Forum Discussion

CheesePizza
Copper Contributor
Jan 02, 2026

Issue with gMSA when installing Cloud Sync

We are trying to install Cloud Sync to make use of the group writeback. However, we get the same error message every time we try to complete the installation


Error output (domain name replaced with xxx):

[  8] [INFO ] GrantAllActiveDirectoryPermissions: Granting password writeback permissions on domain xxx for password writeback.
Granting write permissions for 'user' attribute of (lockoutTime, pwdLastSet) object type on domain xxx for password writeback.

[  8] [ERROR] An exception occured while configuring permissions on gmsa. Exception System.ArgumentException: The specified name is not a forest, Active Directory domain controller, ADAM instance, or ADAM configuration set.
Parameter name: context
   at System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass.FindByName(DirectoryContext context, String ldapDisplayName)
   at Microsoft.Online.DirSync.Common.DomainAccountUtility.GetSchemaGuid(Dictionary`2 schemaGuids, Forest forest, String ldapDisplayName, Boolean isProperty)
   at Microsoft.Online.Deployment.Framework.ActiveDirectory.ActiveDirectoryPermissionsHelper.GrantDesiredPermissionsToDomain(String domainFQDN, NetworkCredential domainAdminCredential, SecurityIdentifier sid, IDictionary`2 objectClassToAttributeMapping, ActiveDirectoryRights accessType, Boolean applyToAdminSDHolder)
   at Microsoft.Online.Deployment.Framework.ActiveDirectory.ActiveDirectoryPermissionsHelper.GrantPasswordWritebackPermissionsToDomain(String domainFQDN, NetworkCredential domainAdminCredential, SecurityIdentifier sid)
   at Microsoft.Online.Deployment.Framework.ActiveDirectory.ActiveDirectoryPermissionsHelper.GrantAllActiveDirectoryPermissions(String domainFQDN, NetworkCredential domainAdminCredential, String syncAccountName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.ServiceAccountUtility.ApplyPermissionsToGMSA(WizardActiveDirectoryCredentials directoryCredentials)


We have already tried:

  • creating a new sync server from scratch
  • testing the service account with Test-ADServiceAccount
  • checking the encryption settings of the gMSA (the account is being created in AD)
  • removing an old orphaned GC
  • using a custom gMSA (same error)
  • giving the server access to the gMSA via Set-ADServiceAccount

Did anyone else ever have this problem, or know how to fix it?

1 Reply

  • The error encountered during Cloud Sync installation involving the group managed service account (gMSA) is a recognized issue. It generally arises when the provisioning agent is unable to properly configure the required permissions on the gMSA. According to Microsoft’s official guidance, resolution involves verifying that all prerequisites for Entra Cloud Sync group writeback are met, ensuring the gMSA is created within the appropriate domain, and confirming that the synchronization server has the necessary rights to utilize the gMSA.


    Group writeback with Microsoft Entra Cloud Sync - Microsoft Entra ID | Microsoft Learn
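As an added diagnostic that is not part of the question, the reply, or Microsoft's installer: a PowerShell script that checks the three prerequisites the reply names (gMSA in the right domain, the sync server allowed to use it, the server able to retrieve its password) and, first, reproduces the exact call that failed in the stack trace, the schema lookup of the 'user' class and the lockoutTime/pwdLastSet attributes through a Forest-typed DirectoryContext. The domain name corp.example.com, the gMSA name provAgentgMSA$, and the assumption that it runs in Windows PowerShell 5.1 on the intended sync server with the RSAT ActiveDirectory module are hypothetical.

```powershell
# Added diagnostic; not from the post or from Microsoft's Cloud Sync installer.
# Hypothetical values: domain 'corp.example.com', gMSA 'provAgentgMSA$'.
# Run on the intended sync server as an account that can read the domain and the gMSA object.
param(
    [string]$DomainFqdn = 'corp.example.com',
    [string]$GmsaSamAccountName = 'provAgentgMSA$'
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]

# 1. Resolve the domain and its forest root. GetSchemaGuid in the stack trace works from a Forest
#    object, so the forest root name (not just the domain name) must resolve from this server.
$domainCtx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new($ctxType::Domain, $DomainFqdn)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($domainCtx)
$forest = $domain.Forest
"Domain {0} -> forest root {1} (PDC {2})" -f $domain.Name, $forest.Name, $domain.PdcRoleOwner.Name

# 2. Reproduce the call that threw: ActiveDirectorySchemaClass.FindByName(context, 'user') through a
#    Forest-typed context, plus the two attributes the installer log names (lockoutTime, pwdLastSet).
$forestCtx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new($ctxType::Forest, $forest.Name)
$schemaGuids = @{}   # schemaIDGUID -> friendly name, reused in step 4 to decode ACEs
try {
    $userClass = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($forestCtx, 'user')
    $schemaGuids[$userClass.SchemaGuid] = 'user (class)'
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        $prop = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaProperty]::FindByName($forestCtx, $attr)
        $schemaGuids[$prop.SchemaGuid] = $attr
    }
    "Schema lookups via forest '{0}' succeeded:" -f $forest.Name
    $schemaGuids.GetEnumerator() | ForEach-Object { "  {0}  {1}" -f $_.Key, $_.Value }
} catch {
    Write-Warning ("Schema lookup failed for forest '{0}': {1}" -f $forest.Name, $_.Exception.Message)
    Write-Warning "Same call as the installer's GetSchemaGuid. Check that the forest root DNS name resolves from this server and that a DC of the forest root domain answers on LDAP (389) / GC (3268)."
}

# 3. The gMSA itself: it must live in this domain, this host must be listed as allowed to retrieve
#    its password, and the host must actually be able to fetch it (Test-ADServiceAccount).
$gmsa = Get-ADServiceAccount -Identity $GmsaSamAccountName -Server $DomainFqdn `
            -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-SupportedEncryptionTypes'
"gMSA {0} at {1}" -f $gmsa.SamAccountName, $gmsa.DistinguishedName
"  allowed to retrieve password: {0}" -f ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
"  msDS-SupportedEncryptionTypes: {0}" -f $gmsa.'msDS-SupportedEncryptionTypes'
"  Test-ADServiceAccount on this host: {0}" -f (Test-ADServiceAccount -Identity $GmsaSamAccountName)

# 4. What a successful run would have written: ACEs for the gMSA's SID on the domain head. An ACE whose
#    ObjectType is one of the GUIDs from step 2 is the writeback permission on lockoutTime/pwdLastSet.
$domainDn = (Get-ADDomain -Server $DomainFqdn).DistinguishedName
$gmsaAccount = $gmsa.SID.Translate([System.Security.Principal.NTAccount]).Value
$aces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object { $_.IdentityReference.Value -eq $gmsaAccount }
if (-not $aces) {
    "No ACEs for {0} on {1}: the installer did not reach, or failed, the permission grant." -f $gmsaAccount, $domainDn
} else {
    foreach ($ace in $aces) {
        $target = if ($schemaGuids.ContainsKey($ace.ObjectType)) { $schemaGuids[$ace.ObjectType] } else { $ace.ObjectType }
        "  {0,-6} {1,-30} on {2}" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $target
    }
}
```

Reading the stack trace, the exception is raised inside GetSchemaGuid, which runs before GrantDesiredPermissionsToDomain writes any ACE. So if step 2 throws the same ArgumentException, the installer is failing to resolve the forest root as a forest from this server, and none of the gMSA-side checks in the question's list would change that; if step 2 succeeds, the remaining output narrows it to the gMSA object, the server's retrieval rights, or a grant that was never written.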
