
group Managed Service Accounts causing delays, freezes, lock ups, and service outages

For testing, I created a gMSA and it worked perfectly. So I began the process of creating many gMSA accounts and replacing all the existing "user service accounts" in our network.

I've migrated several and now I'm seeing problems.  Basically, when a process attempts to "work with" the gMSA, sometimes it just freezes the process causing timeouts.

Example scenarios:

  • Running Test-ADServiceAccount usually completes in less than 1 second. When the problem occurs, the command takes 5-10 minutes to complete. No error message, just slow.
  • Edit a service's "log on as" account setting, and click OK. Saving the change happens instantly, but when the problem happens, clicking "OK" after changing the account settings locks up the MMC for over 10 minutes and it becomes unresponsive. If, during this time, you attempt to access the service control manager (using sc.exe or another computer), that program will hang too. I suspect SCM is hung. I don't know how long it hangs up; I waited over 10 minutes and closed the process.
  • Clustering: a generic service resource is running under a gMSA. It usually works as you'd expect, but when the problem occurs, moving the resource to another node causes an "online pending" for several minutes before it fails. Clustering tries several times, and it eventually starts. If you are moving several roles (such as pausing the node to install Windows Updates), any services that the cluster attempts to start after it begins starting the gMSA service will also hang for several minutes, and eventually fail! This causes an outage, and there is nothing you can do. You can't take anything offline, and you can't move the roles to another server until it times out. I suspect the SCM is hung on that node.

This problem comes and goes.  I've seen all the above problems on freshly installed servers and servers that were running fine using gMSA yesterday.

Any help would be appreciated.  All systems Windows 2012 R2 with up-to-date patches.

I should mention that I did NOT run Install-ADServiceAccount because it seems to be unnecessary with gMSA.  Plus, the Test-ADServiceAccount always returns true.


-Tony


