2

Can gMSA accounts be used across two trusted domains? Say there is a DomainA which has gMSA account, and security group that is allowed to retrieve password for the gMSA account. And there is a server that belongs to DomainB that is part for DomainA\SecurityGroup.

When running Install-ADServiceAccount, I get:

Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.

I can retrieve the account from DomainA using Get-ADServiceAccount by specifying -Server parameter. Then pipe that into Install-ADServiceAccount and get above error.

When piping the account to Test-ADServiceAccount I get this:

Test-ADServiceAccount : Object reference not set to an instance of an object.

Stanislaw Wozniak
  • 37
  • 1
  • 2

2 Answers2

0

No, at least not that I've found. I think there's something in the API that makes it send the request for the password to only its own domain's DCs.

Jordan Mills
  • 86
  • 1
  • 2
0

I have used gMSA accounts across a domain trust. The gMSA principal needs to be a group in the same domain, but as long as the group is type Domain Local, you can add computers from the other domain as members to that group, and they are then able to retrieve the password successfully.

devons
  • 1
  • 1