- Create the gMSA and link the security principal to a new security group. See the following for more information on initial configuration:
  https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
- Assign the RMAD server(s) machine accounts as members of the security group linked in step 1.
- Ensure you install the gMSA account on the RMAD server by running the following PowerShell command on the RMAD server:
  Install-ADServiceAccount <gMSA AccountName>
- Run the following PowerShell command on the RMAD server to test that the gMSA was installed properly:
  Test-ADServiceAccount <gMSA AccountName>
- Create the Active Directory group "RMAD Backup Operators" and add the gMSA account to this group directly.
- If using pre-installed agents, uninstall and reinstall the agents. This is required to populate the RMAD Backup Operators group SID locally on the DCs.
- Configure the collection properties to set the backup agent access account.
  When entering the gMSA credentials, enter the username as "domain\gmsa$", where gmsa is the service account login name followed by the $ sign, and leave the password fields blank.
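The directory-side steps above (1 to 5) as one PowerShell script, added here as an example and not taken from the original article or from the RMAD product. It assumes the gMSA name svc-rmad, a password-retrieval group named "RMAD gMSA Hosts" and RMAD servers named RMAD01 and RMAD02, and runs on the RMAD server with the ActiveDirectory RSAT module and rights to create objects in the domain.

```powershell
# Added example: builds the gMSA configuration described in the steps above.
# Names below are assumptions; replace them for your environment.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$gmsaName  = 'svc-rmad'                 # assumed gMSA account name (without the trailing $)
$hostGroup = 'RMAD gMSA Hosts'          # assumed group allowed to retrieve the password (step 1)
$opsGroup  = 'RMAD Backup Operators'    # group named in the article (step 5)
$rmadHosts = @('RMAD01', 'RMAD02')      # assumed RMAD server computer names (step 2)

# Prerequisite from the linked Microsoft guide: a KDS root key must exist in the forest.
# A newly added key can take up to 10 hours to replicate before a gMSA can be created.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Step 1: the group that may retrieve the managed password, then the gMSA whose
# PrincipalsAllowedToRetrieveManagedPassword points at that group (least privilege:
# only members of this group can ever read the gMSA password).
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup
}

# Step 2: only the RMAD server machine accounts join the retrieval group.
$computers = $rmadHosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $hostGroup -Members $computers

# Step 5: the backup-operators group; the gMSA is a direct member, not nested.
if (-not (Get-ADGroup -Filter "Name -eq '$opsGroup'")) {
    New-ADGroup -Name $opsGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $opsGroup -Members (Get-ADServiceAccount -Identity $gmsaName)

# Steps 3 and 4: install the gMSA on this RMAD server and verify it can retrieve the
# password. The computer account's new group membership only applies after this host
# obtains a fresh Kerberos ticket (a reboot is the simplest way to force that).
Install-ADServiceAccount -Identity $gmsaName
if (Test-ADServiceAccount -Identity $gmsaName) {
    "Enter '$($domain.NetBIOSName)\$gmsaName`$' as the backup agent access account and leave the password blank."
} else {
    Write-Warning "gMSA $gmsaName is not usable on this host yet; check membership of '$hostGroup' and reboot."
}
```

Steps 6 and 7 (reinstalling pre-installed agents and setting the account in the collection properties) are done in the RMAD console and are not scripted here.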
Note that some items cannot be configured when using the minimum permissions group, such as "Ensure Forest Recovery Agent is deployed". This setting requires DC Administrator access and access to the admin$ share.
If you want this set up, the gMSA will need to be a member of Domain Admins instead of RMAD Backup Operators.