Maroli ICT

GMSA: SERVER PREPARATION AND MODIFY THE INSTALL

In my previous blogs I talked about what Group Managed Service accounts are, what you need to have enabled in your Active Directory and the AD objects we needed before we can even think about using them to ease our SQL installation.

But we are not there yet. In this blog post I will talk about further AD Actions and what you can do to install your server immediately with that GMSA account.

As we saw previously, we have a GMSA account now, a Group where we need to put the computeraccounts in and something arranged for getting our Service Principle Names. 

The next step is that we add the computeraccount to the group and have make sure the computer we are using is aware of that. Therefore we can fire up the next powershell command (best option is to do this on the server where you want to use your Group Managed Service Account, if this gives errors, you probably have firewall issues):

add-adgroupmember -identity <> -members <>

If you want to do this for a foreign doman, you can add -Server <Domain name>. 

Now the computer is added to the group for using the GMSA account, the computer must know this. We noticed, that for Windows 2016 this almost is direct, for Windows 2012R2 it is not. But, in most cases you see that Microsoft recommends to reboot  your system. I wan’t stop you from doing this, but it might come in handy that there is a command which you can use to throw away all your kerberos tickets for the computer and retrieve a new set. The command is:

klist purge li 0x3e7

This can do the trick also.

Now it is time to modify your installation routines. You can install your server by using a configuration file. In the configuration file there are entries for the Service account name of SQL Server. A GMSA account can be entered there like <domain>\<GMSAAccountName>$. You can use the same account for the agent also, but I would suggest to not use this. This would users of sqlagent enforce to use a proxy account. 

Next time I will tell something about setting up delegations to other SQL Server services.