Forum Discussion

19873306
Copper Contributor
Sep 14, 2020

ATP and group managed service account not working on RODC

We have ATP sensors set up on our domain controllers. A group managed service account (gMSA) is being used. There are a few read-only domain controllers that can't seem to read the password, even though the servers are in the group that can read the gMSA user password. The gMSA account is set with permissions for 'log on as a service'. Any suggestions on what to look for?


Errors from the sensor log:

2020-09-14 22:02:11.7896 Debug DirectoryServicesClient SetState Creating
2020-09-14 22:02:11.8346 Info ImpersonationManager CreateImpersonatorAsync started [UserName=<MSA-ACCOUNT> IsGroupManagedServiceAccount=True]
2020-09-14 22:02:11.8846 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=<MSA-ACCOUNT> IsSuccess=False]
2020-09-14 22:02:11.8846 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=servername.domain.corp Domain=domain.corp UserName=<MSA-ACCOUUNT> ]
2020-09-14 22:02:12.0846 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<serverwhereATPfailing.domain.corp]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-09-14 22:02:12.0946 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
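The question above comes down to three things the sensor needs on the RODC before `CreateImpersonatorAsync` can succeed: the computer must be on the gMSA's retrieval allow list (directly or through a group), the computer's own Kerberos ticket must already carry that group membership, and the gMSA must hold the 'Log on as a service' right. The following PowerShell check script is an added example written for this thread; it is not code from the original post, from Microsoft, or from the sensor. It assumes the RSAT ActiveDirectory module is installed on the RODC where it is run, and `MSA-ACCOUNT` is a placeholder standing in for the redacted gMSA name in the log.

```powershell
# Added example (not from the original post or from Microsoft): check the gMSA
# retrieval path the sensor log complains about. Run in an elevated PowerShell
# on the RODC where the sensor fails to start.
# Assumptions: RSAT ActiveDirectory module present; $GmsaName is a placeholder.
Import-Module ActiveDirectory

$GmsaName = 'MSA-ACCOUNT'      # placeholder for the <MSA-ACCOUNT> shown in the sensor log
$Me       = $env:COMPUTERNAME

# 1. Who is allowed to retrieve the managed password, and is this computer
#    covered, either directly or through one of the listed groups?
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$thisComputer = Get-ADComputer -Identity $Me

"Principals allowed to retrieve the password for ${GmsaName}:"
$covered = $false
foreach ($dn in $allowed) {
    $obj = Get-ADObject -Identity $dn
    "  {0} ({1})" -f $obj.Name, $obj.ObjectClass
    if ($obj.ObjectClass -eq 'computer' -and $obj.DistinguishedName -eq $thisComputer.DistinguishedName) {
        $covered = $true
    }
    if ($obj.ObjectClass -eq 'group') {
        # -Recursive expands nested groups so indirect membership counts too
        $members = @(Get-ADGroupMember -Identity $dn -Recursive)
        if ($members.DistinguishedName -contains $thisComputer.DistinguishedName) {
            $covered = $true
        }
    }
}
"$Me is covered by the retrieval allow list: $covered"

# 2. Being added to the group is not enough on its own: the computer account's
#    Kerberos ticket must carry the group SID, which only happens after a reboot
#    (or after purging the SYSTEM logon session's tickets with: klist -li 0x3e7 purge).
"If $Me was added to the group recently, reboot it before trusting the next test."

# 3. The definitive test: can the local computer account actually retrieve the
#    password right now? This is what the sensor's ImpersonationManager needs.
$canRetrieve = Test-ADServiceAccount -Identity $GmsaName
"Test-ADServiceAccount for $GmsaName on ${Me}: $canRetrieve"

# 4. Does the effective 'Log on as a service' right (SeServiceLogonRight) include
#    the gMSA's SID? Export the local security policy and compare.
$cfg = Join-Path $env:TEMP 'secpol-check.cfg'
secedit /export /cfg $cfg | Out-Null
$line = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg -Force
$gmsaSid = $gmsa.SID.Value
"gMSA SID:            $gmsaSid"
"SeServiceLogonRight: $line"
"gMSA holds 'Log on as a service': " + ($line -match [regex]::Escape($gmsaSid))
```

If step 1 reports the computer as covered but step 3 still returns `False`, the stale-ticket case in step 2 is the usual cause; if step 3 returns `True` and the sensor still logs `IsSuccess=False`, the problem is past password retrieval and the 'Log on as a service' result from step 4 is the next thing to look at.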


15 Replies

  • starman2heven
    Brass Contributor
    I have a similar issue. I have already opened a case, but after 24 hours there is still no reply from Microsoft support.
    • 19873306
      Copper Contributor

      EliOfek Server 2019. I saw the patch for 2012, but it doesn't apply here.

      • pugazhendhi
        Brass Contributor
        Is there any patch that needs to be installed before starting the ATP installation?

        In my case, we tried to install ATP after installing the OS and promoting the server to an RODC, but the service would not start. After installing all the latest patches, it started automatically. No other change was made.
