1. On the domain controller, make sure the Active Directory PowerShell module feature is installed, then run:
New-ADServiceAccount -Name msasql -DNSHostName msasql.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers" `
    -Enabled $True
If you require an SPN you can also pass the -ServicePrincipalNames parameter.
Replace "Domain Computers" with the computers that are going to run the service using the managed service account. If you are creating a group MSA (gMSA), this is the name of the group that contains those computers.
If you get "access denied" or a missing key message, create the KDS root key first:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
2. On the domain controller add the new service account as the service account for the server where it will be used:
Add-ADComputerServiceAccount -Identity lon-exch -ServiceAccount msasql
-Identity is the server; -ServiceAccount is the MSA.
3. Go to the computer where you will use the managed account. Make sure the AD PowerShell feature is installed there, then run:
Install-ADServiceAccount -Identity msasql
4. Open SQL Server Configuration Manager and change the appropriate service to use this account.
Make sure you use a dollar sign e.g. adatum\msasql$ and that the password fields are blank.
If you need to roll the password use:
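The whole procedure above as one script, with the checks an administrator would want before handing the account to SQL Server. This is an added example, not code from the original page: the host group name SQL-gMSA-Hosts, the SQL host lon-sql1 and the SPN string are assumptions for the adatum.com lab, and the -KerberosEncryptionType option and the Test-ADServiceAccount / Get-ADServiceAccount checks are not mentioned on the page. The password roll at the end uses Reset-ADServiceAccountPassword, the cmdlet the last reference points to.

```powershell
# Added example (not from the original page). Assumed names: group "SQL-gMSA-Hosts",
# SQL host "lon-sql1", domain adatum.com.

# --- On the domain controller -------------------------------------------------
Import-Module ActiveDirectory

# A KDS root key must exist before any managed password can be generated.
# Backdating -EffectiveTime is for a lab only; in production omit it and wait
# the default 10 hours so the key has replicated to every DC.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Least privilege: a dedicated group of SQL hosts rather than "Domain Computers",
# so only those machines can retrieve the managed password.
$hostGroup = 'SQL-gMSA-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -Description 'Hosts allowed to use the msasql gMSA'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'lon-sql1')
# The host only sees the new group membership once its computer ticket is renewed:
# reboot lon-sql1 (or run "klist -li 0x3e7 purge" on it) before the Install step.

New-ADServiceAccount -Name 'msasql' `
    -DNSHostName 'msasql.adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'MSSQLSvc/lon-sql1.adatum.com:1433' `
    -KerberosEncryptionType AES128,AES256 `
    -Enabled $true

Add-ADComputerServiceAccount -Identity 'lon-sql1' -ServiceAccount 'msasql'

# Record who may retrieve the password; this list is what to audit periodically.
(Get-ADServiceAccount -Identity 'msasql' -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# --- On the SQL host (lon-sql1) -------------------------------------------------
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity 'msasql'

# $true only if this host can actually retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity 'msasql')) {
    throw 'lon-sql1 cannot retrieve the msasql password: check group membership and reboot.'
}
# Now set the SQL service to ADATUM\msasql$ in SQL Server Configuration Manager, password blank.

# --- Rolling the password (on the DC) ------------------------------------------
# Forces a new managed password immediately; authorized hosts fetch it on next use.
Reset-ADServiceAccountPassword -Identity 'msasql'
```

Test-ADServiceAccount is the quickest way to tell an authorization problem (the host is not in the allowed group, or its ticket predates the group change) from a missing KDS key, which surfaces earlier at New-ADServiceAccount.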
References:
https://serverfault.com/questions/503823/set-dns-host-name-for-managed-service-account
https://trevorsullivan.net/2012/10/15/powershell-creating-active-directory-managed-service-accounts/
https://docs.microsoft.com/en-us/powershell/module/activedirectory/reset-adserviceaccountpassword?view=winserver2012-ps