Group Managed Service Accounts Overview
Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
This topic for the IT professional introduces the group Managed Service Account by describing practical applications, changes in Microsoft's implementation, and hardware and software requirements.
Standalone Managed Service Accounts, which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.
The group Managed Service Account provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as one behind Network Load Balancing, the authentication protocols supporting mutual authentication require that all instances of the service use the same principal. When group Managed Service Accounts are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.
The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for an Active Directory account. The Key Distribution Service shares a secret which is used to create keys for the account. These keys are periodically changed. For a group Managed Service Account, the domain controller computes the password based on the key provided by the Key Distribution Service, in addition to other attributes of the group Managed Service Account. Member hosts can obtain the current and preceding password values by contacting a domain controller.
Group Managed Service Accounts provide a single identity solution for services running on a server farm, or on systems behind Network Load Balancing. By providing a group MSA solution, services can be configured for the new group MSA principal and the password management is handled by Windows.
Using a group Managed Service Account, services or service administrators do not need to manage password synchronization between service instances. The group Managed Service Account supports hosts that are kept offline for an extended time period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or a sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.
A 64-bit architecture is required to run the Windows PowerShell commands which are used to administer group Managed Service Accounts.
A managed service account is dependent upon the Kerberos encryption types it supports. When a client computer authenticates to a server using Kerberos, the DC creates a Kerberos service ticket protected with an encryption type that both the DC and the server support. The DC uses the account's msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports and, if the attribute is absent, it assumes the server does not support stronger encryption types. If the host is configured to not support RC4, authentication will then always fail. For this reason, AES should always be explicitly configured for MSAs.
Beginning with Windows Server 2008 R2, DES is disabled by default. For more information about supported encryption types, see Changes in Kerberos Authentication.
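The following script is an added example, not part of the Microsoft documentation: it audits every MSA for the msDS-SupportedEncryptionTypes attribute described above, decodes the bitmask so a missing or RC4-only setting is visible, and then pins a gMSA (placeholder name `gmsa-placeholder`) to AES with the ActiveDirectory module's `-KerberosEncryptionType` parameter. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to read and modify the accounts.

```powershell
# Added example (not from the Microsoft documentation): audit MSAs for
# msDS-SupportedEncryptionTypes and explicitly pin a gMSA to AES.
# Requires the ActiveDirectory module; account names are placeholders.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}

function ConvertFrom-SupportedEncTypes {
    param($Value)   # untyped so an absent attribute stays $null instead of becoming 0
    # An absent attribute is the case the text warns about: the DC then assumes
    # only the weaker types are usable, and an RC4-disabled host cannot authenticate.
    if ($null -eq $Value) { return '<not set>' }
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    if (-not $names) { return ('none (0x{0:X})' -f $Value) }
    return ($names -join ', ')
}

# Enumerate every managed service account (sMSA and gMSA) and report its setting.
Get-ADServiceAccount -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass
            EncTypes = ConvertFrom-SupportedEncTypes $raw
            # AES-only: at least one AES bit set and no DES/RC4 bits set.
            AESOnly  = ($null -ne $raw) -and (($raw -band 0x18) -ne 0) -and (($raw -band 0x7) -eq 0)
        }
    } | Format-Table -AutoSize

# Explicitly configure AES for one gMSA (placeholder name), then read the attribute back.
Set-ADServiceAccount -Identity 'gmsa-placeholder' -KerberosEncryptionType AES128, AES256
Get-ADServiceAccount -Identity 'gmsa-placeholder' -Properties 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, 'msDS-SupportedEncryptionTypes'

# Run on a member host where the account is installed: returns $true when the host
# can retrieve the managed password and obtain a ticket with the new settings.
Test-ADServiceAccount -Identity 'gmsa-placeholder'
```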
Group Managed Service Accounts are not applicable to Windows operating systems prior to Windows Server 2008 R2.
Server Manager information
There are no configuration steps necessary to implement MSA and group MSA using Server Manager or the Install-WindowsFeature cmdlet.
The following table provides links to additional resources related to Managed Service Accounts and group Managed Service Accounts.
| Content type | References |
|---|---|
| Product evaluation | What's New for Managed Service Accounts<br>Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2<br>Service Accounts Step-by-Step Guide |
| Planning | Not yet available |
| Deployment | Not yet available |
| Operations | Managed Service Accounts in Active Directory |
| Troubleshooting | Not yet available |
| Evaluation | Getting Started with Group Managed Service Accounts |
| Tools and settings | Managed Service Accounts in Active Directory Domain Services |
| Community resources | Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting |
| Related technologies | Active Directory Domain Services Overview |