Forum Discussion
Using gMSA with ATP results in many 2947 events
I'm in a similar situation and am really confused regarding gMSA implementation in a multi-forest environment, particularly in the case of one-way trusts. To me it appears a single gMSA can only be used in the case of multiple domains/forests using two-way trusts, and one can only use multiple gMSAs in the case of multiple domains/forests with NO trusts.
My current setup (each is a different forest):
Domain             gMSA          Trust (all one-way forest trusts)
DomainA.com        MDI-SVC-A     apps.domainb.com --> DomainA.com
DomainB.com        MDI-SVC-B     apps.domainb.com --> DomainB.com
                                 DomainB.com --> DomainA.com
apps.DomainB.com   MDIAPPS-SVC   DomainA.com --> apps.domainb.com <-- DomainB.com
- There's a local security group in apps.domainb.com that contains the domain controller groups for all three domains/forests, and this is assigned to the MDIAPPS-SVC gMSA, and every gMSA has been granted "Log on as a service" in its respective domain
- All sensors start on all DCs in all domains without error and the portal shows no health issues
- apps.domainb.com is filled with 2947 errors stating it can't access the password of the MDI-SVC-A and MDI-SVC-B gMSAs
- domainA.com and domainB.com don't have 2947 errors, but the security log is filled with 4625 errors with logon type 5 (service) for failed logons of the MDIAPPS-SVC account with error code 0xC000018B.
Honestly, I don't see how this can work as long as the trusting gMSA requires "Log on as a service" in the trusted domain, as there's simply no way to add it.
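The three symptoms in the post above (a gMSA whose password the sensor host cannot retrieve, the "Log on as a service" right, and the 4625 / 0xC000018B logon failures) can each be checked from an elevated PowerShell session on the affected domain controller. The script below is an added diagnostic example, not code from this thread or from the MDI product. It assumes the ActiveDirectory module is installed on the DC, uses the gMSA and domain names from the post, and, because the thread does not say which log event 2947 is written to, searches the Application, System and Security logs for it; the one-day time window is likewise an assumption.

```powershell
# Added diagnostic example, not from the thread. Assumptions: elevated session
# on a DC with the ActiveDirectory module; gMSA/domain names from the post;
# the log carrying event 2947 is unknown, so three logs are searched.
Import-Module ActiveDirectory

$gmsas = @(
    @{ Name = 'MDI-SVC-A';   Domain = 'domaina.com' },
    @{ Name = 'MDI-SVC-B';   Domain = 'domainb.com' },
    @{ Name = 'MDIAPPS-SVC'; Domain = 'apps.domainb.com' }
)

# 1. For each gMSA: who is allowed to retrieve its password, and can THIS
#    computer actually do so? Test-ADServiceAccount returns $true only if the
#    local machine can obtain the managed password from a KDS-capable DC.
Write-Host "== gMSA password retrieval from $env:COMPUTERNAME =="
foreach ($g in $gmsas) {
    try {
        $acct = Get-ADServiceAccount -Identity $g.Name -Server $g.Domain `
                    -Properties PrincipalsAllowedToRetrieveManagedPassword
        $allowed = ($acct.PrincipalsAllowedToRetrieveManagedPassword |
                    ForEach-Object { $_.ToString() }) -join '; '
        $ok = Test-ADServiceAccount -Identity $g.Name -Server $g.Domain
    } catch {
        $allowed = "lookup failed: $($_.Exception.Message)"
        $ok = $false
    }
    [pscustomobject]@{
        gMSA        = "$($g.Domain)\$($g.Name)"
        CanRetrieve = $ok
        AllowedTo   = $allowed
    }
} | Format-Table -AutoSize -Wrap

# 2. Who holds "Log on as a service" (SeServiceLogonRight) in this host's local
#    security database. secedit writes SIDs prefixed with '*'; resolve them.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
Write-Host "== SeServiceLogonRight holders =="
if ($line) {
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # unresolvable (e.g. foreign-forest) SIDs stay raw
    }
}

# 3. Security 4625 events: service logons (LogonType 5) that failed with
#    0xC000018B, which is STATUS_NO_TRUST_SAM_ACCOUNT.
$since = (Get-Date).AddDays(-1)
function Get-EventField($evt, $name) {
    ([xml]$evt.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $name } | ForEach-Object { $_.'#text' }
}
Write-Host "== 4625 / LogonType 5 / 0xC000018B since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$(Get-EventField $_ 'TargetDomainName')\$(Get-EventField $_ 'TargetUserName')"
            LogonType = Get-EventField $_ 'LogonType'
            Status    = Get-EventField $_ 'Status'
            SubStatus = Get-EventField $_ 'SubStatus'
        }
    } |
    Where-Object { $_.LogonType -eq '5' -and
                   ($_.Status -eq '0xc000018b' -or $_.SubStatus -eq '0xc000018b') } |
    Group-Object Account | Select-Object Count, Name | Format-Table -AutoSize

# 4. Event 2947 occurrences (log name assumed; adjust if it lives elsewhere).
Write-Host "== Event 2947 since $since =="
Get-WinEvent -FilterHashtable @{ LogName = @('Application', 'System', 'Security')
                                 Id = 2947; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Message | Format-Table -AutoSize -Wrap
```

Run it on a DC in each forest and compare the three outputs: a gMSA that reports CanRetrieve = False on a given DC is the one that DC will log retrieval errors for, and the 4625 summary shows which account the failed service logons are attributed to, which is the pairing the post describes (MDIAPPS-SVC failing in DomainA.com and DomainB.com, the other two failing in apps.domainb.com).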
jroth710 StuartSquibb AndrePKI EliOfek
We are working on several improvements around credential usage by the sensor in multi-forest environments and in general, but it'll take a few weeks to be released.
You can follow the what's new page for updates, but I'll make sure to update this thread as well.