed and configured, but it is a Server 2012 (6.2) version. So it's pre-R2 and doesn't support a lot of 365 integration like SSO and gMSA.

I set up the new Server 2019 to eventually replace the old DC. But I can't get the provisioning agent on the new server. I updated the forest and domain functional levels to 2012 as well.


I messed around a bit more, recreating KDS keys, testing the AD service accounts, and trying custom service accounts. Nothing helped.

I then tried installing the AD Sync agent, the same one that is installed on another DC in my environment.

That failed as well, also with an access denied permissions error on a different MSA account. Not sure what needs to be changed here.

If I go to Services and try to start the provisioning agent service manually, it fails with access denied. The Log On tab is all greyed out and I can't edit it. (I don't want to edit it, since the gMSA account is what is there. Just a note.) I have edited local policy to allow the provagentgMSA account to log on as a service, but it still fails with Access Denied.

Is there a specific setting I can check or change to allow permissions for this account to start this service?

Serenityadmin-3283 answered

Adding the provagentgMSA account to the folder permissions where the service resides was not enough. Neither was adding the account to the local security policy as able to log on as a service. I had to add the gMSA account to the domain Administrators group as well. Once I did that I had to uninstall the agent and start over. It worked after that.

Not sure why that was the specific fix but it is working now.


DanielAinsworth-6754 answered

Hello,

I had an issue like this and wanted to spread the answer around to save others a headache. If you are able to create a gMSA account and it tests out valid and true with Get-KdsRootKey and Test-ADServiceAccount -Identity serviceAccountgMSA$, and the Microsoft Key Distribution Service is running on the DC, but it still doesn't let the gMSA log on to start the service:

Make sure your FOREST functional level (schema level) is at least Server 2012. This is a stealth requirement for gMSA to work, but you can still create the accounts without an error even if it isn't set yet.

Active Directory Domains and Trusts > right-click the app root (not the domain name) > Raise Forest Functional Level

You may or may not need to delete and recreate your GMSA account after this change

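The wizard log in the question shows the gMSA validating cleanly and then the service restart failing with "Access is denied", and the accepted answer points at the forest functional level. The script below is an added diagnostic written for this page, not code from the thread or from the provisioning agent; it walks the gMSA prerequisites that both posts touch on (forest functional level, an effective KDS root key, the host being allowed to retrieve the managed password, Test-ADServiceAccount, the "Log on as a service" right, and the service's configured logon account) and reports every one that fails, so you can see which check the wizard's own error message hides. It assumes the gMSA is named provagentgMSA (taken from the question) and matches the service by a display-name pattern, which is a guess; adjust it to whatever Get-Service shows on your host. Run it elevated on the server where the agent is being installed. As a practitioner caveat on the asker's own fix: a service account that only needs to start a service and read its log folder does not need domain-wide administrative group membership; if the checks below all pass, look at the ACLs of the service binary and log folder and at the service's own security descriptor before widening group membership.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the gMSA prerequisites behind
# "Failed changing Windows service credentials to gMSA".
# Not from the original thread. Assumptions:
#   - the gMSA is provagentgMSA (name taken from the question's log)
#   - the agent service is matched by the display-name pattern below (a guess)
Import-Module ActiveDirectory

function Test-GmsaServicePrerequisites {
    param(
        [Parameter(Mandatory)][string]$GmsaName,
        [string]$ServiceDisplayPattern = '*Provisioning Agent*'   # assumption
    )
    $issues = New-Object System.Collections.Generic.List[string]

    # 1. gMSA needs the FOREST functional level at 2012 or higher;
    #    raising only the domain level is not enough.
    $forest  = Get-ADForest
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest
    if ([int]$forest.ForestMode -lt [int]$minMode) {
        $issues.Add("Forest functional level is $($forest.ForestMode); gMSA needs Windows2012Forest or higher.")
    }

    # 2. A KDS root key must exist and already be effective.
    $keys = @(Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) })
    if ($keys.Count -eq 0) {
        $issues.Add("No effective KDS root key yet (Add-KdsRootKey, then wait for EffectiveTime).")
    } else {
        foreach ($k in $keys) {
            if (-not (Test-KdsRootKey -KeyId $k.KeyId)) {
                $issues.Add("KDS root key $($k.KeyId) fails Test-KdsRootKey.")
            }
        }
    }

    # 3. This computer must be allowed to retrieve the managed password,
    #    either directly or through a group it belongs to.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $me   = Get-ADComputer -Identity $env:COMPUTERNAME
    $allowed = $false
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        if ($dn -eq $me.DistinguishedName) { $allowed = $true; break }
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group' -and
            (Get-ADGroupMember -Identity $dn -Recursive |
                Where-Object { $_.distinguishedName -eq $me.DistinguishedName })) {
            $allowed = $true; break
        }
    }
    if (-not $allowed) {
        $issues.Add("$env:COMPUTERNAME is not in PrincipalsAllowedToRetrieveManagedPassword of $GmsaName.")
    }

    # 4. The host must actually be able to fetch the password (what the wizard relies on).
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        $issues.Add("Test-ADServiceAccount failed for $GmsaName on this host (try Install-ADServiceAccount).")
    }

    # 5. The gMSA must hold 'Log on as a service' (SeServiceLogonRight) on this host.
    #    secedit lists principals by SID (prefixed with *) or by name.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $sid  = $gmsa.SID.Value
    if (-not $line -or
        ($line -notmatch [regex]::Escape($sid) -and $line -notmatch [regex]::Escape("$GmsaName`$"))) {
        $issues.Add("$GmsaName`$ does not hold SeServiceLogonRight (Log on as a service) on this host.")
    }

    # 6. The service should be configured to run as DOMAIN\gMSA$ (trailing $ is required).
    $svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $ServiceDisplayPattern }
    if (-not $svc) {
        $issues.Add("No service matches '$ServiceDisplayPattern'; adjust the pattern (assumption).")
    }
    foreach ($s in $svc) {
        if ($s.StartName -notlike "*\$GmsaName`$") {
            $issues.Add("Service '$($s.Name)' runs as '$($s.StartName)', not as $GmsaName`$.")
        }
    }

    return $issues
}

$result = Test-GmsaServicePrerequisites -GmsaName 'provagentgMSA'
if ($result.Count -eq 0) { 'All gMSA prerequisites look satisfied.' } else { $result }
```

Check 1 is the one the accepted answer describes; the others are the conditions the question's log already shows passing (IsServiceAccountGMSA succeeded, so checks 3 and 4 were fine there) or never reports on at all (checks 5 and 6, which are where a service-restart "Access is denied" usually comes from). Checks 5 and 6 read local state only, so they also work on a member server that is not a DC.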