MDI GMSA Forest/Multi Domain

Copper Contributor

Trying to get a GMSA to work in Child Domain.  I have it setup, working, with sensor Running in the Forest Root.

I followed the advise to create a Universal Group and add Domain Controllers in Forest Root and Child Domain,  DC's have been restarted.

GMSA in Forest Root has been configured with Universal Group to Retrieve Password.

A couple of issues, a GMSA is only Domain centric, Test-ADServiceAccount will not work in Child Domain.

Sensor Setup in Child Domain has been installed, but sensor will not start.

Microsoft.Tri.Sensor.Log shows that the GMSA failed to retrieve password


I have read this, but there is no proof that this actually works.

Has anyone actually got the MDI Sensor to work in a multi-domain environment?  If so, can you provide your testing steps and if any of your steps were different from below?




6 Replies
Yesterday, I added Domain Controllers from Child Domain to Forest Root Universal Group. Kerberos tickets have been updated.
Installed MDI Sensor, error that the Password Cannot be Retrieved from Forest Root GMSA.
All steps from URL's above have been followed.
With GMSA being Domain centric, there is no way to test the GMSA and Child Domain Controllers.
Logon As a Service will not work due to GMSA being in a different domain.

I am looking for anyone who has got a GMSA to work in a multi-domain environment and how they were able to successfully test it.

@CHRIS_chipotle This document I referred to was written after testing, we verified it can work.

We also have some customers who use it.

@Martin_Schvartzman  Any idea why it won't work for him?

best response confirmed by CHRIS_chipotle (Copper Contributor)

@Eli Ofek @CHRIS_chipotle 

The official statement states that the gMSAs' boundary is the domain and not the forest (

Having said that, we've accomplished to get it to work with a domain trust but not in a root-child scenario.


Thanks for that answer Martin.

I talked to a MS MDI Engineer yesterday and we talked about how the sensor will check all the credentials in the portal until it finds a valid set.

What I am seeing in the logs is expected behavior for the failed passwords in the various domains I have setup for MDI (there are 6 currently).

I was hoping the Forest GSMA would help with that, but it seems likes its more work than I need currently.