All,
I have a Server 2012 R2 forest with an empty root and two child domains. Everything is Server 2012 R2 end-to-end. I've installed Windows Server Backup on a DC in each domain. I've created separate gMSAs in each domain, added them to Domain Admins in their respective domains, and installed them on each of the three DCs to be backed up. I created a share on a server in one of the child domains and gave Domain Admins from each domain full control at the share and security ACL levels.
I'm creating scheduled tasks to run as gMSAs and they run powershell.exe with the arguments of "wbadmin.exe start systemstatebackup -backupTarget:\\server.contoso.com\backup -quiet"
Backups on each of the child domains work fine. However, the backup on the root DC is failing with "Error Value: 2147943785" when running as the gMSA. If I switch the user running to use my domain admin account, it runs without issue.
I've added the gMSA to the local domain admins, backup operators, administrators, even schema and enterprise admins, but nothing works. I've deleted and re-created the gMSA with different names and different principals allowed to recover the managed password.
I understand that the error value indicates the account doesn't have rights to run as a batch job, but all of the groups in which it's a member do have that right, and I've added the account explicitly to the run as a batch job list, but it still fails.
Any ideas? Is there a reason a gMSA from a parent domain couldn't talk to a child domain? The trusts are built transitive and there are no issues with communications between the two child domains.
This is a test domain, and I'd hate to burn hours to call support. Hope someone can help.
Ron Arestia, MCSA (Server 2012)