Setting up Group Managed Service Account on Windows Server 2012 R2

Posted by Moo MinTroll on Server Fault
Published on 2014-06-06T15:09:38Z

I have a Windows 2012 R2 domain controller called cox.win.testlab. I have set up a group of hosts where I would like to use a gMSA (Group Managed Service Account). This group is called SQLManagedHosts.

I created the account by following these steps in PowerShell on the domain controller:

PS C:\Windows\system32> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

Guid
----
9b68b1e7-db76-c4e4-4978-63c2965e5596

PS C:\Windows\system32> New-ADServiceAccount mSQL -DNSHostName cox.win.testlab -PrincipalsAllowedToRetrieveManagedPassword SQLManagedHosts

PS C:\Windows\system32> Get-ADServiceAccount msql

DistinguishedName : CN=mSQL,CN=Managed Service Accounts,DC=win,DC=testlab
Enabled           : True
Name              : mSQL
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : cf9df74a-38e0-4d7a-856e-9af882b08800
SamAccountName    : mSQL$
SID               : S-1-5-21-3443997112-87545443-1733229669-1602
UserPrincipalName :

On one of the hosts listed in SQLManagedHosts, I ran:

PS C:\Windows\system32> Install-ADServiceAccount msql
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount msql
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (mSQL:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Any ideas why it might be failing? All servers involved are Windows Server 2012 R2.
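
An added example, not part of the original post: a read-only pre-flight check to run on a member host before Install-ADServiceAccount, using the account name mSQL from the post. It assumes the ActiveDirectory PowerShell module is installed on that host; the function name Test-GmsaPrerequisite is hypothetical, and the boot-time comparison is a heuristic, not an authoritative test.

```powershell
# Added example: read-only checks, run on the host that should use the gMSA.
# Assumption: the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

function Test-GmsaPrerequisite {   # hypothetical helper name
    param([string]$AccountName = 'mSQL')

    # Principals (as distinguished names) allowed to retrieve the managed password.
    $gmsa = Get-ADServiceAccount -Identity $AccountName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    $allowed = $false
    $changedSinceBoot = $false
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $dn -Properties whenChanged
        if ($principal.ObjectClass -eq 'group') {
            # Nested groups count, so expand membership recursively.
            $members = Get-ADGroupMember -Identity $dn -Recursive
            if ($members.DistinguishedName -contains $computer.DistinguishedName) {
                $allowed = $true
                # A computer picks up new group memberships only when it gets a
                # new Kerberos ticket (for example after a restart). Heuristic:
                # flag groups modified after this host last booted.
                if ($principal.whenChanged -gt $lastBoot) { $changedSinceBoot = $true }
            }
        } elseif ($dn -eq $computer.DistinguishedName) {
            $allowed = $true   # computer account listed directly
        }
    }

    # Only ask the DC for the password check when the directory data says
    # this host is permitted; otherwise report False without the call.
    $canUse = if ($allowed) { Test-ADServiceAccount -Identity $AccountName } else { $false }

    [pscustomobject]@{
        Account               = $gmsa.SamAccountName
        Computer              = $computer.Name
        AllowedToRetrieve     = $allowed
        GroupChangedSinceBoot = $changedSinceBoot
        TestADServiceAccount  = $canUse
    }
}

Test-GmsaPrerequisite
```

AllowedToRetrieve reflects what the directory says, while GroupChangedSinceBoot and TestADServiceAccount indicate whether this host's current logon session is likely to reflect it.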

© Server Fault or respective owner
