Broken gMSA on a single domain controller


I have a mysterious problem that I can't seem to resolve.


We use Defender for Identity on our domain controllers, and we recently (a couple of months ago) not only upgraded all our domain controllers to 2019, but also provisioned a gMSA account to handle the MDI agents.


The KDS key was verified present, and days/weeks/months have gone by, well beyond the mandatory 10 hours. I used "Domain Controllers" as the security group, making sure all the domain controllers are in the default OU. I also tested with other groups where servers are present, but for some unknown reason, one domain controller refuses to allow this MSA service account to be installed.


I even created multiple MSAs with only the dedicated server as the "allowed computer" to retrieve the password, created new KDS keys, reset the password for the MSA, and restarted several times, but I can't seem to figure out what the problem is with this particular domain controller (and I don't want to reinstall it remotely).


The wonderful Group Managed Service Accounts Overview | Microsoft Docs page, in the troubleshooting part, says "not yet available".


The Security-Netlogon event says:

"Netlogon failed to add gMSA_MDI as a managed service account to this local machine. Unknown NTSTATUS Error code: 0xc00706d9"


"Netlogon failed to retrieve the password for account gMSA_MDI in domain NULL. Object Name not found."


"Netlogon failed to add gMSA_MDI as a managed service account to this local machine. {Access Denied}
A process has requested access to an object, but has not been granted those access rights."


And I'm at a loss as to why. I tried MS support on Defender for Identity, and went through many sessions, but since the error was not MDI related, they closed the case.


Any ideas anyone?




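The prerequisites the post walks through (KDS root key older than 10 hours, the computer being among the principals allowed to retrieve the password, and what Netlogon logs on the failing host) can be checked in one pass from the affected domain controller. The script below is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory PowerShell module is available (it is on a DC), that it runs elevated on the DC that fails, and it uses the account name gMSA_MDI from the event text. One detail worth knowing: a DC belongs to "Domain Controllers" through its primaryGroupID, not through memberOf, so a naive memberOf check would wrongly report the DC as not a member; the script resolves the primary group and nested groups separately.

```powershell
# Added diagnostic script (not from the original post). Assumes the ActiveDirectory
# module, an elevated session on the failing DC, and the gMSA name from the post.
param(
    [string]$AccountName = 'gMSA_MDI'   # taken from the Netlogon event text in the post
)

Import-Module ActiveDirectory -ErrorAction Stop
$here = $env:COMPUTERNAME
Write-Host "Checking gMSA '$AccountName' from host '$here'"

# 1. KDS root key: must exist and be effective for at least 10 hours before any DC
#    will hand out a managed password (the post's 'mandatory 10 hours').
$keys = Get-KdsRootKey
if (-not $keys) {
    Write-Warning 'No KDS root key found in this forest.'
} else {
    foreach ($k in $keys) {
        $age   = (Get-Date).ToUniversalTime() - $k.EffectiveTime.ToUniversalTime()
        $state = if ($age.TotalHours -ge 10) { 'usable' } else { 'not yet effective (<10h)' }
        Write-Host ("  KDS key {0}: effective {1:u}, {2}" -f $k.KeyId, $k.EffectiveTime, $state)
    }
}

# 2. Who may retrieve the password, and is this computer among them?
$gmsa    = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host '  Principals allowed to retrieve the managed password:'
$allowed | ForEach-Object { Write-Host "    $_" }

$computer  = Get-ADComputer -Identity $here -Properties PrimaryGroupID
$domainSid = (Get-ADDomain).DomainSID.Value
# Primary group (for a DC this is "Domain Controllers") is NOT listed in memberOf,
# so resolve it from primaryGroupID; nested memberships come from the transitive
# LDAP matching rule (OID 1.2.840.113556.1.4.1941).
$primaryGroup = Get-ADGroup -Identity "$domainSid-$($computer.PrimaryGroupID)"
$nested       = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))"
$memberships  = @($primaryGroup.DistinguishedName) + @($nested | ForEach-Object DistinguishedName)

$match = $allowed | Where-Object { $_ -eq $computer.DistinguishedName -or $memberships -contains $_ }
if ($match) {
    Write-Host "  This computer is authorised via: $($match -join ', ')"
} else {
    Write-Warning '  This computer is NOT in PrincipalsAllowedToRetrieveManagedPassword (directly or via a group).'
}

# 3. Ask the local machine to fetch the password the same way Install-ADServiceAccount would.
#    -Verbose prints the reason when the result is False.
$ok = Test-ADServiceAccount -Identity $AccountName -Verbose
Write-Host "  Test-ADServiceAccount: $ok"

# 4. Recent Netlogon events on this host that mention the account (provider names assumed;
#    the System log is where Netlogon writes its service-account messages).
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = @('NETLOGON', 'Microsoft-Windows-Security-Netlogon')
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$AccountName*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it on the DC that fails and on one that works and compare the output of steps 2 and 3: if the failing host is authorised and the KDS key is usable but Test-ADServiceAccount still returns False, the problem is local to that machine (e.g. how it reaches a KDC or its own secure channel), which narrows the search. Install-ADServiceAccount is deliberately left out of the script so the diagnostic run changes nothing.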