gMSA accounts can be used as the Log On accounts for the Engine services nfserverr2, nfwebcvs, and ScopeSvc, provided the following conditions are met:
(CE1) The gMSA account must be installed on the Engine server.
(CE2) The gMSA account must be a member of the local Administrators group.
(CE3) The gMSA account must have Read permissions on the following registry keys: HKEY_LOCAL_MACHINE\SECURITY\POLICY and HKEY_LOCAL_MACHINE\SECURITY.
It is recommended to first install the Continuity Engine cluster (Primary + standby nodes) using the defaults, i.e. the Local System account, and then, after installation, reconfigure the Engine services to use the gMSA account.
If the EMS service is configured with a gMSA account (EMS1), then, before installing Engine on the Primary server, make sure that conditions (CE1), (CE2) and (CE3) are met on the target (Primary) server.
Deploy the Continuity Engine cluster using the default services log on account (Local System); by default, the Engine services are configured with the Local System account during installation on the Primary server. Once conditions (CE1), (CE2) and (CE3) are met:
On the Primary: configure the Engine services to run under the gMSA log on account.
On each standby (Secondary/Tertiary):
 - make the Secondary/Tertiary active
 - check that conditions (CE1), (CE2) and (CE3) are fulfilled
 - configure the Engine services to run under the gMSA log on account
Adding or configuring a User Account for Tasks when NFServerR2 is configured with a gMSA account requires that the gMSA account is granted the Replace a process level token user right (configured in Local Security Policies → Local Policies → User Rights Assignment). This configuration must be done on all the Engine nodes.
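The following PowerShell check is an added example, not part of the Continuity Engine documentation: run elevated on each Engine node, it reports whether (CE1), (CE2) and (CE3) hold for a gMSA and whether the gMSA holds the Replace a process level token right (SeAssignPrimaryTokenPrivilege) needed for Tasks. It assumes the RSAT ActiveDirectory module is installed; the default gMSA name is a placeholder.

```powershell
# Added example, not part of the Continuity Engine documentation: per-node
# readiness check before moving nfserverr2/nfwebcvs/ScopeSvc to a gMSA.
# Assumptions: runs elevated, RSAT ActiveDirectory module installed,
# $GmsaName is a placeholder sAMAccountName (without the trailing $).
param([string]$GmsaName = 'svc_engine_gmsa')
Import-Module ActiveDirectory
$sid = (Get-ADServiceAccount -Identity $GmsaName).SID
$nt  = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\name$

# (CE1) gMSA installed on this host and its password retrievable
$ce1 = Test-ADServiceAccount -Identity $GmsaName

# (CE2) direct membership of the local Administrators group, matched by SID
$ce2 = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object { $_.SID -eq $sid })

# (CE3) an Allow ACE granting at least ReadKey to the gMSA on both SECURITY keys.
# Administrators hold READ_CONTROL on HKLM\SECURITY by default, so Get-Acl works
# even though the key contents are not readable; access denied counts as a failure.
function Test-GmsaReadAce([string]$Path) {
    try {
        $read = [System.Security.AccessControl.RegistryRights]::ReadKey
        $hit = (Get-Acl -Path $Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $nt -and
            ($_.RegistryRights -band $read) -eq $read
        }
        return [bool]$hit
    } catch { Write-Warning "${Path}: $($_.Exception.Message)"; return $false }
}
$ce3 = (Test-GmsaReadAce 'HKLM:\SECURITY') -and (Test-GmsaReadAce 'HKLM:\SECURITY\POLICY')

# Tasks prerequisite: "Replace a process level token" = SeAssignPrimaryTokenPrivilege.
# secedit lists the holders of each right as *SID entries; look for the gMSA SID.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line  = (Select-String -Path $inf -Pattern '^SeAssignPrimaryTokenPrivilege' | Select-Object -First 1).Line
$token = [bool]($line -and $line.Contains("*$($sid.Value)"))
Remove-Item $inf -ErrorAction SilentlyContinue

[pscustomobject]@{
    Node = $env:COMPUTERNAME; CE1 = $ce1; CE2 = $ce2; CE3 = $ce3
    ReplaceProcessLevelToken = $token
} | Format-List
```

The CE2 and CE3 checks only detect grants made directly to the gMSA; a grant inherited through group membership is not reported, so a False there means "verify by hand", not necessarily "missing".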
The DNSUpdate task does not support gMSA accounts (a gMSA cannot be configured as its Run As account).
Engine plugin configuration does not support gMSA accounts.
The gMSA account configuration is not preserved across EMS and Engine upgrades: the service log on accounts are reset to the defaults.