10824625 asked

SCOM 2019 integrated UR3 install media? gMSA Problem in SCOM 2019 setup wizard

Hello!

I have SCOM 2019 UR3 running in our environment. The service accounts are implemented as Group Managed Service Accounts. Now I need to install the Report Server. In the setup wizard it asks for the service accounts. When I enter the gMSA accounts (no password), I cannot continue the installation because no password was entered. Clearly the setup wizard can't handle gMSA account credentials; no wonder, since the first version (before UR1) was not capable of it either.

Is there an installation ISO or archive for SCOM 2019 available with integrated UR1, UR2 or UR3? Was this issue in the setup wizard fixed there? Where can I download it?

Cheers
Jens

msc-operations-manager

10824625 answered

Hello all!

I found a solution to this problem that might also work for you guys. I tried an idea: extracting the AD-managed passwords and installing the new management server, treating the gMSA accounts like simple domain accounts. It was successful.

This means even with the installer that doesn’t contain update rollups to handle gMSA accounts for installation, a management server can still be added to the management group using gMSA accounts.

I remembered an article that demonstrated how to retrieve a gMSA's clear text password: https://adsecurity.org/?p=4367

Based on this I scripted the installation with PowerShell (it uses the DSInternals PowerShell module). I know it's not the most elegant script, but it worked.

 Import-Module ActiveDirectory
 Import-Module DSInternals   # provides ConvertFrom-ADManagedPasswordBlob

 # Read each gMSA's msDS-ManagedPassword blob and decode its current password.
 # This only returns the blob when the caller is in the gMSA's PrincipalsAllowedToRetrieveManagedPassword.
 $gmsa_AA = Get-ADServiceAccount -Identity 'gmsa_scom_aa$' -Properties 'msDS-ManagedPassword'
 $cp_AA   = ConvertFrom-ADManagedPasswordBlob $gmsa_AA.'msDS-ManagedPassword'

 $gmsa_DAS = Get-ADServiceAccount -Identity 'gmsa_scom_das$' -Properties 'msDS-ManagedPassword'
 $cp_DAS   = ConvertFrom-ADManagedPasswordBlob $gmsa_DAS.'msDS-ManagedPassword'

 $gmsa_DWW = Get-ADServiceAccount -Identity 'gmsa_scom_dww$' -Properties 'msDS-ManagedPassword'
 $cp_DWW   = ConvertFrom-ADManagedPasswordBlob $gmsa_DWW.'msDS-ManagedPassword'

 $gmsa_DWR = Get-ADServiceAccount -Identity 'gmsa_scom_dwr$' -Properties 'msDS-ManagedPassword'
 $cp_DWR   = ConvertFrom-ADManagedPasswordBlob $gmsa_DWR.'msDS-ManagedPassword'

 # Build the silent-install command line; Start-Process joins the array elements with spaces.
 # Note that gMSA passwords are random UTF-16 strings and may contain characters the command line mangles.
 $arglist = @(
     '/install', '/silent', '/components:OMServer,OMReporting',
     '/SqlServerInstance:SQLSRV-SCOM\SCOM', '/SqlInstancePort:1433', '/DatabaseName:OperationsManager',
     '/DWSqlServerInstance:SQLSRV-SCOM\SCOM', '/DWSqlInstancePort:1433', '/DWDatabaseName:OperationsManagerDW',
     '/ActionAccountUser:DOMAIN\gmsa_scom_aa$', "/ActionAccountPassword:$($cp_AA.CurrentPassword)",
     '/DASAccountUser:DOMAIN\gmsa_scom_das$',   "/DASAccountPassword:$($cp_DAS.CurrentPassword)",
     '/DatareaderUser:DOMAIN\gmsa_scom_dwr$',   "/DatareaderPassword:$($cp_DWR.CurrentPassword)",
     '/DataWriterUser:DOMAIN\gmsa_scom_dww$',   "/DataWriterPassword:$($cp_DWW.CurrentPassword)",
     '/AcceptEndUserLicenseAgreement:1', '/SRSInstance:SCOMSRV-REP\MSSQLSERVER',
     '/SendODRReports:0', '/EnableErrorReporting:Never', '/SendCEIPReports:0', '/UseMicrosoftUpdate:1'
 )
 Start-Process -FilePath "$env:SystemDrive\SCOM2019\setup.exe" -ArgumentList $arglist -Wait


With this script the installation went through and after it finished, I immediately installed UR3 and the new management server is running well and smoothly.


!!! In order to access the gMSA's password, the user used to carry out the installation needs to be a member of the group that is, in my case, the gMSA's "PrincipalsAllowedToRetrieveManagedPassword" group. !!!

Also, keep in mind that gMSA accounts have a limited password age and the password will be changed automatically. Hence, you might want to check how much time you have left until expiry. If the password changes during the install process or before you install UR3, that might mess up quite a few things.

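As an added example (not from the original post), a preflight check for the two caveats in the answer above: whether the account running the install is covered by each gMSA's PrincipalsAllowedToRetrieveManagedPassword, and how long the current managed password will stay unchanged. It assumes the ActiveDirectory and DSInternals modules are installed, reuses the post's gMSA names as placeholders, and assumes DSInternals' UnchangedPasswordInterval field is the time left until the next rotation.

```powershell
# Added preflight check, not part of the original post. Assumes the ActiveDirectory and
# DSInternals modules; the gMSA names passed at the bottom are placeholders from the post.
Import-Module ActiveDirectory
Import-Module DSInternals

function Test-GmsaInstallReadiness {
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        # Refuse to call a gMSA "ready" if its password rotates within this window
        [timespan]$MinimumRemaining = (New-TimeSpan -Hours 2)
    )
    # SIDs of the current user and all groups in its token (nested groups included)
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($name in $Identity) {
        $acct = Get-ADServiceAccount -Identity $name -Properties `
            'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-ManagedPassword', 'msDS-ManagedPasswordInterval'

        # PrincipalsAllowedToRetrieveManagedPassword holds distinguished names; resolve each to a SID
        $allowed = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
            (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
        }
        $canRetrieve = @($mySids | Where-Object { $allowed -contains $_ }).Count -gt 0

        # AD only returns the blob to an allowed principal; we read the interval, not the password
        $remaining = $null
        if ($canRetrieve -and $null -ne $acct.'msDS-ManagedPassword') {
            $blob      = ConvertFrom-ADManagedPasswordBlob $acct.'msDS-ManagedPassword'
            $remaining = $blob.UnchangedPasswordInterval   # DSInternals: time until next rotation (assumed)
        }

        [pscustomobject]@{
            Account      = $acct.SamAccountName
            CanRetrieve  = $canRetrieve
            IntervalDays = $acct.'msDS-ManagedPasswordInterval'
            Remaining    = $remaining
            Ready        = $canRetrieve -and ($null -ne $remaining) -and ($remaining -gt $MinimumRemaining)
        }
    }
}

# Placeholder gMSA names taken from the post above
Test-GmsaInstallReadiness -Identity 'gmsa_scom_aa$', 'gmsa_scom_das$', 'gmsa_scom_dwr$', 'gmsa_scom_dww$' |
    Format-Table -AutoSize
```

Run this in the same session that will run setup.exe, since CanRetrieve is computed from that session's token; a group membership granted after logon is not reflected until you log on again.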

10824625 answered

(image attachment: 116787-using-gmsa-for-scom-installation.png)




CyrAz answered

You can't use gMSAs straight from the installer, you have to first run installation with regular accounts, update to latest UR and then follow the "migrate to gMSAs" procedure. Yes, that's a shame.


Well, that's exactly the issue here. How do I then add management or report servers to my SCOM management group after I migrated service accounts to gMSA without rolling the gMSA implementation for the whole SCOM management group back to service accounts?

It should somehow be possible to have a UR1+ integrated installer, right?


That's indeed exactly the issue here, and the answer is a shameful one: you need to keep regular service accounts somewhere for these scenarios where you add servers to the deployment.
Yes, it should... but that's not the case at the moment.
You can always upvote this Uservoice suggestion: https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback/suggestions/43609641-update-the-scom-installer-to-incorporate-group-man , but I doubt it will make much of a difference :/


Done. Gave it 3 votes and left a comment. I also wrote an email to Kevin Holman. Maybe he knows a workaround. Meanwhile I have an idea that I want to try. If successful, I'll share. In the end the problem is that we don't enter the shared password for the gMSA account. What if we actually did? Would it work? Trying that out soon.
