How To Configure Managed Service Accounts Windows Server 2016

In this article, I’ll show you how to deploy and configure Managed Service Accounts with Windows Server 2016 and Active Directory.

A Managed Service Account (MSA) is an Active Directory account type for which Active Directory itself is responsible for changing the account password every 30 days.

With an MSA nobody needs to set the account password or even know it; the entire password management process is handled by Active Directory.

In my example, I’ll use the Managed Service Account to run my IIS Application Pool.

Requirements

To use MSAs, the Active Directory forest functional level must be Windows Server 2012 or higher.

You will also need the Active Directory management tools (RSAT) installed to run the cmdlets in this post.

Before we start

I have to say that before I wrote this article I visited a few blogs, and most of them overcomplicated the process. This post will show you how to deploy an MSA in 10 minutes.

Just make sure to test it in the lab before deploying into production.

Master Root Key

The first step in the MSA deployment process is to create a KDS master root key using the cmdlet below.

# -EffectiveTime in the past makes the key usable immediately instead of after the
# normal 10-hour replication wait; only do this in a lab with a single DC.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) -Verbose

Create a Service Account

To create and configure the service account, I'll use four cmdlets.

The first cmdlet creates the account and also sets the DNS host name for it.

New-ADServiceAccount sms -DisplayName "WDS Service" -DNSHostName sms.test.local

Once the account has been created, I will grant the server (WDS) access to it, which means the server (WDS) will have permission to retrieve the managed password from Active Directory, including each new password after the 30-day rotation.

I could add multiple server names if needed.

# The computer account name ends in $; quote it so PowerShell passes it literally.
Set-ADServiceAccount sms -PrincipalsAllowedToRetrieveManagedPassword 'wds$'

With the cmdlet below, run on the WDS server, I can test the account (the result should be True).

Test-ADServiceAccount sms | Format-List

And the final cmdlet installs the service account on the WDS server.

Install-ADServiceAccount sms
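The four steps above, combined into one script that also checks the KDS root key first and reports which principals may retrieve the password (the part worth auditing, since each of them can act as the account). This is an added example, not code from the original post; the names sms, wds and test.local come from the article, the 30-day interval and the 'WDS Service' display name are assumptions, and it must run from an elevated PowerShell with the AD DS RSAT module installed.

```powershell
# Added example: deploy and verify the gMSA described in the article.
Import-Module ActiveDirectory

$AccountName  = 'sms'
$DnsHostName  = 'sms.test.local'
$HostsAllowed = @('wds$')   # computer accounts allowed to retrieve the password

# 1. The KDS root key must exist and already be effective, otherwise
#    New-ADServiceAccount fails with "Key does not exist".
$key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
if (-not $key) {
    # Backdating the effective time skips the replication wait; lab use only.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
} elseif ($key.EffectiveTime -gt (Get-Date)) {
    throw "KDS root key becomes effective at $($key.EffectiveTime); wait, or create a lab key."
}

# 2. Create the account. The rotation interval can only be set at creation time,
#    and the allowed hosts can be given here instead of with Set-ADServiceAccount.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -DisplayName 'WDS Service' `
        -DNSHostName $DnsHostName -ManagedPasswordIntervalInDays 30 `
        -PrincipalsAllowedToRetrieveManagedPassword $HostsAllowed
}

# 3. Report who may retrieve the password. The attribute holds distinguished
#    names, so resolve each one to its sAMAccountName for readability.
$acct = Get-ADServiceAccount $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
$allowed = $acct.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { (Get-ADObject $_ -Properties sAMAccountName).sAMAccountName }
[pscustomobject]@{
    Account           = $acct.SamAccountName
    RotationDays      = $acct.ManagedPasswordIntervalInDays
    AllowedToRetrieve = ($allowed -join ', ')
}

# 4. Run on the WDS server itself (not on the DC, which is not in the allowed
#    list): install the account and confirm the host can retrieve the password.
#    Test-ADServiceAccount returns $true on success.
# Install-ADServiceAccount $AccountName
# Test-ADServiceAccount $AccountName
```

If the AllowedToRetrieve column lists anything other than the servers that run the service, trim the list with Set-ADServiceAccount before going further.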

Set Windows Service

To set up a Windows service to use the managed service account, I'll open the service's properties, go to the Log On tab and enter the account in the format below, leaving the password fields empty:

Test\sms$

If the account still needs the "Log on as a service" right, you will see the prompt below.

Once configured, I can start the service.

Just remember that if the service account needs to be a member of the Domain Admins group or any other group, you will need to add the service account to that group as well.

Set IIS Application Pool

Next, I’ll configure the IIS Application Pool to use the Service Account.

In the Application Pools view, right-click DefaultAppPool.

Select Advanced Settings.

Under Advanced Settings -> Process Model -> Identity, I'll change the account to the service account.

There is no need to type the password.

As you can see below, the Application Pool started and is using the service account.

Get-ADServiceAccount -Filter *

Rollback

To remove the Service Account from Active Directory, I’ll use the cmdlet below:

Remove-ADServiceAccount sms

To switch a Windows service back to a regular account, I'll run the line below from an elevated command prompt, substituting the service name (note that sc requires a space after each "option=" before its value):

sc config audiosrv obj= test\Admin password= Password123

Comments

4 responses to “How To Configure Managed Service Accounts Windows Server 2016”

  1. Steve

    Thank you, clear useful article.

  2. Lalitha

    Hi, while creating the KDS root key I am having this error: “this request is not supported”. Can you please help?

  3. LJSP

    Lalitha, run PowerShell as admin.

  4. Srinivas

    One quick question here, please. Consider that the “same MSA” is being used for IIS and for database connectivity for the DB engine and jobs. If the MSA password gets changed, then IIS has to be reset for it to take effect, and database jobs fail due to the disconnect caused by the MSA password change (could be a few seconds) and have to be rerun all over again.
    A good number of database jobs will run 24×7 and end users will use the web applications 24×7.
    How can IIS and SQL Server jobs run successfully while the MSA password change happens at any time?