May 13 2022 05:19 AM - edited May 13 2022 05:21 AM
Hello,
I want to install the MDI sensors on Domain Controllers:
DC01 "objectVersion 87" Server 2016 Datacenter
DC02 "objectVersion 87" Server 2016 Datacenter
When I use a regular user with credentials, MDI services work without problems on both servers.
When I use a gMSA account for the MDI sensor on DC02, the MDI sensor is not starting. Error 1067.
The problem is that the MDI sensor with the gMSA account works on DC01, but on DC02 it is not starting.
PowerShell script I used for the gMSA account:
New-ADServiceAccount -Name username -DNSHostName username.domain.local -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 60 -SamAccountName username -PrincipalsAllowedToRetrieveManagedPassword DC01, DC02
I have checked:
Test-ADServiceAccount -Identity username
PS C:\Windows\system32> Test-ADServiceAccount -Identity username
True
Event Viewer on DC01:
The Open Procedure for service ".NETFramework" in DLL "C:\Windows\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
The Open Procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
I have seen the same errors also on DC02, but it works without problem.
I don't know if these errors are related to the MDI issue?!
Any Idea?
Regards,
Farhad
May 16 2022 12:04 AM
Verify that the gMSA has the Logon as a Service rights assignment as described in https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts#verify-that-the-gm...
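As an added example (not from this thread or from Microsoft's documentation), a check script to run locally on each sensor DC that covers the points raised so far: whether this DC can retrieve the gMSA password, which principals are allowed to, and whether the gMSA holds "Log on as a service" in the effective policy. It assumes the gMSA is named "username" as in the question and that the sensor service is registered as "AATPSensor" (the usual MDI sensor service name; adjust if yours differs).

```powershell
# Added example: gMSA prerequisite check for an MDI sensor DC.
# Run in an elevated PowerShell on the DC where the sensor fails to start.
param([string]$Gmsa = 'username', [string]$SensorService = 'AATPSensor')

Import-Module ActiveDirectory

# 1. Can THIS host retrieve the managed password? (what Test-ADServiceAccount reports)
$canRetrieve = Test-ADServiceAccount -Identity $Gmsa
"[$env:COMPUTERNAME] Test-ADServiceAccount: $canRetrieve"

# 2. Who is allowed to retrieve it? The DC's computer account (or a group it is
#    a member of) must be listed; a DC that is missing here will fail exactly
#    like DC02 even though another DC works.
$acct = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $o = Get-ADObject -Identity $dn -Properties objectClass
    "{0} ({1})" -f $o.Name, $o.ObjectClass     # groups need a membership check
}
"Allowed principals: $($allowed -join ', ')"
$selfListed = $allowed -match "^$env:COMPUTERNAME \(computer\)"
"This DC listed directly: $([bool]$selfListed)"

# 3. Does the gMSA hold SeServiceLogonRight ("Log on as a service") in the
#    effective policy? On a DC this comes from the Default Domain Controllers
#    Policy, so an exported policy that lacks the gMSA SID means the GPO
#    granting it was not applied here. Note: if the right is granted via a
#    group, the group's SID appears instead; resolve membership in that case.
$inf = Join-Path $env:TEMP 'mdi-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = (Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
$sid = $acct.SID.Value
$hasRight = [bool]($rightLine -and $rightLine.Contains($sid))
"Log on as a service granted to $Gmsa ($sid): $hasRight"
"Raw policy line: $rightLine"

# 4. Sensor service state and the account it is configured to run as.
$svc = Get-CimInstance Win32_Service -Filter "Name='$SensorService'"
if ($svc) { "Service $($svc.Name): State=$($svc.State) RunAs=$($svc.StartName)" }
else      { "Service $SensorService not found on this host" }

# Summary: all three must be true for the sensor to start under the gMSA.
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    CanRetrievePwd  = $canRetrieve
    ListedDirectly  = [bool]$selfListed
    LogonAsService  = $hasRight
}
```

Compare the summary object from DC01 and DC02; whichever field differs between the working and failing DC points at the missing prerequisite.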
May 16 2022 01:57 AM
Please open a support case. They should be able to help you troubleshoot the issue.