Many applications like SQL Server and IIS uses services accounts that should be configured to start with domain user accounts with SPN functionalities and it’s some times hard to manage this accounts and ensure availability of services when we reset passwords.
Using Managed Services Accounts will improve the administration process of this services and ensure the availability of related applications.
System Requirements
To use managed services accounts :- Services must run on Windows Server 2008 R2 or Windows 7 computers
- Domain level Windows Server 2008 R2 support natively automated management for passwords and SPN for those services accounts
- If the domain functional level is not yet Windows Server 2008 R2 but the AD Schema is updated to Windows Server 2008 R2, managed services account can be used, but just automated password management will be available
- To use Managed Services Accounts on Windows Server 2008 or Windows Server 2003 domains or mixed domains we should firstly :
- run adprep /forestprep at the forest level
- run adpprep /domainprep on every domain that will use Managed Services Accounts
- Install a Windows Server 2008 R2 domain controller or Windows Server 2008 with AD Management Gateway Service or Windows Server 2003 with AD Management Gateway Service, AD Management Gateway Service will give us the ability to use PowerShell commands needed for Managed Services Accounts administration.
- Computers that will host services configured with managed services accounts must have .NET Framework and AD Windows PowerShell module installed
Installing system requirements on Windows Server 2008 R2
1
| Start Server Manager  |
| 2 | Select Features and then click on Add Feature  |
| 3 | Select .NET Framework 3.5.1 features  |
| 4 | Select Active Directory module for Windows PowerShell under Remote Server Administration Tools | Role Administration Tools | AD DS and AD LDS Tools  |
| 5 | Click Next  |
| 6 | Click Install  |
| 7 | Restart the server if necessary |
Install System Requirements on Windows 7
- Download Remote Server Administration Tools for Windows 7
- Install the update
- Add .NET Framework 3.5.1 and AD module for Windows PowerShell features
- Restart the computer
Create and configure a Managed Service Account
| 1 | Start Windows PowerShell for AD  |
| 2 | Create the managed services account by running the following command : New-AddServiceAccount <Nom Du Compte> -AccountPassword (ConvertTo-SecureString –AsPlainText “<mot de passe>” –Force) –Enabled $true –Path “CN=Managed Service Accounts,DC=<Domain Name>,DC=COM”  |
| 3 | Associate the managed service account with the client computer by running the following command : Add-ADComputerServiceAccount –Identity <Nom Ordinateur> –ServiceAccount <Nom du compte>  |
| 4 | Install the managed service account on the client computer (this command should be run on the computer that will hot the service) Install-ADServiceAccount –Identity <Nom du compte>  |
| 5 | Verify that the msDS-HostServiceAccount attribute for the computer account was updated by the managed service account. use ADSI Edit to verify this value.  |
Using the Managed Service Account
After the creation of the Managed Service Account and it’s association with the computer account we can use it to start services on that computer.For this case we will use it to start SQL Server Reporting Services
| 1 | From the Services management console double click on the SQL Server Reporting Services  |
| 2 | On the Log On tab check This account and click Browse to find the managed service account created on the previous step. Leave the password as blank and click Ok NB : verify that the name of the account finish with $  |
| 3 | Start the service  |
| 4 | Verify that the service is started |
Aucun commentaire:
Enregistrer un commentaire