In this article, I’ll show you how to deploy and configure Managed Service Accounts with Windows Server 2016 and Active Directory.
Managed Service Account (MSA) Is a new type of Active Directory Account type where AD responsible for changing the account password every 30 days.
With MSA no one needs to set up the account password or even know it, the entire password management process Is managed by Active Directory.
In my example, I’ll use the Managed Service Account to run my IIS Application Pool.
To use MSA, Active Directory forest level will have to be set to Windows Server 2012 at a minimum.
You will need Active Directory Management Tools to run the cmdlets In this post
Before we start
I have to say that before I wrote this article I visited a few blogs and most of them overcomplicated the process, This post will show you how to deploy MSA In 10 minutes.
Just make sure to test it in the lab before deploying Into production.
Master Root key
The first step In the MSA deployment process Is to create a Master root Key using the cmdlet below.
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) -Verbose
Create a Service Account
To create and configure the service. I’ll use 4 cmdlets.
The first cmdlet will create the account and also create a DNS name for the account.
New-ADServiceAccount sms -DisplayName "WDS Service" -DNSHostName sms.test.local
Once the account has been created, I will grant the Server (WDS) access to it, which mean the Server (WDS) will have permission to request a password reset every 30 days from Active Directory.
I could add multiple server names If needed.
Set-ADServiceAccount sms -PrincipalsAllowedToRetrieveManagedPassword wds$
With the cmdlet below, I can test the account (return result should be true).
Test-ADServiceAccount sms |fl
And the final cmdlet will Install the Service Account on the WDS Server.
Set Windows Service
To setup Windows Server service to use the managed Service account, I’ll open the service and use the format below
Test\sms$ without typing the password.
If the account needs the log in as a service right you will see the prompt below.
Once configured, I can start the service
Just remember that If the service account needs to be part of the Domain Admins group or any other group you will need to add the service to the group as well.
SET IIS Application Pool
Next, I’ll configure the IIS Application Pool to use the Service Account.
Using the Application Pools menu and right-click on the DefaultAppPool
Select Advanced Settings
In the Advanced Setting -> Process Model -> Identity I’ll change the account
No need to type the password
As you can see below, The Application Pool started and Is using the Service Account.
Get-ADServiceAccount -Filter *
To remove the Service Account from Active Directory, I’ll use the cmdlet below:
To remove the account from a Windows service, I’ll run the line below (from the command line) with the service name
sc config audiosvr obj= test\Admin password=Password123