If you try to install a group managed service account (gMSA) on a server by using the Install-ADServiceAccount cmdlet you may receive an error message saying:
Cannot install service account. An unspecified error has occured
This may happen if you didn't create the group managed service account by using the parameter -KerberosEncryptionType with value of AES128 or AES256. The Kerberos etype parameter is not mandatory and need not to be specified if you do not restrict possible Kerberos etypes on the server. But if the server, which you plan to install the service account on, restricts Kerberos encryption types to AES only, you have to configure the encryption types on the gMSA as well.
If you want to check if your server restricts the available Kerberos etypes, you can check the following local security policy value:
Security settings - Local Policies - Security Options
Network Security: Configure encryption types allowed for Kerberos
If you see that only AES encryption types are allowed in the server's policy, you must use the -KerberosEncryptionType parameter and specify either the AES128 or the AES256.