Forum Discussion

Copper Contributor

Feb 15, 2022

Solved

MDI GMSA Forest/Multi Domain

Trying to get a GMSA to work in Child Domain. I have it setup, working, with sensor Running in the Forest Root. I followed the advise to create a Universal Group and add Domain Controllers in Fores...

Martin_Schvartzman
Feb 16, 2022
EliOfek CHRIS_chipotle

The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Intro)

Having said that, we've accomplished to get it to work with a domain trust but not in a root-child scenario.

EliOfek

Microsoft

Feb 15, 2022

Did you go over this page already ?
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts

Specifically starting this anchor:
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts#how-to-create-a-gmsa-account-for-use-with-defender-for-identity

CHRIS_chipotle

Copper Contributor

Feb 16, 2022

Yesterday, I added Domain Controllers from Child Domain to Forest Root Universal Group. Kerberos tickets have been updated.
Installed MDI Sensor, error that the Password Cannot be Retrieved from Forest Root GMSA.
All steps from URL's above have been followed.
With GMSA being Domain centric, there is no way to test the GMSA and Child Domain Controllers.
Logon As a Service will not work due to GMSA being in a different domain.

I am looking for anyone who has got a GMSA to work in a multi-domain environment and how they were able to successfully test it.

EliOfek
Microsoft
Feb 16, 2022
CHRIS_chipotle This document I referred to was written after testing, we verified it can work.

We also have some customers who use it.

Martin_Schvartzman Any idea why it won't work for him?
- Martin_Schvartzman
  Microsoft
  Feb 16, 2022
  EliOfek CHRIS_chipotle
  
  The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Intro)
  
  Having said that, we've accomplished to get it to work with a domain trust but not in a root-child scenario.
  - CHRIS_chipotle
    Copper Contributor
    Feb 17, 2022
    Martin_Schvartzman
    Thanks for that answer Martin.
    I talked to a MS MDI Engineer yesterday and we talked about how the sensor will check all the credentials in the portal until it finds a valid set.
    What I am seeing in the logs is expected behavior for the failed passwords in the various domains I have setup for MDI (there are 6 currently).
    I was hoping the Forest GSMA would help with that, but it seems likes its more work than I need currently.