cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MDI GMSA Forest/Multi Domain

CHRIS_chipotle
Copper Contributor

‎Feb 15 2022 02:15 PM

‎Feb 15 2022 02:15 PM

MDI GMSA Forest/Multi Domain

Trying to get a GMSA to work in Child Domain.  I have it setup, working, with sensor Running in the Forest Root.

I followed the advise to create a Universal Group and add Domain Controllers in Forest Root and Child Domain,  DC's have been restarted.

GMSA in Forest Root has been configured with Universal Group to Retrieve Password.

A couple of issues, a GMSA is only Domain centric, Test-ADServiceAccount will not work in Child Domain.

Sensor Setup in Child Domain has been installed, but sensor will not start.

Microsoft.Tri.Sensor.Log shows that the GMSA failed to retrieve password

 

I have read this, but there is no proof that this actually works.

Has anyone actually got the MDI Sensor to work in a multi-domain environment?  If so, can you provide your testing steps and if any of your steps were different from below?

 

Thanks.

 

2,484 Views
0 Likes
6 Replies
Reply
6 Replies
CHRIS_chipotle

‎Feb 16 2022 05:29 AM

‎Feb 16 2022 05:29 AM

Re: MDI GMSA Forest/Multi Domain

Yesterday, I added Domain Controllers from Child Domain to Forest Root Universal Group. Kerberos tickets have been updated.
Installed MDI Sensor, error that the Password Cannot be Retrieved from Forest Root GMSA.
All steps from URL's above have been followed.
With GMSA being Domain centric, there is no way to test the GMSA and Child Domain Controllers.
Logon As a Service will not work due to GMSA being in a different domain.

I am looking for anyone who has got a GMSA to work in a multi-domain environment and how they were able to successfully test it.
0 Likes
Reply
Eli Ofek

‎Feb 16 2022 05:49 AM

‎Feb 16 2022 05:49 AM

Re: MDI GMSA Forest/Multi Domain

@CHRIS_chipotle This document I referred to was written after testing, we verified it can work.

We also have some customers who use it.

@Martin_Schvartzman  Any idea why it won't work for him?

0 Likes
Reply
best response confirmed by CHRIS_chipotle (Copper Contributor)
Martin_Schvartzman

‎Feb 16 2022 09:56 AM

‎Feb 16 2022 09:56 AM

Solution

Re: MDI GMSA Forest/Multi Domain

@Eli Ofek @CHRIS_chipotle 

The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-star...

Having said that, we've accomplished to get it to work with a domain trust but not in a root-child scenario.

0 Likes
Reply
CHRIS_chipotle

‎Feb 17 2022 04:52 AM

‎Feb 17 2022 04:52 AM

Re: MDI GMSA Forest/Multi Domain

@Martin_Schvartzman 

Thanks for that answer Martin.

I talked to a MS MDI Engineer yesterday and we talked about how the sensor will check all the credentials in the portal until it finds a valid set.

What I am seeing in the logs is expected behavior for the failed passwords in the various domains I have setup for MDI (there are 6 currently).

I was hoping the Forest GSMA would help with that, but it seems likes its more work than I need currently.

 

 

0 Likes
Reply