Group Managed Service Accounts Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional introduces the group Managed Service Account (gMSA) by describing practical applications, changes in Microsoft's implementation, and hardware and software requirements.

Feature description

Standalone Managed Service Accounts (sMSAs), which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.

The group Managed Service Account provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as one behind Network Load Balancing, the authentication protocols that support mutual authentication require that all instances of the service use the same principal. When group Managed Service Accounts are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage it.

The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for an Active Directory account. The Key Distribution Service shares a secret that is used to create keys for the account. These keys are changed periodically. For a group Managed Service Account, the domain controller computes the password from the key provided by the Key Distribution Service together with other attributes of the group Managed Service Account. Member hosts can obtain the current and preceding password values by contacting a domain controller.

Practical applications

Group Managed Service Accounts provide a single identity solution for services running on a server farm, or on systems behind Network Load Balancing. With a group MSA, services can be configured for the new group MSA principal and password management is handled by Windows.

Using a group Managed Service Account, services or service administrators do not need to manage password synchronization between service instances. The group Managed Service Account supports hosts that are kept offline for an extended period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing which instance of the service they are connecting to.

Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.

Software requirements

A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group Managed Service Accounts.

A managed service account is dependent upon Kerberos-supported encryption types. When a client computer authenticates to a server using Kerberos, the DC creates a Kerberos service ticket protected with an encryption type that both the DC and the server support. The DC uses the account's msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports and, if the attribute is absent, it assumes the server does not support stronger encryption types and falls back to RC4. If the host is configured to not support RC4, authentication will then always fail. For this reason, AES should always be explicitly configured for MSAs.
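The following PowerShell is an added example, not code from this page or from Microsoft's documentation, showing the farm scenario from the sections above end to end: a KDS root key, a gMSA created with AES-only Kerberos encryption types, a check of the resulting msDS-SupportedEncryptionTypes bitmask, and the member-host steps. The account name svc-webfarm, the host group WebFarmHosts and the domain corp.example.com are assumed placeholders.

```powershell
# Added example (not from the page). Assumed names: gMSA 'svc-webfarm',
# host security group 'WebFarmHosts', domain 'corp.example.com'.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which the Key Distribution Service
# derives gMSA passwords. -EffectiveImmediately still waits ~10 hours so the key
# replicates to every DC before it is used.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Security group of member hosts allowed to retrieve the managed password.
# Create it beforehand and add the farm's computer accounts (assumed group).
$hostGroup = 'WebFarmHosts'

# Create the gMSA with AES128/AES256 only (no RC4, no DES). The SPN shared by
# every farm instance is registered on the account, not on individual hosts.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'webfarm.corp.example.com' `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128,AES256

# Verify: msDS-SupportedEncryptionTypes is a bitmask.
#   DES-CBC-CRC = 1, DES-CBC-MD5 = 2, RC4-HMAC = 4, AES128 = 8, AES256 = 16
# A value of 24 means AES only; any of the low three bits means a weak type
# is still negotiable; an empty attribute means the DC assumes RC4.
$acct = Get-ADServiceAccount -Identity 'svc-webfarm' -Properties 'msDS-SupportedEncryptionTypes'
$enc  = [int]$acct.'msDS-SupportedEncryptionTypes'
if (($enc -band 24) -ne 24 -or ($enc -band 7) -ne 0) {
    Write-Warning "svc-webfarm msDS-SupportedEncryptionTypes = $enc; expected 24 (AES only)."
    Write-Warning "Fix with: Set-ADServiceAccount -Identity svc-webfarm -KerberosEncryptionType AES128,AES256"
}

# On each member host (after it has been added to $hostGroup and rebooted so
# its computer ticket reflects the new group membership):
#   Install-ADServiceAccount -Identity 'svc-webfarm'   # cache the gMSA locally
#   Test-ADServiceAccount    -Identity 'svc-webfarm'   # $true only if the host
#                                                      # can fetch the password from a DC
```

Run the first part on a domain-joined admin workstation with the AD PowerShell module; run the two commented commands on each farm member. Test-ADServiceAccount returning False on a host that is in the group usually means the host has not yet refreshed its group membership, or the KDS root key has not finished replicating.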

Note

Beginning with Windows Server 2008 R2, DES is disabled by default. For more information about supported encryption types, see Changes in Kerberos Authentication.

Group Managed Service Accounts are not applicable to Windows operating systems prior to Windows Server 2008 R2.

Server Manager information

There are no configuration steps necessary to implement MSA and group MSA using Server Manager or the Install-WindowsFeature cmdlet.

See also

The following table provides links to additional resources related to Managed Service Accounts and group Managed Service Accounts.

Content type          References
Product evaluation    What's New for Managed Service Accounts
                      Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2
                      Service Accounts Step-by-Step Guide
Planning              Not yet available
Deployment            Not yet available
Operations            Managed Service Accounts in Active Directory
Troubleshooting       Not yet available
Evaluation            Getting Started with Group Managed Service Accounts
Tools and settings    Managed Service Accounts in Active Directory Domain Services
Community resources   Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting
Related technologies  Active Directory Domain Services Overview