I'm trying to add an AD Managed Service Account and my first attempt was as follows:
New-ADServiceAccount -DNSHostName VM-Backup-Service -Name "VM Backup" -samAccountName VM_Backup -Path "OU=AD_Managed_Service_Accounts,DC=company,DC=local"
This command basically hung, I think because I pointed DNSHostName to something non-existent because I didn't do enough reading. I then tried to correct it and point it at the master DC using its FQDN:
New-ADServiceAccount -DNSHostName AUDC.company.local -Name "VM Backup" -SamAccountName VM_Backup -Path "OU=AD_Managed_Service_Accounts,DC=company,DC=local"
The problem I have now is that AD says the account already exists:
New-ADServiceAccount : The specified account already exists
Which would be no big problem, if I could actually find said account in order to remove it before re-adding it correctly. I've tried tracking it down with:
Get-ADServiceAccount -filter 'samAccountName -like "*VM_Backup*"'
Get-ADUser -filter 'samAccountName -like "*VM_Backup*"'
And the following returns nothing, which implies there are no Service Accounts in the domain?
Get-ADServiceAccount -filter *
If anyone has suggestions for ways to track it down, it would be much appreciated. The only hints I have are that I know I specified the samAccountName in the commands above, and the snippet of the CN=VM Backup that is returned when it says the account already exists:
New-ADServiceAccount : The specified account already exists
At line:1 char:1
+ New-ADServiceAccount -DNSHostName yyy-server-001.companydomain.local ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceExists: (CN=VM Backup,OU...ompany,DC=local:String) [New-ADServiceAccount], ADIdentityAlreadyExistsException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
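One way to hunt for the half-created object, as an added example that is not part of the original question: Get-ADServiceAccount only returns msDS-ManagedServiceAccount and msDS-GroupManagedServiceAccount objects and Get-ADUser only user objects, so an object that was created with an unexpected class, or that is already tombstoned, is invisible to both. Searching with Get-ADObject across every object class, and again with -IncludeDeletedObjects, covers those cases. The CN "VM Backup" and sAMAccountName "VM_Backup" come from the error text above; note that New-ADServiceAccount stores the sAMAccountName with a trailing "$", so that variant is included in the filter. The removal at the end runs with -WhatIf so nothing is deleted until you drop that switch.

```powershell
# Added example, not from the original question. Finds any object in the domain
# whose CN or sAMAccountName matches the half-created service account, regardless
# of object class, then looks in the Deleted Objects container as well.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Live objects of any class. A (g)MSA's sAMAccountName carries a trailing '$'.
$live = Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(|(cn=VM Backup)(sAMAccountName=VM_Backup)(sAMAccountName=VM_Backup$))' `
    -Properties objectClass, sAMAccountName, whenCreated, distinguishedName

$live | Select-Object Name, objectClass, sAMAccountName, whenCreated, distinguishedName

# 2. Tombstoned / recycled objects. Deleted objects are renamed to
#    "<name>\0ADEL:<guid>", so match on a prefix. Reading CN=Deleted Objects
#    needs Domain Admin (or explicitly delegated) rights.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'Name -like "VM Backup*" -or sAMAccountName -like "VM_Backup*"' `
    -Properties objectClass, sAMAccountName, isDeleted, whenChanged

$deleted | Select-Object Name, objectClass, sAMAccountName, isDeleted, whenChanged

# 3. Once the live object is identified, remove it. -WhatIf only reports what
#    would happen; remove the switch after checking the distinguishedName.
foreach ($obj in $live) {
    Remove-ADObject -Identity $obj.DistinguishedName -WhatIf
}
```

If step 1 returns nothing but the error persists, compare results against each DC with -Server, since a DC that has not yet replicated the deletion (or the creation) will answer differently.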
Best Answer
So I believe there were multiple parts to solving this:
The DC had only recently been rebuilt (following an AD corruption). Turns out it allows time for convergence between DCs before allowing service accounts to be created (https://social.technet.microsoft.com/Forums/windows/en-US/82617035-254f-4078-baa2-7b46abb9bb71/newadserviceaccount-key-does-not-exist?forum=winserver8gen). As there was only one DC in this environment, convergence was not an issue, so I ran the command suggested in the article (as per below). Either this step alone, or in concert with step 1, was sufficient to resolve the issue. Why AD thought the object existed prior to these steps rather than just rejecting the command outright, I have no clue.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
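A fuller version of that sequence, as an added example that is not part of the original answer: check whether a KDS root key is already effective before creating one, create the gMSA with the managed password restricted to the one computer that needs it, and verify the account from that host. The host name vm-backup-01.company.local and the computer account VM-BACKUP-01$ are placeholders. The backdated -EffectiveTime is the same trick the answer used; it tells every DC the key is already valid, so it is only safe when there is a single DC (as here) or in a lab. With several DCs, the default 10-hour delay exists so the key replicates everywhere before a gMSA password is derived from it, and a DC that has not yet received the key cannot compute the password.

```powershell
# Added example, not from the original answer. Creates a gMSA only after a KDS
# root key is usable, scopes password retrieval to one host, and verifies it.
Import-Module ActiveDirectory

# A (g)MSA password is derived from a KDS root key, so one must be effective now.
$effectiveKey = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }

if (-not $effectiveKey) {
    # Multi-DC default: the key becomes effective 10 hours after creation,
    # giving replication time to reach every DC.
    #   Add-KdsRootKey -EffectiveTime (Get-Date)
    # Single-DC / lab shortcut (what the answer did): backdate so it is
    # effective immediately. Do not use this where other DCs may lag.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Placeholder names. Only the backup host's computer account may retrieve the
# managed password; no user ever learns it.
New-ADServiceAccount -Name 'VM_Backup' `
    -DNSHostName 'vm-backup-01.company.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'VM-BACKUP-01$' `
    -Path 'OU=AD_Managed_Service_Accounts,DC=company,DC=local'

# Confirm the object landed where expected and with the expected class.
Get-ADServiceAccount -Identity 'VM_Backup' -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# Then, on vm-backup-01 (RSAT AD module installed, run as an administrator):
#   Install-ADServiceAccount -Identity 'VM_Backup'
#   Test-ADServiceAccount -Identity 'VM_Backup'    # returns True when the host can retrieve the password
```

If Test-ADServiceAccount returns False on the host, the usual causes are the computer account not being in PrincipalsAllowedToRetrieveManagedPassword, the host not having refreshed its Kerberos ticket since being added (reboot or klist purge), or the KDS root key not yet being effective on the DC the host talks to.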