Using gMSA accounts in a multiforest environment with one way trusts


We have an environment set up with a Red Forest and 5 separate forests. Each has a one-way outgoing trust to the red forest. I have set up a gMSA account for the sensor for each forest, with all DCs in that forest being able to retrieve that forest's gMSA password. But I am receiving many errors across the environment about cross-forest DCs not being able to retrieve gMSA passwords from their adjacent forests. How would I resolve this? Do I need every forest to have a two-way trust to the Red forest and use the red forest gMSA for all sensors? I am missing something and don't know what it is.

1 Reply
Hi,
Making gMSA work across partial-trust environments can be tricky to troubleshoot through a forum post. I suggest opening a support ticket, where our support team can help by engaging both an MDI expert and an AD expert on this one to make sure it is done well.
In general, each sensor in a forest needs the permissions to pull the password for all gMSAs in all the other forests; then it should work. If it does not, we need to find out what is blocking it.
Make sure to attach the failing sensor logs when you open the support case.
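The reply's point is that every sensor DC must be able to retrieve the managed password of every gMSA it is expected to use, including gMSAs homed in other forests. Before opening a case, it helps to establish exactly which DCs can and cannot retrieve a given gMSA's password. The following PowerShell script is an added example, not code from the thread or from Microsoft; the gMSA name, domain name and DC list are constructed for illustration, and it assumes the ActiveDirectory module is installed on each DC, that PowerShell remoting is allowed to them, and that each DC can resolve the gMSA's domain through the existing trust.

```powershell
# Added example: report which DCs can retrieve a gMSA's managed password.
# Names below are assumptions for illustration, not values from the thread.
Import-Module ActiveDirectory

$gmsa   = 'gMSA-MDI-ForestA'                      # assumed gMSA (sAMAccountName without the trailing $)
$domain = 'forestA.example'                       # assumed domain where the gMSA lives
$dcs    = @('dc1.forestA.example',                # constructed DC list: one in the gMSA's own forest,
            'dc1.forestB.example',                # two in trusting forests
            'dc1.forestC.example')

# Step 1: show who is currently allowed to retrieve the password.
# If a DC (or a group it belongs to) is not listed here, it cannot retrieve the password.
$acct = Get-ADServiceAccount -Identity $gmsa -Server $domain `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host "Principals allowed to retrieve the password for ${gmsa}:"
$acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host "  $_" }

# Step 2: ask each DC whether it can actually fetch the password.
# Test-ADServiceAccount returns $true only when the local computer can retrieve it.
$results = foreach ($dc in $dcs) {
    try {
        $ok = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            param($name, $srv)
            Import-Module ActiveDirectory
            Test-ADServiceAccount -Identity $name -Server $srv
        } -ArgumentList $gmsa, $domain
        $err = ''
    } catch {
        # A lookup or permission failure here is the same condition the
        # question describes as cross-forest DCs failing to retrieve the password.
        $ok  = $false
        $err = $_.Exception.Message
    }
    [pscustomobject]@{ DC = $dc; CanRetrieve = [bool]$ok; Error = $err }
}

$results | Format-Table -AutoSize
```

Any DC that reports `CanRetrieve = False` is one whose computer account (or a group containing it) is missing from the gMSA's `PrincipalsAllowedToRetrieveManagedPassword`, or that cannot reach the gMSA's domain over the trust; the `Error` column and the sensor logs on that DC are what to attach to the support case.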