Hello Nguyen, Tien Lam,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I will try to clarify your doubts regarding this issue. So, the gMSA supports multiple hosts and is intended for scenarios like high availability, where multiple agents may run across several servers. On your second server, by selecting "Create gMSA," the installer checks Active Directory. If the specified gMSA already exists, it does not overwrite or recreate it, but ensures the new server is given necessary permissions to use the account. This avoids any interruption or interference with your initial agent/server and maintains seamless service sharing. Using "Use custom gMSA" is generally reserved for scenarios where you manage the gMSA manually, usually for more advanced, custom environments.
So, on your second server, during the configuration step (the screen shown in your image), you can choose Create gMSA, which is the best option to avoid impacting the first server.
- System Detection: The provisioning agent installer (AADConnectProvisioningAgentSetup.exe) is designed to check if a gMSA with the default name (e.g., provAgentgMSA$) already exists in the domain.
- Reuse and Enrollment: If the installer detects the existing account, it will not create a new gMSA. Instead, it performs two essential actions:
  - It enrolls the second server (the host computer) to the existing gMSA's security principal list. This allows the second server to retrieve and use the gMSA's credentials securely.
  - It ensures the existing gMSA has the necessary Active Directory permissions (e.g., UserGroupCreateDelete for Cloud HR provisioning) to function on the new server.
- Since the second server is simply joining the list of permitted users for the existing gMSA, there is no negative impact on the first server. Both servers will run the Microsoft Azure AD Connect Provisioning Agent service using the same, shared gMSA, providing the desired HA.
You can follow the doc below for details of the agent installation process, including the gMSA configuration for high availability deployments: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-install
More details at: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud
https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/gmsa-cloud-sync
NOTE: Multiple agents are supported for Workday inbound provisioning and provide HA automatically, no primary/secondary configuration required.
Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well.
If you need more info, feel free to ask in the comments. Happy to help!
Regards,
Monalisha
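Editor's note: the following PowerShell script is an added example, not part of the answer above and not Microsoft's installer code. It verifies, after the installer has finished on the second server, the two effects the answer describes: that the shared gMSA still exists (was not recreated) and that the second server's computer account is now among the principals allowed to retrieve its managed password, so the service can run under it. It assumes the RSAT ActiveDirectory module is installed on the server where it runs, that the gMSA uses the default name quoted in the answer (provAgentgMSA), and that the agent service is identified by the display name the answer gives; adjust those values if your deployment differs.

```powershell
# Added verification script (not from the original answer or from Microsoft).
# Assumptions: RSAT ActiveDirectory module present; gMSA named provAgentgMSA
# (the default name quoted in the answer); run on the newly added server.
Import-Module ActiveDirectory

$gmsaName    = 'provAgentgMSA'                # default gMSA name from the answer
$serviceName = 'Microsoft Azure AD Connect Provisioning Agent'  # display name from the answer

# 1. Confirm the shared gMSA still exists and read its allowed-principal list.
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword, whenCreated
Write-Host "gMSA $($gmsa.SamAccountName) created $($gmsa.whenCreated)"
# A whenCreated timestamp that predates the second install shows the account
# was reused rather than recreated.

# 2. Resolve each allowed principal to a readable name/type.
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    Get-ADObject -Identity $dn -Properties objectClass |
        Select-Object Name, objectClass, DistinguishedName
}
Write-Host "Principals allowed to retrieve the managed password:"
$allowed | Format-Table Name, objectClass -AutoSize

# 3. Is this server authorized, directly or through a group?
$me = Get-ADComputer -Identity $env:COMPUTERNAME
$direct = $allowed | Where-Object { $_.DistinguishedName -eq $me.DistinguishedName }
$viaGroup = $allowed |
    Where-Object { $_.objectClass -eq 'group' } |
    Where-Object {
        (Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
            Where-Object { $_.DistinguishedName -eq $me.DistinguishedName })
    }

if ($direct)       { Write-Host "$($me.Name) is listed directly on the gMSA." }
elseif ($viaGroup) { Write-Host "$($me.Name) is authorized via group $($viaGroup.Name)." }
else               { Write-Warning "$($me.Name) is NOT allowed to retrieve the gMSA password." }

# 4. Ask the local host to actually retrieve the managed password.
#    Test-ADServiceAccount returns $true only when this computer can do so.
if (Test-ADServiceAccount -Identity $gmsaName) {
    Write-Host "Test-ADServiceAccount: this host can use $gmsaName."
} else {
    Write-Warning "Test-ADServiceAccount failed for $gmsaName on this host."
}

# 5. Confirm the agent service runs under the shared gMSA on this server.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$serviceName'"
if ($svc) {
    Write-Host "Service '$($svc.DisplayName)' runs as $($svc.StartName), state $($svc.State)"
} else {
    Write-Warning "Service '$serviceName' not found on this host."
}
```

Run the same script on the first server as well: both hosts should report $true from Test-ADServiceAccount and the same account in the service's StartName, which is the condition for the shared-gMSA high-availability setup the answer describes. If the second server is missing from the allowed-principal list, that is a configuration problem to fix through the documented installer flow rather than by editing the gMSA by hand.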