Install-ADServiceAccount fail with unspecified error creating gMSA

Marco Mangiante 21 Reputation points
2022-12-06T18:20:08.753+00:00

Hello,

I tried the script inside how-to-prerequisites to create a gMSA to test Azure AD Connect cloud sync; the script is this:

$Name = 'aadsyncgMSA'  
$Description = "Azure AD Cloud Sync service account for LAB-DC1 server"  
#$Server = "LAB-DC1.marcosoft.local"  
$Server = "aadsyncgMSA.marcosoft.local"  
$Principal = Get-ADGroup 'Domain Computers'  
  
# Create service account in Active Directory  
New-ADServiceAccount -Name $Name `  
-Description $Description `  
-DNSHostName $Server `  
-ManagedPasswordIntervalInDays 30 `  
-PrincipalsAllowedToRetrieveManagedPassword $Principal `  
-Enabled $True `  
-PassThru  

When I try the command Install-ADServiceAccount -Identity $Name I obtain the error "Cannot install service account. Error Message: 'An unspecified error has occurred'". I found that some people use Set-ADServiceAccount -Identity $Name -PrincipalsAllowedToRetrieveManagedPassword $Principal, but when I use the cmdlet Test-ADServiceAccount -Identity aadsyncgMSA | Format-List what I obtain is "WARNING: Test failed for Managed Service Account aadsyncgMSA. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information." I also found in the event viewer, in the Security-Netlogon section, that when I give the install command there are 2 errors:

ID 9000: Netlogon failed to retrieve the password for account aadsyncgMSA in domain NULL. Object Name not found.
ID 9002: Netlogon failed to add aadsyncgMSA as a managed service account to this local machine. {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

Any idea to try to solve this issue?

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Kenneth Henseler 21 Reputation points
    2022-12-15T01:29:51.413+00:00

    Sounds like the server(s) where you're trying to install the gMSA, Domain Computers = ALL Computers (workstations and servers) joined to domain, have not yet been restarted or had their Kerberos tickets purged so they're aware of being a member of the...

    I have two recommendations:

    1. Don't use "Domain Computers" as your $Principal. You should create a new Global Security Group for this purpose, adding the relevant Computer objects that need to use the gMSA as members of the group.
    2. Once the computer is added to the group, either restart the computer or use the following command to purge existing Kerberos tickets: klist purge -li 0x3e7

    After restart or klist purge, try re-running your Install-ADServiceAccount cmdlet. Should work this time!

    4 people found this answer helpful.

  2. Gianfranco Cisneros Barreiro 20 Reputation points
    2025-02-27T04:02:33.4733333+00:00

    Hello,

    I just ran into this issue, but if anyone is experiencing the same, the fix is:

    • Set-ADServiceAccount -Identity [ServiceAccountName] -KerberosEncryptionType AES256

    Cheers!

    4 people found this answer helpful.

  3. Brahim O 1 Reputation point
    2025-10-20T21:10:56.8633333+00:00

    gMSA Troubleshooting Summary – SQL Server Enrollment Issue:

    • A specific gMSA (gmsaSQLdev) failed to enroll on a target server for SQL Server.
    • Event Logs showed:
      • Event ID 9000: Netlogon failed to retrieve the password (domain NULL).
      • Event ID 9002: Failed to add gMSA to the local machine (NTSTATUS 0x8009000d).

    Initial Investigation

    • Compared with a working gMSA used for Scheduled Tasks.
    • Verified both accounts were of type msDS-GroupManagedServiceAccount.
    • Activated Netlogon logs: nltest /dbflag:0x2080ffff. Confirmed:
      • Server was in the correct host group.
      • KDS root key was present and replicated.
      • SPNs were correctly configured.
      • No replication or DNS issues.

    Key Finding

    • The same server successfully enrolled a different gMSA (UAT) after being added to its host group.
    • This isolated the issue to the DEV gMSA object itself, not the server.

    Resolution

    • Executed a password reset for the problematic gMSA: Reset-ADServiceAccountPassword -Identity gmsaSQLdev + repadmin /syncall <ADDCs>
    • Restarted the server and reinstalled the gMSA.
    • Enrollment succeeded and SQL Server was able to use the gMSA.

    Conclusion

    • The issue was caused by a corrupted or inaccessible managed password for the gMSA.
    • Resetting the password triggered regeneration and resolved the problem.
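The checks raised in answer 1 (password-retrieval group membership and a fresh ticket cache) and answer 2 (Kerberos encryption type), together with the KDS root key prerequisite, gathered into one diagnostic to run on the member server where Install-ADServiceAccount fails. This is an added example, not code from the question or any of the answers; it assumes the RSAT ActiveDirectory module (and the Kds module for Get-KdsRootKey) are installed, an elevated prompt, and uses $GmsaName as a placeholder for your own account name.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory (and the Kds
# module for Get-KdsRootKey) on the member server, run from an elevated prompt.
param([string]$GmsaName = 'aadsyncgMSA')   # placeholder: your gMSA name

Import-Module ActiveDirectory
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties `
        PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, DNSHostName
$me   = Get-ADComputer -Identity $env:COMPUTERNAME

# 1. Without a KDS root key no managed password can be derived at all.
$kds = @()
if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) { $kds = @(Get-KdsRootKey) }
if ($kds.Count -eq 0) { Write-Warning 'No KDS root key visible; check Get-KdsRootKey on a DC.' }

# 2. Is this computer allowed (directly or through a group) to retrieve the password?
#    Get-ADGroupMember returns at most 5000 objects by default, one more reason to use a
#    dedicated group rather than "Domain Computers", as answer 1 recommends.
$allowed = $false
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $principal = Get-ADObject -Identity $dn
    if ($principal.ObjectClass -eq 'group') {
        $memberDns = (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName
        if ($memberDns -contains $me.DistinguishedName) { $allowed = $true }
    }
    elseif ($dn -eq $me.DistinguishedName) { $allowed = $true }
}
if (-not $allowed) { Write-Warning "$($me.Name) cannot retrieve the password of $GmsaName." }

# 3. The gMSA must advertise an encryption type this host supports (answer 2's fix).
$etypes = "$($gmsa.KerberosEncryptionType)"
if ($etypes -notmatch 'AES') {
    Write-Warning "KerberosEncryptionType is '$etypes'; Set-ADServiceAccount -Identity $GmsaName -KerberosEncryptionType AES256 adds AES."
}

# 4. New group membership only shows up in a fresh token: purge the SYSTEM (0x3e7)
#    logon session's tickets before Test-ADServiceAccount retries the retrieval.
klist purge -li 0x3e7 | Out-Null
$testOk = Test-ADServiceAccount -Identity $GmsaName -WarningAction SilentlyContinue

[pscustomobject]@{
    Account           = $GmsaName
    DnsHostName       = $gmsa.DNSHostName
    KdsRootKeyCount   = $kds.Count
    AllowedToRetrieve = $allowed
    EncryptionTypes   = $etypes
    TestPassed        = [bool]$testOk
}
```

If AllowedToRetrieve is true, the encryption types include AES and TestPassed is still false, the Netlogon events 9000/9002 from the question and a password reset as in answer 3 are the next things to look at.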
