Problem with gMSA in multi-domain environment

  • Question

  • Hello,

    I have a problem using gMSAs for Windows Containers. I followed the guide https://github.com/Microsoft/Virtualization-Documentation/tree/live/windows-server-container-tools/ServiceAccounts and successfully have this up and running in my Azure sandbox environment with a simple AD domain. 

    However, in our company environment it is trickier, as we have a schema domain (root.fum) with only Server 2008 DCs and a connected domain (global.fum) with Server 2012 DCs. I can create the gMSAs in global.fum and use them, e.g. for a scheduled task on my container host, so they work to a degree. I can also create a container using the gMSA, but the first curious thing is that nltest /parentdomain returns root.fum, and net user /domain tfenster also fails, looking for that user on a root.fum DC. I looked into the CredentialSpec file and found

        "CmsPlugins":  [ ... ],
        "DomainJoinConfig":  {
            ...
            "DnsTreeName":  "global.fum",
            "DnsName":  "root.fum",
            "NetBiosName":  "FUM-GLOBAL"
        },
        "ActiveDirectoryConfig":  {
            "GroupManagedServiceAccounts":  [
                {
                    "Name":  "sa_navall_dc_1",
                    "Scope":  "global.fum"
                },
                {
                    "Name":  "sa_navall_dc_1",
                    "Scope":  "FUM-GLOBAL"
                }
            ]
        }

    If I manually change that to 

    "DnsName":  "global.fum",

    then nltest /parentdomain returns global.fum as expected and net user /domain tfenster successfully fetches the information for my user (tfenster) from a global.fum DC. However, if I then try to call a cmdlet from Dynamics NAV called New-NAVServerUser with my user "FUM-GLOBAL\tfenster" as the Account parameter, I get

    [ac85d8af64fa...]: PS C:\Users\ContainerAdministrator\Documents> New-NAVServerUser -WindowsAccount "FUM-GLOBAL\tfenster" NAV
    New-NAVServerUser : The Windows account could not be mapped to a valid security identifier (SID).
        + CategoryInfo          : NotSpecified: (0:Int32) [New-NAVServerUser], NavCommandException
        + FullyQualifiedErrorId : MicrosoftDynamicsNavServer$NAV,Microsoft.Dynamics.Nav.Management.Cmdlets.NewNavServerUser

    If I enable netlogon debug logging, then I see the following

    06/20 09:54:23 [SESSION] [15292] FUM-GLOBAL: NlDiscoverDc: Found DC \\s00-dc1.global.fum
    06/20 09:54:26 [MSA] [15292] NetpGetGroupMSAPassword calling for CCG.  CCGGetRollingPassword for SA_NAVALL_DC_1$ returns 0x00000000.
    06/20 09:54:26 [SESSION] [15292] FUM-GLOBAL: NlSessionSetup: Negotiated flags with server are 0x612fffff
    06/20 09:54:26 [SESSION] [15292] FUM-GLOBAL: NlSetStatusClientSession: Set connection status to 0
    06/20 09:54:26 [DNS] [15292] Set DnsForestName to: root.fum.
    06/20 09:54:26 [DOMAIN] [15292] Setting LSA NetbiosDomain: FUM-GLOBAL DnsDomain: global.fum. DnsTree: root.fum. DomainGuid:c469e9bf-5a58-4beb-b8bf-059c5c04212e
    06/20 09:54:26 [DOMAIN] [15292]    DnsTree changed from global.fum to root.fum.
    06/20 09:54:26 [CRITICAL] [15292] NlUpdatePrimaryDomainInfo: Cannot LsarSetInformationPolicy 0xc00000bb
    06/20 09:54:26 [CRITICAL] [15292] FUM-GLOBAL: NlUpdateDomainInfo: Can't NlUpdatePrimaryDomainInfo 0xc00000bb
    06/20 09:54:26 [CRITICAL] [15292] FUM-GLOBAL: NlSessionSetup: NlUpdateDomainInfo failed 0xC00000BB

    So it seems to me like, for whatever reason, the container is correctly calling the global.fum DC s00-dc1.global.fum (we set this as DNSHostName when creating the gMSA) and is also successfully getting the password for my gMSA. But then, for whatever reason, it tries to switch the DNS forest and that fails. My questions are:

    • Does anyone have an idea what might cause that switch?
    • Does anyone know if this should be supported? It would, however, be problematic because, as mentioned, root.fum is strictly 2008 and I therefore can't create gMSAs there. So I really am looking for an answer to the first question, to maybe change whatever the reason for that is.

    Any other ideas on how to solve this problem are also very much appreciated. I would really love to introduce Windows Containers into our company infrastructure, but this is quite a blocker...

    Tuesday, June 20, 2017 9:30 AM
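The manual edit described in the post (changing DomainJoinConfig.DnsName in the credential spec to the domain the gMSA actually lives in) can be checked and applied from the container host with a short script. This is an added example, not code from the original post or from the CredentialSpec.psm1 module; the credential spec path (the module's default output folder) and the -Apply switch are assumptions for illustration. It generalizes the post's one case slightly by deriving the expected DnsName from the DNS-style Scope of the gMSA entries rather than hard-coding global.fum.

```powershell
# Added example (not from the original post): report and optionally patch DomainJoinConfig.DnsName
# in a credential spec generated by CredentialSpec.psm1 so that it matches the gMSA's DNS scope.
# $CredSpecPath (module's default folder) and -Apply are assumptions for illustration.
param(
    [string]$CredSpecPath = "C:\ProgramData\Docker\CredentialSpecs\sa_navall_dc_1.json",
    [switch]$Apply
)

$spec    = Get-Content -Path $CredSpecPath -Raw | ConvertFrom-Json
$joinCfg = $spec.DomainJoinConfig
$gmsas   = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts)

# A gMSA is listed twice: once with the DNS domain as Scope, once with the NetBIOS name.
# Only the DNS-style scope (contains a dot) tells us which domain the container must talk to.
$dnsScopes = @($gmsas.Scope | Where-Object { $_ -like '*.*' } | Sort-Object -Unique)

Write-Output ("DnsTreeName : {0}" -f $joinCfg.DnsTreeName)
Write-Output ("DnsName     : {0}" -f $joinCfg.DnsName)
Write-Output ("NetBiosName : {0}" -f $joinCfg.NetBiosName)
Write-Output ("gMSA entries: {0}" -f (($gmsas | ForEach-Object { "$($_.Name)@$($_.Scope)" }) -join ', '))

if ($dnsScopes.Count -ne 1) {
    throw "Expected exactly one DNS-style gMSA scope, found: $($dnsScopes -join ', ')"
}
$expected = $dnsScopes[0]

if ($joinCfg.DnsName -ieq $expected) {
    Write-Output "DnsName already matches the gMSA scope ($expected); nothing to do."
    return
}

Write-Output "DnsName '$($joinCfg.DnsName)' does not match the gMSA scope '$expected'."
if (-not $Apply) {
    Write-Output "Re-run with -Apply to rewrite DnsName (a .bak copy is kept)."
    return
}

Copy-Item -Path $CredSpecPath -Destination "$CredSpecPath.bak" -Force
$spec.DomainJoinConfig.DnsName = $expected
# -Depth must cover the nested GroupManagedServiceAccounts array; the default depth truncates it.
$spec | ConvertTo-Json -Depth 10 | Set-Content -Path $CredSpecPath -Encoding UTF8
Write-Output "Rewrote DnsName to '$expected' (backup at $CredSpecPath.bak)."
```

Run it once without -Apply to see the current values, then with -Apply to perform the same change the post made by hand; the container is then started as before with the patched file passed via --security-opt credentialspec=file://....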

All replies

  • I finally found a solution for this: I had to enable this setting (https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-access-allow-anonymous-sidname-translation) on my container host, and then it just worked.
    Monday, January 15, 2018 11:26 AM
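The setting in the reply, "Network access: Allow anonymous SID/Name translation", is not a plain registry value; it is carried in the local security policy as LSAAnonymousNameLookup under [System Access] and can be read and applied with secedit. The script below is an added example, not part of the original thread: it reports the current state on the container host, enables it when run with -Enable, and then performs the same name-to-SID translation that New-NAVServerUser failed on, so the fix can be verified without the NAV cmdlet. The account name is an assumption; substitute your own. One caveat a practitioner should weigh: enabling this policy lets unauthenticated callers translate SIDs to names and names to SIDs, which aids account enumeration, so apply it only to the container hosts that need it.

```powershell
# Added example (not from the original thread): check/enable "Network access: Allow anonymous
# SID/Name translation" on the container host via secedit, then verify NTAccount -> SID mapping.
# Run in an elevated PowerShell on the host. $Account is an assumption; replace it with your user.
param(
    [string]$Account = 'FUM-GLOBAL\tfenster',
    [switch]$Enable
)

$work = Join-Path $env:TEMP 'lsa-anon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exportCfg = Join-Path $work 'current.inf'

# Export the effective local security policy; the setting appears as LSAAnonymousNameLookup.
secedit /export /cfg $exportCfg /areas SECURITYPOLICY | Out-Null
$match = Select-String -Path $exportCfg -Pattern '^\s*LSAAnonymousNameLookup\s*=\s*(\d)' |
         Select-Object -First 1
$value = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }   # absent means Disabled
Write-Output ("LSAAnonymousNameLookup = {0} ({1})" -f $value, $(if ($value -eq 1) { 'Enabled' } else { 'Disabled' }))

if ($value -ne 1 -and $Enable) {
    # Minimal security template that flips only this policy.
    $applyCfg = Join-Path $work 'enable.inf'
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LSAAnonymousNameLookup = 1
'@ | Set-Content -Path $applyCfg -Encoding Unicode
    secedit /configure /db (Join-Path $work 'enable.sdb') /cfg $applyCfg /areas SECURITYPOLICY | Out-Null
    Write-Output "Applied LSAAnonymousNameLookup = 1; secedit logs are under $work if it reported errors."
}

# The translation New-NAVServerUser needs: account name -> SID, and the SID -> name round trip
# that anonymous SID/Name translation permits for unauthenticated callers.
try {
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    Write-Output "$Account maps to $($sid.Value)"
    $back = $sid.Translate([System.Security.Principal.NTAccount])
    Write-Output "$($sid.Value) maps back to $($back.Value)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Warning "Could not map '$Account' to a SID: $($_.Exception.Message)"
}
```

The translation part can also be run inside the container (for example via docker exec) to reproduce the "could not be mapped to a valid security identifier" failure directly: if it raises IdentityNotMappedException there while the host policy is disabled, and succeeds after enabling it, the container host policy is the cause, as the reply found.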