Configure gMSA on Windows Server 2012 or later

Contributors: netapp-nsriram

Windows Server 2012 or later enables you to create a group Managed Service Account (gMSA) that provides automated service account password management from a managed domain account.

What you will need

  • You should have a Windows Server 2012 or later domain controller.

  • You should have a Windows Server 2012 or later host, which is a member of the domain.

Steps

  1. Create a KDS root key to generate unique passwords for each object in your gMSA.

  2. For each domain, run the following command from the Windows domain controller: Add-KDSRootKey -EffectiveImmediately

  3. Create and configure your gMSA:

    1. Create a user group account.

    2. Add computer objects to the group.

    3. Use the user group you just created to create the gMSA.

      For example,

      New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames <SPN1,SPN2,…>
    4. Run the Get-ADServiceAccount command to verify the service account.

  4. Configure the gMSA on your hosts:

    1. Enable the Active Directory module for Windows PowerShell on the host where you want to use the gMSA account.

      To do this, run the following command from PowerShell:

      PS C:\> Get-WindowsFeature AD-Domain-Services
      
      Display Name                           Name                Install State
      ------------                           ----                -------------
      [ ] Active Directory Domain Services   AD-Domain-Services  Available
      
      
      PS C:\> Install-WindowsFeature AD-DOMAIN-SERVICES
      
      Success Restart Needed Exit Code      Feature Result
      ------- -------------- ---------      --------------
      True    No             Success        {Active Directory Domain Services, Active ...
      WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is
      automatically updated, turn on Windows Update.
    2. Restart your host.

    3. Install the gMSA on your host by running the following command from the PowerShell command prompt: Install-AdServiceAccount <gMSA>

    4. Verify your gMSA account by running the following command: Test-AdServiceAccount <gMSA>

  5. Assign administrative privileges to the configured gMSA on the host.

  6. Add the Windows host by specifying the configured gMSA account in the SnapCenter Server.

    SnapCenter Server installs the selected plug-ins on the host, and the specified gMSA is used as the service logon account during the plug-in installation.
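The procedure above as an added PowerShell script, not taken from the SnapCenter documentation; the group name SnapCenterHosts, the account svc-snapcenter, the FQDN and the host names are placeholders. Beyond the steps themselves, the domain-controller part checks that only the intended group is allowed to retrieve the managed password, since that group is what limits which machines can act as the account.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the SnapCenter project's own code. All names below are placeholders.

# --- Run on the domain controller (steps 1 to 3) -----------------------------
$GroupName = 'SnapCenterHosts'             # members may retrieve the gMSA password
$gMsaName  = 'svc-snapcenter'              # gMSA name (sAMAccountName without the trailing $)
$DnsHost   = 'svc-snapcenter.example.com'  # placeholder DNSHostName
$HostNames = @('SCHOST01', 'SCHOST02')     # computer objects that will run the plug-ins

# Steps 1-2: create the KDS root key if none exists. Even with -EffectiveImmediately
# the key is usable on every DC only after it has replicated (about 10 hours).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Steps 3a-3b: the group that limits who can retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
}
foreach ($h in $HostNames) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $h)
}

# Step 3c: create the gMSA; add -ServicePrincipalNames here if the service needs SPNs.
New-ADServiceAccount -Name $gMsaName -DNSHostName $DnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName

# Step 3d plus a least-privilege check: anything other than the intended group
# listed here means more machines than planned can act as this account.
$acct = Get-ADServiceAccount -Identity $gMsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$expected = (Get-ADGroup -Identity $GroupName).DistinguishedName
$extra = @($acct.PrincipalsAllowedToRetrieveManagedPassword) | Where-Object { $_ -ne $expected }
if ($extra) {
    Write-Warning "Unexpected principals may retrieve the password: $($extra -join ', ')"
}

# --- Run on each member host (step 4), after installing the AD module and rebooting ---
# The RSAT-AD-PowerShell feature alone provides the module; the page installs the
# full AD-Domain-Services role, which also includes it.
# Install-WindowsFeature RSAT-AD-PowerShell
# Install-ADServiceAccount -Identity $gMsaName
# if (-not (Test-ADServiceAccount -Identity $gMsaName)) {
#     throw "gMSA $gMsaName is not usable on $env:COMPUTERNAME"
# }
```

Test-ADServiceAccount returning False on a host is the usual sign that the host's computer object is not in the group, or that the KDS root key has not yet replicated.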