Forum Discussion
MDI GMSA Forest/Multi Domain
Trying to get a GMSA to work in Child Domain. I have it setup, working, with sensor Running in the Forest Root.
I followed the advice to create a Universal Group and add the Domain Controllers in the Forest Root and Child Domain; the DCs have been restarted.
GMSA in Forest Root has been configured with Universal Group to Retrieve Password.
A couple of issues: a GMSA is only domain-centric; Test-ADServiceAccount will not work in the Child Domain.
Sensor Setup in Child Domain has been installed, but sensor will not start.
Microsoft.Tri.Sensor.Log shows that the GMSA failed to retrieve the password.
I have read this, but there is no proof that this actually works.
Has anyone actually got the MDI Sensor to work in a multi-domain environment? If so, can you provide your testing steps and if any of your steps were different from below?
Thanks.
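One way to script the configuration described in the post above (a universal group in the forest root, the domain controllers from both domains as members, and gMSA password retrieval restricted to that group), followed by a membership check that does not depend on Test-ADServiceAccount. This is an added example, not code from the thread or from Microsoft's documentation; the domain names contoso.com and child.contoso.com, the group name MDI-gMSA-Hosts and the account name mdiSvc01 are placeholders.

```powershell
# Added example, not from the thread or Microsoft's docs. Placeholder names:
# root domain contoso.com, child domain child.contoso.com, universal group
# MDI-gMSA-Hosts, gMSA mdiSvc01. Run with RSAT as an account that can create
# group and service-account objects in the root domain.
Import-Module ActiveDirectory

$RootDomain  = 'contoso.com'
$ChildDomain = 'child.contoso.com'
$GroupName   = 'MDI-gMSA-Hosts'
$GmsaName    = 'mdiSvc01'

# Pick one writable DC per domain to target explicitly; cross-domain lookups
# silently go wrong when cmdlets default to the caller's own domain.
$RootDC  = (Get-ADDomainController -DomainName $RootDomain  -Discover -Writable).HostName[0]
$ChildDC = (Get-ADDomainController -DomainName $ChildDomain -Discover -Writable).HostName[0]

# 1. Universal security group in the root domain. Universal scope is what
#    permits members from other domains in the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDC)) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security -Server $RootDC
}
$Group = Get-ADGroup -Identity $GroupName -Server $RootDC

# 2. Add every DC from both domains. Members from another domain must be
#    passed as objects resolved against their own domain, not as SAM names.
$RootDCs  = Get-ADDomainController -Filter * -Server $RootDC  |
            ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Server $RootDC }
$ChildDCs = Get-ADDomainController -Filter * -Server $ChildDC |
            ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Server $ChildDC }
Add-ADGroupMember -Identity $Group -Members ($RootDCs + $ChildDCs) -Server $RootDC

# 3. Create the gMSA in the root domain, or update an existing one, so that
#    only the group may retrieve the managed password (least privilege:
#    no individual hosts, no broad built-in groups).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Server $RootDC)) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$RootDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $Group -Server $RootDC
} else {
    Set-ADServiceAccount -Identity $GmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword $Group -Server $RootDC
}

# 4. Verification. Test-ADServiceAccount only checks whether the local computer
#    can use the account, so instead read the objects back from the root DC:
#    which principal is allowed to retrieve the password, and whether each
#    child-domain DC really is a member of that group. Membership takes effect
#    in a DC's own token only after its computer account gets a new ticket,
#    which is why the thread restarts the DCs.
$Gmsa    = Get-ADServiceAccount -Identity $GmsaName -Server $RootDC `
               -Properties PrincipalsAllowedToRetrieveManagedPassword
$Members = (Get-ADGroup -Identity $Group -Server $RootDC -Properties member).member

[pscustomobject]@{
    gMSA              = $Gmsa.SamAccountName
    AllowedPrincipals = ($Gmsa.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
}
foreach ($dc in $ChildDCs) {
    [pscustomobject]@{
        ChildDC        = $dc.DNSHostName
        InRootGroup    = ($Members -contains $dc.DistinguishedName)
    }
}
```

The output lists the gMSA's allowed principal (it should be only the universal group's DN) and one row per child-domain DC with InRootGroup set to True. A False row means the membership step did not apply to that DC, which is worth checking before looking at the sensor log for the password-retrieval failure.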
The official statement states that the gMSAs' boundary is the domain and not the forest (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Intro).
Having said that, we've managed to get it to work with a domain trust but not in a root-child scenario.
- EliOfek (Microsoft)
Did you go over this page already?
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts
Specifically starting this anchor:
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts#how-to-create-a-gmsa-account-for-use-with-defender-for-identity
- CHRIS_chipotle (Copper Contributor)
Yesterday, I added the Domain Controllers from the Child Domain to the Forest Root Universal Group. Kerberos tickets have been updated.
Installed the MDI Sensor; error that the password cannot be retrieved from the Forest Root GMSA.
All steps from the URLs above have been followed.
With GMSA being Domain centric, there is no way to test the GMSA and Child Domain Controllers.
Logon As a Service will not work due to GMSA being in a different domain.
I am looking for anyone who has got a GMSA to work in a multi-domain environment and how they were able to successfully test it.
- EliOfek (Microsoft)
CHRIS_chipotle The document I referred to was written after testing; we verified it can work.
We also have some customers who use it.
Martin_Schvartzman Any idea why it won't work for him?