2012 R2/ADFS with Group Managed Service Account RRS feed

  • Question

  • I'm trying to configure the ADFS role on a new 2012 R2 domain controller following these steps:


    However, if I try to create a new service account using the GUI I get the following error:

    The specified service account 'CN=adfstest' did not exist. Attempt to create the group Managed Service Account failed. Error: There is no such object on the server.

    I added the KDS root key yesterday.

    If I add the service account manually:

    New-ADServiceAccount adfstest -DNSHostName fs.contoso.ie -ServicePrincipalNames http/fs.contoso.ie -Path "OU=Managed Service Accounts,DC=contoso,DC=ie"

    This works fine, but configuring the ADFS farm with this service account I get a similar error:

    PS C:\Windows\system32> Install-AdfsFarm -CertificateThumbprint xxxxxxxxxxxxxxx -FederationServ
    iceName fs.contoso.ie -GroupServiceAccountIdentifier contoso\adfstest$ | fl
    Install-AdfsFarm : The system cannot find the file specified
    At line:1 char:1
    + Install-AdfsFarm -CertificateThumbprint xxxxxxxxxxxxxxxxxxxxxxxxxx...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-AdfsFarm], DisplayableArgumentException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.InstallFarmCommand
    Message : Unable to retrieve group Managed Service Account information. The system cannot find the file specified
    Context : DeploymentTask
    Status  : Error

    What am I missing?

    Saturday, November 9, 2013 2:08 PM

All replies

  • I am getting the same issue, does anyone have a solution?
    Thursday, November 28, 2013 12:19 PM
  • I am having the same kinds of problems. I do see your issue looks exactly like my errors. So good news, I may be able to help with one aspect. I did not have a "managed service accounts" entry in my AD so I had to trial and error to find out the "Managed Service Accounts" (MSA from now on) entry must be a group and not an OU. so create the MSA and then your command will refer to the MSA group- here is my example-

    New-ADServiceAccount adfstest -DNSHostName center.1reeves.com -ServicePrincipalNames http/center.1reeves.com -Path "CN=Managed Service Accounts,DC=1reeves,DC=com"

    That's the good news. The bad news is I still have a problem creating the actual farm. I can create service accounts all day long.

    I have slept so I will try one more time and let you know If I get any furthere. Good luck and please post the next step if you get past this as that is now where I am having errors. I am going through the configure ADFS and the pre-req passes and then the script to be run is this-

    Import-Module ADFS

    Install-AdfsFarm `
    -CertificateThumbprint:"7E11D3624D0F5196B5D52E73983778F8E249BF24" `
    -FederationServiceDisplayName:"center" `
    -FederationServiceName:"center.1reeves.com" `

    The error ranges every time but I can see it gets stuck on installing the database for various reasons . I have spun wheels here for a while so I think the next step is to get SQL management studio and crack the installed windows internal database- I be we will find our service account is missing permissions- my plan is to manuallty add and I hope to be done- seems buggy for sure-

    Logs will be here-


    I hope that helps

    Friday, November 29, 2013 5:18 PM
  • Let me clarify- In your case, the OU would have to be deleted and recreated as a "group". Now I'm not sure the group container is correct either, I am just going off the fact that other objects like system use "group" If I am incorrect please let me know. I created a Group in AD called Managed Service accounts. and it seems to work ok. The OU did not work so well.
    Friday, November 29, 2013 5:21 PM
  • Hey Lou,

    Literally just off the phone with Microsoft PSS and we've come to the same conclusion :)

    I have now deleted the OU since it is useless. Have left it with PSS to come back with a script to create the group, I think the issue is it should have been created during the 2008 R2 prep way back but it wasn't. It has to be marked with a well known system guid that is the same across domains. Once we have that I suppose the rest will fall into place.

    Friday, November 29, 2013 5:25 PM
  • Glad to hear- Yes I have completed the ADFS install. I seemed to have more then usual issues so I posting part of the blog I am writing on my failures-

    First you have a 2012 R2 windows copy installed-

    1. Do not use SQL 2014 Beta version. I don't know why at this point but I had no luck using it
    2. If you have no Managed service account folder in ADUC, Do not create an OU. I did this and suffered for days. The object you need to create is a Group container. This is New Object->group container ->Managed Service Accounts

    3. I alos had trouble using the Windows Internal Database, I actually reinstalled the 2012 R2 OS at one point, and just decided to go with a named instance of 2012 SQL. It was successful on the install, as long as you install .net 3.5 role service.

    Ok with that off my chest, this is how I got ADFS installed clean-

    0. Make sure you have a Managed service account group object in ADUC. (not an OU) 

    1. Create a Managed Service Group account. The command I used was-

    New-ADServiceAccount adfstest -DNSHostName center.1reeves.com -ServicePrincipalNames http/center.1reeves.com -Path "CN=Managed Service Accounts,DC=1reeves,DC=com"

    2. Install SQL 2012 or (windows internal database if your brave).

    3. Add your Admin, Sql, and Group managed account as SQL admin users durring the SQL intall.

    4. Go ahead and install the ADFS role.
    5. Once the ROLE is installed there is a configuration wizzard required to complete the setup.

    6. On the ADFS configuration, I used the Sql Account as the admin account, the Group account created in step 1. This group account worked as I had also added it as an admin during the SQL install. this Group account  seemed to work and complete the installation of the ADFS role.

    I am moving on now to work on the Lync 2013 Proxy for 2012 R2. I wont include that here, but if your end goal is setting this up for Lync. I will be posting the total process on my blog at - http://digitalbamboo.wordpress.com/

    Saturday, November 30, 2013 8:53 PM
  • How did you create the managed services group container? I don't see the option.

    Yes this is for Lync 2013, I am using the ARR component right now which is fine but was hoping for an easier way to deploy reverse proxy ;)


    Ah I have tracked it using the script here:


    It must have been deleted some time back:

    CN=Managed Service Accounts\0ADEL:43a75453-3f67-4b74-9275-a0d2a14ac39c,CN=Deleted Objects,DC=contoso,DC=ie

    I've had a look in deleted objects using LDP but the object does not exist anymore. 


    With the help of PSS now recreated the container. Using adsiedit create a new container under the domain and call it "Managed Service Accounts". Then we used LDP to delete the otherwellknownobject entry from the domain and add it back using the same guid above (minus 0ADEL: and Deleted Object of course). Now the wizard can create the GMSA!

    Next step, trying to get the internal database to play along. This is the first issue:


    • Edited by wagenveld Monday, December 2, 2013 10:57 AM
    Saturday, November 30, 2013 9:28 PM
  • A green tick!

    Monday, December 2, 2013 11:14 AM
  • In my case, the container was already present, however I received the same error. Since this environment only has two domain controllers, I'm not sure why "replication" took as long as it did, but after getting this error yesterday, simply re-trying again today worked.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Tuesday, September 22, 2015 2:31 PM