On the Wojcieh.net blog I found a really nice tutorial on how to create an application user in Active Directory. So I'd like to write a few words about an alternative way to create application users: by using an MSA or, with Windows Server 2012, a gMSA.
What is MSA?
With Windows Server 2008 R2 Microsoft introduced "Managed Service Accounts" to simplify the management of accounts used by applications on different servers. In the old days, administrators created standard domain users, added these users to the local Administrators group on the remote computers, assigned the "Log on as a service" right and, most of the time, set the password to never expire. Moreover, if one wanted to be more secure, the "Deny log on locally" right also had to be set. MSA simplified this: it offers automatic password management (passwords are updated automatically every 30 days) and simplified SPN management, which can be delegated to other administrators.
You can read more about these accounts on TechNet.
What are the limitations of MSA?
One of the advantages, or disadvantages, is that one MSA is bound to only one computer and cannot be used on other computers. Whether this is good or bad depends on your point of view. The functionality to share one MSA across multiple computers was introduced in Windows Server 2012; it is called gMSA and will be covered later in this post.
The following table from the Microsoft TechNet site shows the supported technologies:
| Technology | Can use MSA | Notes |
|---|---|---|
| Microsoft Exchange | Yes | Exchange Server does not allow you to send e-mails from a managed service account on behalf of a service or application. To overcome this limitation, use the managed service account to run the service, but create a separate conventional user account for the service and configure the service to send e-mails using that account. |
| Microsoft IIS | Yes | You can configure IIS application pools to run as managed service accounts. |
| AD LDS | Yes | Specific procedures are required to enable AD LDS support. |
In fact one can configure MS SQL Server to use an MSA, but only for a standalone instance, and this configuration is not supported by Microsoft.
Managed service accounts can be used on computers running at least Windows 7 or Windows Server 2008 R2. To use MSA in a mixed-mode Windows 2003/2008 domain, the schema must first be extended using the adprep command. To do so, perform the following steps:
1. Run adprep /forestprep at the forest level.
2. Run adprep /domainprep in every domain where you want to create and use managed service accounts.
3. Deploy a domain controller running one of the following operating systems in the domain:
– Windows Server 2008 R2
– Windows Server 2008 with the Active Directory Management Gateway Service
– Windows Server 2003 with the Active Directory Management Gateway Service
Here is the link to FAQ about Managed Service Accounts.
However, nowadays MSAs are the past: with the new version of Windows Server, Windows Server 2012, gMSAs were introduced.
gMSA – group managed service account.
Group managed service accounts provide the same functionality as MSAs (sMSA – single managed service accounts), but they can be shared across multiple servers.
The requirements for deploying gMSAs can be found here.
The two most important ones are:
- The Active Directory schema needs to be extended to Windows Server 2012
- A Key Distribution Services (KDS) root key must be deployed
With gMSAs, tasks using Task Scheduler are now supported; however, failover clusters still do not support gMSAs. Services that run on top of the Cluster service can nevertheless use a gMSA or an sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.
In the next post I'll show you how to deploy a gMSA and use it on Windows Server 2012.
Below are some more useful links related to MSA and gMSA.
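As an added example (not code from the original post), here is a PowerShell readiness check for those two requirements. It assumes a domain-joined Windows Server 2012 host with the ActiveDirectory and KDS modules (RSAT or a domain controller); the schema objectVersion values it compares against (47 = Windows Server 2008 R2, 56 = Windows Server 2012) are Microsoft's published schema levels.

```powershell
# Added example: verify the two gMSA prerequisites named above.
# Assumes the ActiveDirectory module (RSAT) and, for the KDS check,
# the KDS module available on Windows Server 2012.
Import-Module ActiveDirectory

function Test-GmsaPrerequisites {
    [CmdletBinding()]
    param ()

    # Read the schema version straight from the schema naming context.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $schemaVersion = [int]$schema.objectVersion

    # The msDS-GroupManagedServiceAccount class exists only from the
    # Windows Server 2012 schema (objectVersion 56) onwards.
    $schemaOk = $schemaVersion -ge 56

    # A KDS root key must exist AND already be effective: by default a new
    # key becomes usable ~10 hours after creation, so that every domain
    # controller has replicated it before gMSA passwords are derived from it.
    $keys = @()
    if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) {
        $keys = @(Get-KdsRootKey -ErrorAction SilentlyContinue)
    }
    $now = Get-Date
    $effectiveKeys = @($keys | Where-Object { $_.EffectiveTime -le $now })

    [pscustomobject]@{
        SchemaVersion       = $schemaVersion
        SchemaSupportsGmsa  = $schemaOk
        KdsRootKeyCount     = $keys.Count
        KdsRootKeyEffective = ($effectiveKeys.Count -gt 0)
        ReadyForGmsa        = ($schemaOk -and ($effectiveKeys.Count -gt 0))
    }
}

$result = Test-GmsaPrerequisites
$result | Format-List

if (-not $result.SchemaSupportsGmsa) {
    Write-Warning "Schema version $($result.SchemaVersion) is below 56: run adprep /forestprep from Windows Server 2012 media first."
}
if ($result.KdsRootKeyCount -eq 0) {
    Write-Warning "No KDS root key found: a domain administrator must create one with Add-KdsRootKey."
}
elseif (-not $result.KdsRootKeyEffective) {
    Write-Warning "A KDS root key exists but is not effective yet; wait for replication (default ~10 hours)."
}
```

Run it once per forest before creating the first gMSA; a schema version of 47 with no KDS root key is the typical picture of a Windows Server 2008 R2 forest that still needs both steps.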
Ask DS Team: Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting
Service Accounts Step-by-Step Guide
Ask PFE Windows Server 2012: Group Managed Service Accounts
Getting Started with Group Managed Service Account
Quick How-To: Managed Service Accounts