
Configure Cloud Sync agents with a shared GMSA service account

Cloud Sync is the lightest solution for interconnecting an on-premises Active Directory with a Microsoft 365 tenant. It is convenient because it does not require an on-premises SQL database, and it offers simple fault tolerance through the installation of multiple Cloud Sync agents on your on-premises servers. During these installations, you may run into an issue when trying to use the same gMSA account on several servers. The procedure below explains how to share a single gMSA account between agents.

Installation of the first cloud sync agent

Start installation of cloud sync agent.

Select the first option “Microsoft Entra Cloud sync”.

Connect to your M365 tenant with an administrator account.

Connect to your on-premises Active Directory with an administrator account and select “Create MSA” option.

Select your Active Directory domain(s).

Verify the status of the new Windows service “Microsoft Azure AD Connect Provisioning Agent”.

A gMSA account has just been created with the name “provAgentgMSA”.

The first server (SERVAD1 in this sample) can use this gMSA account.


# Find the gMSA created by the agent installer (display name starts with "prov")
$gmsa = Get-ADServiceAccount -filter "name -like 'prov*'"
# Read the msDS-GroupMSAMembership attribute, which holds the security descriptor
# listing the principals allowed to retrieve the managed password
$gmsaObject = Get-ADObject -Identity $gmsa.ObjectGUID -Properties msDS-GroupMSAMembership
# Display it: after the first installation only SERVAD1 is listed
$gmsaObject."msDS-GroupMSAMembership"

On the cloud side, the agent is present and active.

Installation of the second and subsequent agents

Before installing the second agent, the second server (SERVAD2 in this sample) must be allowed to use the gMSA account created during the installation of the first agent.

Use the following PowerShell command to do this.

Note: Use the SamAccountName of the gMSA account and not the name “provAgentgMSA”.

# -PrincipalsAllowedToRetrieveManagedPassword replaces the whole list, so servad1$ must be kept alongside servad2$
Set-ADServiceAccount -Identity pGMSA_1ae6b021$ -PrincipalsAllowedToRetrieveManagedPassword "servad1$","servad2$"

Next, install the gMSA account on the second server with the PowerShell cmdlet Install-ADServiceAccount.

# Run this on SERVAD2 (requires the Active Directory PowerShell module from RSAT)
Install-ADServiceAccount -identity pGMSA_1ae6b021$

You can then start the installation of the second agent by selecting the existing gMSA SamAccountName without any issues.

Then, the second agent is going to be available and active on the cloud side.
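The whole second-server step, as an added example script that is not part of the original post and not Microsoft's own code: it looks up the gMSA by its display name, merges the new server(s) into the existing PrincipalsAllowedToRetrieveManagedPassword list (so the first server is not dropped by the replace semantics of Set-ADServiceAccount), then installs and tests the gMSA on each new server. It assumes the RSAT Active Directory module is installed, the script runs with Domain Admin rights, WinRM is enabled on the target servers (Invoke-Command is used to reach them), and the server name SERVAD2 is a sample value.

```powershell
# Added example, not the post's own commands. Assumes RSAT AD module, Domain Admin rights,
# and WinRM access to the target servers. Server names are constructed sample values.
param(
    [string]$GmsaFilter = "name -like 'prov*'",   # matches provAgentgMSA from the post
    [string[]]$NewServers = @('SERVAD2')          # servers to grant access to (sample)
)
Import-Module ActiveDirectory

# Resolve the gMSA by display name. Set-/Install-ADServiceAccount need the SamAccountName
# (e.g. pGMSA_1ae6b021$), not the friendly name "provAgentgMSA".
$gmsa = Get-ADServiceAccount -Filter $GmsaFilter -Properties PrincipalsAllowedToRetrieveManagedPassword
if (-not $gmsa -or @($gmsa).Count -gt 1) {
    throw "Expected exactly one gMSA matching '$GmsaFilter'"
}

# -PrincipalsAllowedToRetrieveManagedPassword REPLACES the list, so merge the principals already
# allowed (SERVAD1 after the first install) with the new servers instead of overwriting them.
$existing = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)        # distinguished names
$newDNs   = $NewServers | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
$merged   = @($existing + $newDNs | Sort-Object -Unique)

Set-ADServiceAccount -Identity $gmsa.SamAccountName -PrincipalsAllowedToRetrieveManagedPassword $merged
Write-Host "gMSA $($gmsa.SamAccountName) may now be retrieved by:"
$merged | ForEach-Object { Write-Host "  $_" }

# On each new server: install the gMSA locally and confirm the computer can actually fetch
# the managed password before starting the Cloud Sync agent installer there.
foreach ($server in $NewServers) {
    Invoke-Command -ComputerName $server -ArgumentList $gmsa.SamAccountName -ScriptBlock {
        param($sam)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $sam
        if (Test-ADServiceAccount -Identity $sam) {
            "$env:COMPUTERNAME: gMSA $sam installed and password retrievable"
        } else {
            throw "$env:COMPUTERNAME cannot retrieve the password for $sam; check PrincipalsAllowedToRetrieveManagedPassword"
        }
    }
}
```

Test-ADServiceAccount is the check worth keeping: a False result on the new server means the agent installer will fail at the gMSA step even though the account exists, usually because the server was not added to the allowed principals or an earlier Set-ADServiceAccount call overwrote the list.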


By Lionel TRAVERSE
Microsoft 365 Certified Administrator Expert / Microsoft Certified Trainer