Wednesday, July 10, 2019

How To Configure Managed Service Accounts Windows Server 2016


Managed Service Account (MSA) Is a new type of Active Directory Account type where AD responsible for changing the account password every 30 days.

With MSA no one needs to set up the account password or even know it, the entire password management process Is managed by Active Directory.
In my example, I’ll use the Managed Service Account to run my IIS Application Pool.
Requirements
To use MSA, Active Directory forest level will have to be set to Windows Server 2012 at a minimum.
You will need Active Directory Management Tools to run the cmdlets In this post
Before we start
I have to say that before I wrote this article I visited a few blogs and most of them overcomplicated the process, This post will show you how to deploy MSA In 10 minutes.
Just make sure to test it in the lab before deploying Into production.
Master Root key
The first step In the MSA deployment process Is to create a Master root Key using the cmdlet below.

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) -Verbose


Create Service Account
To create and configure the service. I’ll use 4 cmdlets.
The first cmdlet will create the account and also create a DNS name for the account.

New-ADServiceAccount sms -DisplayName "WDS Service" -DNSHostName sms.test.local

Once the account has been created, I will grant the Server (WDS) 
access to it, which mean the Server (WDS) will have permission to 
request a password reset every 30 days from Active Directory.

I could add multiple server names If needed.

Set-ADServiceAccount sms -PrincipalsAllowedToRetrieveManagedPassword wds$

With the cmdlet below, I can test the account (return result should be true).

Test-ADServiceAccount sms |fl

And the final cmdlet will Install the Service Account on the WDS Server.

install-ADServiceAccount sms


Set Windows Service
To setup Windows Server service to use the managed Service account, I’ll open the service and use the format below

Test\sms$ without typing the password.



If the account needs the log in as a service right you will see the prompt below.



Once configured, I can start the service



Just remember that If the service account needs to be part of the Domain Admins group or any other group you will need to add the service to the group as well.
SET IIS Application Pool
Next, I’ll configure IIS Application Pool to use the Service Account.

Using the Application Pools menu and right click on the DefaultAppPool



Select Advanced Settings



In the Advanced Setting -> Process Model -> Identity I’ll change the account



No need to type the password



As you can see below, The Application Pool started and Is using the Service Account.


Get-ADServiceAccount -Filter *

Rollback
To remove the Service Account from Active Directory, I’ll use the cmdlet below:

Remove-adservcieaccount sms

To remove the account from a Windows service, I’ll run the line below (from command line) with the service name


sc config audiosvr obj= test\Admin password=Password123

No comments:

Post a Comment