I have a mysterious problem that I can't seem to resolve.
We use Defender for Identity on our domain controllers, and we recently (a couple of months ago) not only upgraded all our domain controllers to 2019, but also provisioned a gMSA account to handle the MDI agents.
The KDS key was verified present, and days/weeks/months have gone by, well beyond the mandatory 10 hours. I used "Domain Controllers" as the security group, making sure all the domain controllers are in the default OU. I also tested with other groups where the servers are present, but for some unknown reason, one domain controller refuses to allow this MSA service account to be installed.
I even created multiple MSAs with only the dedicated server as the allowed computer to retrieve the password. I created new KDS keys, reset the password for the MSA, and restarted several times, but I can't seem to figure out what the problem is with this particular domain controller (and I don't want to reinstall it remotely).
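A diagnostic checklist script, added here as an example and not part of the original post. It assumes the gMSA's sAMAccountName is MDI-gMSA (a placeholder; replace it with yours) and that it is run in an elevated PowerShell session on the domain controller that refuses the install. It checks the three things the post describes verifying by hand: the KDS root key age, whether this host is covered by PrincipalsAllowedToRetrieveManagedPassword either directly or through a group (including its primary group, which does not show up in MemberOf), and whether the host can actually retrieve the managed password with Test-ADServiceAccount.

```powershell
# Added example (not from the original post). Run elevated on the failing DC.
# Assumptions: RSAT/AD DS PowerShell modules are present, and the gMSA is
# named 'MDI-gMSA' (placeholder: substitute your own account name).
Import-Module ActiveDirectory

$gmsaName = 'MDI-gMSA'   # placeholder, without the trailing '$'

# 1. KDS root key: it must exist and its EffectiveTime must be at least
#    10 hours in the past before every DC will hand out gMSA passwords.
$keys = Get-KdsRootKey
if (-not $keys) { Write-Warning 'No KDS root key found in the forest.' }
foreach ($k in $keys) {
    $ageHours = ((Get-Date) - $k.EffectiveTime).TotalHours
    'KDS key {0}: EffectiveTime={1}, age={2:N1} h' -f $k.KeyId, $k.EffectiveTime, $ageHours
    if ($ageHours -lt 10) { Write-Warning "Key $($k.KeyId) is not yet usable on all DCs." }
}

# 2. Who may retrieve the managed password, and is this host among them?
$gmsa    = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
'Allowed principals:'
$allowed

$me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf, PrimaryGroupID

# The primary group (for DCs: 'Domain Controllers', RID 516) is not listed in
# MemberOf, so resolve it from the domain SID + primaryGroupID and add it.
$domainSid    = (Get-ADDomain).DomainSID.Value
$primaryGroup = Get-ADGroup -Identity "$domainSid-$($me.PrimaryGroupID)"
$myGroups     = @($me.MemberOf) + @($primaryGroup.DistinguishedName)

$covered = $allowed | Where-Object { $_ -eq $me.DistinguishedName -or $myGroups -contains $_ }
if ($covered) {
    "This host is covered by: $($covered -join ', ')"
} else {
    Write-Warning 'This host is NOT in PrincipalsAllowedToRetrieveManagedPassword, directly or via its groups.'
}
# Note: a group membership added after boot only reaches the computer's
# Kerberos token once its tickets are renewed (reboot, or: klist -li 0x3e7 purge).

# 3. The authoritative local test: can this host retrieve the password right now?
$ok = Test-ADServiceAccount -Identity $gmsaName
"Test-ADServiceAccount: $ok"
if (-not $ok) {
    # Install-ADServiceAccount caches the account on this host; read its
    # error text in full, it is more specific than a generic install failure.
    try {
        Install-ADServiceAccount -Identity $gmsaName -ErrorAction Stop
        'Install-ADServiceAccount succeeded.'
    } catch {
        Write-Warning "Install-ADServiceAccount failed: $($_.Exception.Message)"
    }
}

# 4. Because a DC answers gMSA queries from its own copy of the directory, a
#    replication problem can leave it with a stale gMSA or key. Show errors only.
repadmin /showrepl /errorsonly
```

If step 2 says the host is covered but step 3 still fails, the difference between what the directory says and what the host's Kerberos ticket carries (or a replication error in step 4) is the usual place to look next.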