Using a gMSA account is not such a great idea.
You will lose the ability to provision HV clusters from the VMM console. Why? Well, even from the trace you are not sure what context was used to provision the cluster.
You can't use the gMSA account for authentication towards the Hyper-V servers or other services. It is a great idea but still not implemented correctly.
Even in Rollup update 1 it is not working. Good luck reinstalling VMM servers over and over again just for a single password protection. MS did a great job introducing the gMSA account a few years ago, and apart from the ADFS implementation it is not commonly used in their products.
The error message:
The cluster operation failed before cluster creation. cleaning up cluster in DB (catch CarmineException) [[(CarmineException#[1b5]) { Microsoft.VirtualManager.Utils.CarmineException: Failed to create the process to execute the task. Error: A required privilege is not held by the client Check if the user has permission on the VMM server and retry the operation.
Using the same VMM server/database and configuration without the gMSA account (re-installing VMM with the same db) fixed the problem.
The gMSA account and the Access account have the same privilege access on the HV servers.
BrandonWilson - Great article on creating the gMSA account, but with some imperfections. First, the computer accounts need to be added with $.
The Kerberos encryption is a great option, but without any additional explanation it doesn't make any sense. Why do we need to change the encryption level? What is the current one?
Oh, and by the way: you will still need a separate account with permissions to your hosts, so good luck explaining the difference between the gMSA and a regular "service" account to IT security.