Setting up Group Managed Service Account on Windows Server 2012 R2
I have a Windows 2012 R2 domain controller called cox.win.testlab
. I have set up a group of hosts where I would like to use a gMSA (Group Managed Service Account). This group is called SQLManagedHosts
.
I created the account by following these steps in Powershell on the domain controller:
PS C:\Windows\system32> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
Guid
----
9b68b1e7-db76-c4e4-4978-63c2965e5596
PS C:\Windows\system32> New-ADServiceAccount mSQL -DNSHostName cox.win.testlab -PrincipalsAllowedToRetrieveManagedPassword SQLManagedHosts
PS C:\Windows\system32> Get-ADServiceAccount msql
DistinguishedName : CN=mSQL,CN=Managed Service Accounts,DC=win,DC=testlab
Enabled : True
Name : mSQL
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : cf9df74a-38e0-4d7a-856e-9af882b08800
SamAccountName : mSQL$
SID : S-1-5-21-3443997112-87545443-1733229669-1602
UserPrincipalName :
On one of the hosts listed in SQLManagedHosts, I ran:
PS C:\Windows\system32> Install-ADServiceAccount msql
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount msql
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (mSQL:String) [Install-ADServiceAccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount
Any ideas why it might be failing? All servers involved are Windows Server 2012 R2.
If you have only recently created the SQLManagedHosts security group and added your computer objects to it, you will have to restart the server for group membership to take effect. Since the server is not a member of the security group if you don't, retrieving the managed password will fail.
You will need to keep this in mind when planning security groups for group MSAs.