Skip to main content
SnapCenter Software 6.0

Configure gMSA on Windows Server 2016 or later

Contributors netapp-nsriram netapp-soumikd
PDFs

Windows Server 2016 or later enables you to create a group Managed Service Account (gMSA) that provides automated service account password management from a managed domain account.

Before you begin

  • You should have a Windows Server 2016 or later domain controller.

  • You should have a Windows Server 2016 or later host, which is a member of the domain.

Steps

  1. Create a KDS root key to generate unique passwords for each object in your gMSA.

  2. For each domain, run the following command from the Windows domain controller: Add-KDSRootKey -EffectiveImmediately

  3. Create and configure your gMSA:

    1. Create a user group account in the following format:

      domainName\accountName$

    2. Add computer objects to the group.

    3. Use the user group you just created to create the gMSA.

      For example,

      New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames <SPN1,SPN2,…>

    4. Run Get-ADServiceAccount command to verify the service account.

  4. Configure the gMSA on your hosts:

    1. Enable the Active Directory module for Windows PowerShell on the host where you want to use the gMSA account.

      To do this, run the following command from PowerShell:

      PS C:\> Get-WindowsFeature AD-Domain-Services

Display Name                           Name                Install State
------------                           ----                -------------
[ ] Active Directory Domain Services   AD-Domain-Services  Available


PS C:\> Install-WindowsFeature AD-DOMAIN-SERVICES

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Active ...
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is
automatically updated, turn on Windows Update.

    2. Restart your host.

    3. Install the gMSA on your host by running the following command from the PowerShell command prompt: Install-AdServiceAccount <gMSA>

    4. Verify your gMSA account by running the following command: Test-AdServiceAccount <gMSA>

  5. Assign the administrative privileges to the configured gMSA on the host.

  6. Add the Windows host by specifying the configured gMSA account in the SnapCenter Server.

    SnapCenter Server will install the selected plug-ins on the host and the specified gMSA will be used as the service log on account during the plug-in installation.