A small problem with Managed Service Accounts

I am very fortunate to always have the latest versions of Microsoft stuff to play with such as SQL Server 2008 R2, but occasionally something doesn’t work, and so I need to tell the relevant product team what the problem is.

In this case I was trying to get the SQL Server 2008 R2 November CTP to run with the new Managed Service Accounts in Windows Server 2008 R2 Active Directory.  They are a bit like the NTAUTHORITY/LocalService account in that they don’t have passwords that you need to specify to the service, however they are a totally different beast in that they are domain accounts  designed to be used for services, like IIS 7.5. Essentially the passwords are managed internally by active directory and are designed for use with Kerberos. For more on this have a look at this article on TechNet 

However they are so new there is no way you can create one without using PowerShell (with the active directory module loaded)..

New-ADServiceAccount SQLService

Then you tell AD where you want to use the account on the server SQL08R2Demo..

Add-ADComputerServiceAccount -Identity SQL08R2DEMO -ServiceAccount SQLService

finally you deploy it to the computer that will use it

Install-ADServiceAccount -Identity SQLService

Now you can see this account in Active Directory under the new managed service account folder..

ad service account 2

I can now use an account like this to run IIS by going to services and running IIS with the new account (note you don’t supply a password for this account).

However when Iu try and use it to run a SQL Server service, it doesn’t show up in the SQL Server configuration tool as it doesn’t see this kind of account at all even though you can search the managed service accounts folder.  Of course if I go into services proper I can change SQL Server services to use it…

ad service account 9

but that is not supported, as it will foul up the permissions needed to do things like backup. BTW I didn’t supply the dollar sign suffix

so I have found something wrong and now I need to tell someone to fix it and the place where you do that for Microsoft stuff , irrespective of whether or not you work for them is on Connect (http://www.connect.microsoft.com).

You register suggestions and bugs by first searching to see if it’s there already and then you can create your own..


Here’s that bug, and notice that no one’s voted on it yet.  Votes are primarily there to influence feature requests, but bear in mind that what you or I consider to be a bug, maybe there by design and so could in fact really be a feature request. Anyway the more votes there are coupled with the severity of the problem the more likely it will be fixed

So if you think something needs to be changed then use the site as the product teams are pretty good but are not known for their telepathic abilities.

In the meantime I hope that this gets fixed for the release of SQL Server 2008 R2.


Update 28 November 2011

Managed Service Accounts didn't get supported in SQL Server 2008 R2, but are a feature in SQL Server 2012 as per this TechNet article.  The method is exactly the same



Technorati Tags: Connect,Microsoft bug reporting,managed service accounts,active directory,windows server 2008 R2,SQL Server 2008 R2