Group Managed Service Accounts (GMSA) and Read-Only Domain Controllers (RODC)

active-directory domain-controller managed-service-accounts rodc

Solution 1:

The "AccountPassword" attribute is ignored for gMSAs, it can be used for standard MSAs in scenarios like you describe where there is no writable access to a domain controller.

Quoting Microsoft docs: "In this case you should create the standalone MSA, link it with the appropriate computer account and assign a well-known password that needs to be passed when installing the standalone MSA on the server on the RODC-only site with no access to writable DCs."

https://docs.microsoft.com/en-us/powershell/module/activedirectory/install-adserviceaccount?view=winserver2012-ps#parameters

Related

Where is imagemagick located on an EC2 server
Using a http proxy without manually configuring the browser to use proxy server
How do I install the DFSR module for Powershell on Windows Server 2012?
How to remove a port bind still used by sshd after an improper deconnection from ssh?
How to run updates on Ubuntu command line without upgrading PHP
sftp,ssh hang from personal ubuntu to aws ubuntu ec2 but not putty on same box
Does Default Domain Policy always win? Different password policies in production domain
Does AWS Application Load Balancer scan listening ports on the EC2 web servers?
How to tell squid use Source IP address for sending requests?
ghettoVCB: ERROR: Unable to backup MACHINE-NAME due to error in VMDK backup
Use a datastore on two OSes with esxi 6.7
In IPv6 router gets the Router solicitation message, but not respond with Router advertisement