
I have two Server 2019 domain controllers with DHCP services running in load-balance mode, which synchronizes leases but not scope options or reservations unless instructed to do so via PowerShell. So all I want to do is schedule Invoke-DhcpServerv4FailoverReplication -Force to run every 10 minutes.

I did not imagine it would be so difficult. I have a PowerShell script at C:\Scripts\Sync-DhcpReservations.ps1 with the following code:

$ErrorActionPreference="Continue"
Start-Transcript -Path 'C:\Scripts\output.txt' -Append

Import-Module DhcpServer
Invoke-DhcpServerv4FailoverReplication -Force

Stop-Transcript

When I set this up to run in a scheduled task under the NT AUTHORITY\SYSTEM account, it failed, and the transcript output indicated denied permissions on the other domain controller. This makes perfect sense (SYSTEM only has privileges on itself), so I created a group managed service account:

New-ADServiceAccount -Name DC_gMSA -DNSHostName DC_gMSA.domain.net -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"

Fine. Test-ADServiceAccount DC_gMSA returns a true result on both domain controllers. So then I configured the scheduled task to use this gMSA:

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
-Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Scripts\Sync-DhcpReservations.ps1"'

$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 10) `
-RepetitionDuration (New-TimeSpan -Days 9999)

$Principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\DC_gMSA$' -LogonType Password -RunLevel Highest

$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew

Register-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal `
-TaskName 'Replicate DHCP Scope Options' -TaskPath '\'

End result: the task will not even start. It fails with 101 and 104 events, indicating that the gMSA does not have permission to execute the task. I get no PowerShell transcript because the script was never invoked.

Apparently gMSA are created in all the most powerful AD groups, including Enterprise Admins. In any case, I've looked at the NTFS permissions and I do not believe they are the problem.

Has anyone faced a similar issue?

Vaito
I've used this for this purpose - https://gallery.technet.microsoft.com/scriptcenter/Auto-syncing-of-configurati-6eb54fb0 – joeqwerty Nov 20 '20 at 23:05

1 Answer

For posterity: I've resolved the issue.

First, I had already configured but neglected to mention that the gMSA needs "logon as batch" to execute a script.

Second, gMSA aren't created as a part of any groups except Domain Computers. I was looking at the ACL on the service account, not the group membership. So I fixed that.

Third, I had to reboot both DCs before the gMSA's privileges took effect.

Vaito
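The answer lists three conditions that have to hold on each DC before a gMSA-run task will start: the gMSA must be usable on that host, it must hold "Log on as a batch job", and the task must actually be registered with the gMSA as its principal. The following pre-flight script is an added example, not code from the question or the answer; it checks those three conditions on the DC it runs on and reports the task's last result. The gMSA and task names are taken from the thread; the scratch INF path and the output object's field names are choices made here.

```powershell
# Added verification script (not from the thread). Run elevated on each DC that
# hosts the scheduled task; secedit /export needs administrative rights.
param(
    [string]$GmsaName = 'DC_gMSA',                       # from the question
    [string]$TaskName = 'Replicate DHCP Scope Options'   # from the question
)

Import-Module ActiveDirectory
Import-Module ScheduledTasks

# 1. gMSA usable on this host. Install-ADServiceAccount caches the managed
#    password locally and only succeeds when this computer is covered by
#    PrincipalsAllowedToRetrieveManagedPassword ("Domain Controllers" here).
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Install-ADServiceAccount -Identity $GmsaName
}
$gmsaOk  = Test-ADServiceAccount -Identity $GmsaName
$gmsaSid = (Get-ADServiceAccount -Identity $GmsaName).SID.Value

# 2. "Log on as a batch job" (SeBatchLogonRight). Export the effective local
#    user-rights policy with secedit and look for the gMSA's SID; secedit writes
#    SIDs with a leading asterisk. A right granted through a group the gMSA
#    belongs to shows that group's SID instead, so inspect BatchLogonEntry below
#    if HasBatchLogon is false.
$inf = Join-Path $env:TEMP ('urights-{0}.inf' -f [guid]::NewGuid())   # scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$batchLine = Get-Content -Path $inf | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue
$batchOk = [bool]($batchLine -and ($batchLine -match [regex]::Escape('*' + $gmsaSid)))

# 3. Task principal and last run result. LastTaskResult 0 means the last run
#    succeeded; 267011 (0x41303) means the task has not run yet.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
$info = Get-ScheduledTaskInfo -TaskName $TaskName
$principalOk = $task.Principal.UserId -like "*\$GmsaName$"

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    GmsaUsable      = $gmsaOk
    GmsaSid         = $gmsaSid
    HasBatchLogon   = $batchOk
    BatchLogonEntry = $batchLine
    TaskPrincipal   = $task.Principal.UserId
    PrincipalIsGmsa = $principalOk
    LastRunTime     = $info.LastRunTime
    LastTaskResult  = $info.LastTaskResult
}
```

Run it on both DCs and compare the output: the answer notes that the right only took effect after a reboot, so a DC that shows HasBatchLogon as true in the exported policy but still logs 101/104 events for the task is the case where a restart (or at least a fresh logon session for the gMSA) is still pending.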