Forum Discussion
MDI GMSA Forest/Multi Domain
- Feb 16, 2022
CHRIS_chipotle, this document I referred to was written after testing; we verified it can work.
We also have some customers who use it.
Martin_Schvartzman Any idea why it won't work for him?
The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Intro).
Having said that, we've managed to get it to work with a domain trust but not in a root-child scenario.
- CHRIS_chipotle, Feb 17, 2022, Copper Contributor
Thanks for that answer Martin.
I talked to an MS MDI engineer yesterday and we talked about how the sensor will check all the credentials in the portal until it finds a valid set.
What I am seeing in the logs is expected behavior for the failed passwords in the various domains I have set up for MDI (there are 6 currently).
I was hoping the forest gMSA would help with that, but it seems like it's more work than I need currently.