Forum Discussion
MDI GMSA Forest/Multi Domain
- Feb 16, 2022
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts
Specifically starting this anchor:
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts#how-to-create-a-gmsa-account-for-use-with-defender-for-identity
- CHRIS_chipotle Feb 16, 2022
Copper Contributor
Yesterday, I added Domain Controllers from Child Domain to Forest Root Universal Group. Kerberos tickets have been updated.
Installed MDI Sensor, error that the Password Cannot be Retrieved from Forest Root GMSA.
All steps from URL's above have been followed.
With GMSA being Domain centric, there is no way to test the GMSA and Child Domain Controllers.
Logon As a Service will not work due to GMSA being in a different domain.
I am looking for anyone who has got a GMSA to work in a multi-domain environment and how they were able to successfully test it.
- EliOfek Feb 16, 2022
Microsoft
CHRIS_chipotle This document I referred to was written after testing; we verified it can work.
We also have some customers who use it.
Martin_Schvartzman Any idea why it won't work for him?
- Martin_Schvartzman Feb 16, 2022
Microsoft
The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Intro).
Having said that, we've managed to get it to work with a domain trust but not in a root-child scenario.
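As an added check for the root-child scenario discussed in this thread (example script, not from the thread or from the MDI documentation): run on a child-domain DC with the RSAT ActiveDirectory module, it reads the root-domain gMSA, verifies that this DC is covered by PrincipalsAllowedToRetrieveManagedPassword, and then attempts the retrieval test. The gMSA name `mdiSvc01` and the root domain `root.contoso.local` are assumed placeholders.

```powershell
# Added example: verify that this child-domain DC may retrieve a forest-root gMSA password.
# Placeholders (assumptions): gMSA sAMAccountName without the trailing '$', and the root domain FQDN.
$GmsaName   = 'mdiSvc01'
$RootDomain = 'root.contoso.local'

Import-Module ActiveDirectory

# 1. Read the gMSA from the root domain and list who is allowed to retrieve its password.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Server $RootDomain `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host "Allowed principals for $GmsaName in $RootDomain :"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host "  $_" }

# 2. Check whether this computer (by SID, not by name) is a direct or nested member
#    of one of those principals. Cross-domain members are matched on SID because the
#    root-domain group holds them as references into the child domain.
$me = Get-ADComputer -Identity $env:COMPUTERNAME
$authorized = $false
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Server $RootDomain -Properties objectClass, objectSid
    if ($obj.objectClass -eq 'group') {
        $members = Get-ADGroupMember -Identity $dn -Server $RootDomain -Recursive
        if (@($members | ForEach-Object { $_.SID.Value }) -contains $me.SID.Value) {
            $authorized = $true
        }
    } elseif ($obj.objectSid.Value -eq $me.SID.Value) {
        $authorized = $true
    }
}
Write-Host "This DC ($($me.SID.Value)) authorized via allowed principals: $authorized"

# 3. Group membership only takes effect once it is in the machine's Kerberos token;
#    a DC added to the universal group after its last logon keeps the old ticket
#    until the system tickets are purged (klist -li 0x3e7 purge) or it reboots.
#    Test-ADServiceAccount then performs the actual password-retrieval test.
#    Assumption: the gMSA is referenced by distinguished name so the lookup
#    is not limited to the local (child) domain.
try {
    $ok = Test-ADServiceAccount -Identity $gmsa.DistinguishedName
    Write-Host "Test-ADServiceAccount result: $ok"
} catch {
    Write-Host "Test-ADServiceAccount failed: $($_.Exception.Message)"
}
```

If step 2 reports authorized but step 3 fails, the mismatch points at stale Kerberos tickets on the DC rather than at the gMSA's permissions.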