Wednesday, December 5, 2018

Recipe - Using a Managed Service Account with Windows 2016

1. On the domain controller make sure you have installed the AD module feature and then

New-ADServiceAccount -Name msasql -Enabled $true

On Windows Server 2012 and later this creates a group managed service account, which requires a DNS host name, so the full form is:

New-ADServiceAccount -Name msasql -DNSHostName <dns-host-name> -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"

Replace <dns-host-name> with the DNS name of the host or service that will use the account, and replace "Domain Computers" with the specific computer accounts (or a security group containing them) that are allowed to retrieve the password. Leaving it as "Domain Computers" lets every domain-joined machine read the account's password.

If you get access denied, the KDS root key probably does not exist yet; create it first:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Backdating the effective time makes the key usable immediately instead of after the default 10-hour replication window. Only do this in a lab or single-DC domain; in production create the key normally and wait for it to replicate.


2. On the domain controller, allow the computer that will run the service (here mia-sql) to use the account:

Add-ADComputerServiceAccount -Identity mia-sql -ServiceAccount msasql

3. Go to the computer where you will use the managed account. Make sure you have installed the AD PowerShell feature and then

Install-ADServiceAccount -Identity msasql

4. Open SQL Server Configuration Manager and change the appropriate service to use this account. Make sure you append a dollar sign to the account name, e.g. contoso\msasql$, and leave the password fields blank.
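The four steps above, written as one script that keeps the password-retrieval grant narrow and adds an audit of every gMSA in the domain. This is an added example, not code from the original post; it assumes the ActiveDirectory module is loaded, and the names msasql, mia-sql, contoso.com and gMSA-SQL-Hosts are placeholders to replace with your own. Run the creation part on a domain controller and the Install/Test lines on the SQL host.

```powershell
# Added example, not from the original post. All names below are placeholders.
Import-Module ActiveDirectory

$AccountName = 'msasql'          # the gMSA to create
$HostName    = 'mia-sql'         # computer that will run SQL Server
$DomainDns   = 'contoso.com'     # DNS name of the domain
$HostGroup   = 'gMSA-SQL-Hosts'  # group of computers allowed to fetch the password

# 1. A KDS root key must exist before any gMSA can be created. Outside a lab,
#    do not backdate it; let the default 10-hour replication window elapse.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning "KDS root key created; it is usable on other DCs only after replication (about 10 hours)."
}

# 2. A dedicated security group holds the only computers that may retrieve the
#    password. Granting "Domain Computers" instead would let every
#    domain-joined host read it.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the $AccountName gMSA password"
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $HostName)

# 3. Create the gMSA restricted to that group, AES-only Kerberos, 30-day rotation
#    (the rotation interval can only be set at creation time).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "$AccountName.$DomainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -Enabled $true
}

# 4. On the SQL host, after a reboot so its Kerberos ticket carries the new
#    group membership, install the account and confirm it can fetch the password:
#       Install-ADServiceAccount -Identity msasql
#       Test-ADServiceAccount  -Identity msasql     # must return True
#    Then set the service to contoso\msasql$ in SQL Server Configuration Manager.

# Audit: list every gMSA with the principals allowed to retrieve its password and
# flag grants to broad groups (Domain Computers, Domain Users, Everyone S-1-1-0,
# Authenticated Users S-1-5-11).
function Get-GmsaRetrievalAudit {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $principals = @($_.PrincipalsAllowedToRetrieveManagedPassword)
            [pscustomobject]@{
                Name       = $_.Name
                Principals = ($principals -join '; ')
                Broad      = [bool]($principals | Where-Object {
                                 $_ -match 'Domain Computers|Domain Users|S-1-1-0|S-1-5-11' })
            }
        }
}

Get-GmsaRetrievalAudit | Format-Table -AutoSize
```

Any row with Broad set to True is an account whose password can be retrieved by far more hosts than need it; tighten it with Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword and a purpose-built group as above.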

If you need to roll the password use