Description:
You are deploying Azure Advanced Threat Protection (AATP) or Microsoft Defender for Identity (MDI) in your Multi-Domain Single-Forest IT environment. You plan to use gMSA account for the Defender for Identity services account when communicating to Active Directory.
You have created a new universal group or domain local group and add all of the Domain Controllers in the Forest to that group. You also have created the gMSA account and configured that group to be able to retrieve password and use the gMSA account.
However when you configure MDI to use the gMSA account, the Sensor Services on the Domain Controllers cannot be start.
Resolution:
Make sure you have Restarted the Domain Controllers that you put inside the new universal or domain local group. After the Domain Controller restart, try to login and notice that Azure ATP Sensor Services will be able to start properly. Delayed start is expected for Azure ATP services.
1 comment:
No dice, did not fix it... AATPSensor service is stuck in a loop of attempting to Start and Failing with error 8995 for domain controllers not part of the domain it not in.
So my question now goes to the gMSA configuration for MDI in a Multi-Domain Forest...
A) Create single gMSA with all Domain Controllers at the Forest* level across all domains allowed to retrieve password? *Will a gMSA from a sub-domain work at the Forest level if the Forest DC is allowed to retrieve password?
B) Create a gMSA on EACH domain in the Forest with explicitly that domain's domain controllers allowed to retrieve password, and define each account in the MDI configuration?
C) Create a gMSA on EACH domain in the Forests with ALL Domain Controllers in the Forest allowed to retreive password, and define each account in the MDI configuration?
For the Domain Local or Universal Group with domain controllers, do Nested Groups work or does each group need to be defined as Allowed to Retrieve Password?
i.e. Should we add "ForestA\Domain Controllers" and "DomainB\Domain Controllers" to "AllowedMDIPrincipals" group, and set "AllowedMDIPrincipals" as Allowed to retrieve password? OR, just set the "ForestA\Domain Controllers" and "DomainB\Domain Controllers" directly the gMSA as Allowed to Retrieve Password?
For what its worth, we've been down two of these rabbit holes with Microsoft Engineers, and still have this issue with our Forest Domain Controllers and no clear answer and muddy documentation. The Child Domain is not having this issue.
Post a Comment