Blog Post

Azure Database Support Blog
1 MIN READ

Windows Authentication for SQL Managed Instance - LsaCreateTrustedDomainEx 0x549

rmaia8
Jan 17, 2023

Windows Authentication for SQL Managed Instance was released in August 2022.

Windows Authentication for Azure AD principals for SQL Managed Instance is now Generally Available - Microsoft Community Hub


One of the two options available for setting this up is the "incoming trust-based authentication flow".

How to set up Windows Authentication for Azure Active Directory with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn


When running the Set-AzureAdKerberosServer command to add the Trusted Domain Object (TDO), you may get the error message below.


Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName `
   -SetupCloudTrust


Error message:

Set-AzureADKerberosServer : LsaCreateTrustedDomainEx 0x549


This can happen when the command is run on a child domain in a multi-domain forest.


The solution is to run this command on the root domain. On each child domain, run the same command without the -SetupCloudTrust parameter.


In summary, this is the procedure to create the TDO in a multi-domain forest:

  • ROOT domain (include the -SetupCloudTrust parameter)


Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName `
   -SetupCloudTrust


  • CHILD domain (do not include the -SetupCloudTrust parameter)


Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName
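As an added example (not from the original post or from Microsoft), the helper below picks the right form of the command automatically by checking whether the target domain is the forest root, and explains the 0x549 error if it still occurs. It assumes the ActiveDirectory and AzureADHybridAuthenticationManagement modules are installed and that $domain, $domainCred and $cloudUserName are defined as in the post.

```powershell
# Added example: run Set-AzureAdKerberosServer with -SetupCloudTrust only on
# the forest root domain, and without it on child domains.
# Assumes: ActiveDirectory and AzureADHybridAuthenticationManagement modules,
# plus $domain, $domainCred and $cloudUserName defined as in the post.

Import-Module ActiveDirectory
Import-Module AzureADHybridAuthenticationManagement

function Invoke-TdoSetup {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][pscredential]$DomainCredential,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # Determine whether $Domain is the forest root domain.
    $adDomain   = Get-ADDomain -Identity $Domain -Credential $DomainCredential
    $forestRoot = (Get-ADForest -Identity $adDomain.Forest -Credential $DomainCredential).RootDomain
    $isRoot     = $adDomain.DNSRoot -ieq $forestRoot

    $role = if ($isRoot) { 'the forest root' } else { 'a child domain' }
    Write-Host "$Domain is $role; SetupCloudTrust = $isRoot"

    # Splat the common parameters; add -SetupCloudTrust only for the root.
    $params = @{
        Domain            = $Domain
        DomainCredential  = $DomainCredential
        UserPrincipalName = $UserPrincipalName
    }
    if ($isRoot) { $params['SetupCloudTrust'] = $true }

    try {
        Set-AzureAdKerberosServer @params
    }
    catch {
        # 0x549 is Win32 error 1353 (ERROR_INVALID_DOMAIN_ROLE): the symptom the
        # post describes when -SetupCloudTrust is used on a child domain.
        if ($_.Exception.Message -match '0x549') {
            throw ("LsaCreateTrustedDomainEx 0x549 on '$Domain': run the -SetupCloudTrust " +
                   "form on the forest root ($forestRoot), then re-run here without it.")
        }
        throw
    }
}

Invoke-TdoSetup -Domain $domain -DomainCredential $domainCred -UserPrincipalName $cloudUserName
```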


Thank you!

Updated Jan 16, 2023
Version 1.0