Using Group Managed Service Accounts with SQL Server

Problem

In my previous tip about Using Managed Service Accounts with SQL Server, we discussed how to create and use these accounts. But what if you have Failover Cluster Instances or Always On Availability Groups and you want to gain the benefits of using a Managed Service Account?

In this tip, we will look at how group Managed Service Accounts (gMSA) can help solve these problems.

Solution

Whereas SQL Server 2012 only supports the use of Managed Service Accounts (MSA), SQL Server 2014 introduced support for group Managed Service Accounts when running on Windows Server 2012 R2 and above.

Group Managed Service Accounts solve the problem of one-to-one relationships between MSA and Computer. Use Active Directory Security Groups to allow a one-to-many relationship between an account and the computers.

Group Managed Service Account Prerequisites

Prerequisites for Managed Service Accounts with SQL Server:

  • Domain Functional Level of 2012 or higher
  • SQL Server 2014 or higher
  • Window Server 2012 R2 Operating System
  • Active Directory PowerShell module installed

With Windows Server 2012 R2, install KB 2998082 for SQL Server to use a gMSA as its service account.

Prior to being able to create a gMSA in the domain, the Key Distribution Service needs to have a root key in place to function. Issue the following PowerShell command:

Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId
Testing for KDS Root Key - Description: Check to see if KDS Root Key exists.

If there is not a valid KDS Root Key then use the following to create one:

Add-KdsRootKey -EffectiveImmediately 

Be aware that even with the EffectiveImmediately configuration switch it can take up to ten hours for the key to become active and allow the creation of the group Managed Service Accounts.

Creating Group Managed Service Accounts

Use the Active Directory PowerShell module to create Group Managed Service Accounts. There is no facility to do this in the Active Directory Users and Computers admin tool. Install the PowerShell module on the workstation used to create the accounts and the servers where the accounts will be used.

Installing Active Directory PowerShell Module

Use the following PowerShell command to install the AD PowerShell module on a server:

Install AD PowerShell Module - Description: Installation of AD PowerShell module via PowerShell.

If needed, download the install for Remote Server Administration Tools (RSAT) onto a Windows 10 workstation.

Creating Active Directory Group

This is where group Managed Service Accounts (gMSA) differ from Managed Service Accounts (MSA). Use the following process to facilitate the one-to-many relationship between gMSA and computers:

  1. Create Active Directory Security Group
  2. Add computer objects to Security Group
  3. Create gMSA and specify Security Group to link the account and computers

The following commands create the group, add the computer objects as members of the newly created group, then check the group members. Alternatively, use the Active Directory Users and Computers admin tool.

New-ADGroup -Name gsg_gMSA01 -Description “Security group for gMSA01 computers” -GroupCategory Security -GroupScope Global
Add-ADGroupMember -Identity gsg_gMSA01 -Members winsql-0$, winsql-01$
Get-ADGroupMember -Identity gsg_gMSA01
distinguished name

There are two important things to account for in this process:

  • When adding computer objects the name of the computer account needs to be suffixed with a $
  • Restart the computer needs to force group membership

Creating the gMSA

Complete prerequisites then create the account using PowerShell using the following command:

New-ADServiceAccount -Name gMSA01 -PrincipalsAllowedToRetrieveManagedPassword gsg_gMSA01 -Enabled:$true -DNSHostName gMSA01.demo.lab01 -SamAccountName gMSA01 -ManagedPasswordIntervalInDays 30
managed service accounts

The group created earlier has the PrincipalsAllowedToRetrieveManagedPassword parameter and password rotation specified. The SQL Server services can now use the gMSA.

Installing and Using Group Managed Service Accounts

Once created, install MSA on the needed servers. To use PowerShell, install the Active Directory PowerShell module for SQL Server. Make sure the AD PowerShell cmdlets are installed; you can now log in to the server.

Install-ADServiceAccount -Identity gmsa01
Test-ADServiceAccount -Identity gmsa01
Install and Test gMSA - Description: Install and Test that the group Managed Service Account is in place.

Once the gMSA is set up and linked to the computer, it is time to use this as the service account for SQL Server. There are two options for updating the service account details. The first is to use the SQL Server Configuration Manager tool. In this instance you will need to make sure that the “Service Accounts” object type is selected for account validation:

Select Service Accounts object type - Description: Selecting the Service Accounts object type is needed in order to do name validation via the Service Configuration Management tool.

The other option, and the one that I prefer is to make use of the Update-DbaSqlServiceAccount cmdlet from the DBATools PowerShell module. By making use of the DBATools module, you can easily script the entire process – from MSA creation all the way through to implementation.

Setting Service Accounts with DBATools

When using this cmdlet, it is important to remember to qualify the account with the domain name, as well as appending the account name with a $ (which denotes it as a gMSA).

Summary

Here we have looked at how to set up SQL Server to use a gMSA as its service account and be able to take advantage of the capabilities that come with it. This includes easy password rotation using the Reset-ADServiceAccountPassword, managing SPNs and ensuring it is restricted to the server that it is linked to.

It is important to remember, however, there are some limitations, notably that SQL Server 2014 or higher is required to support the use of gMSAs. However, unlike MSAs gMSAs can be used with Failover Cluster Instances and are a great option for Availability Group scenarios.

Next Steps

When setting up SQL Server to make use of Managed Service Accounts you should check out these additional tips that cover a range of recommended practices.

8 Comments

  1. For Availability Groups usage, we use the listener in our connection string. For Kerberos, we do a SETSPN that ties the listener to the SQL account which is now the managed service account on Server1. We cannot tie it to the Group Managed Service Account. It seems that in the case of a failover we now need to remove that SPN and add one that ties the listener to the SQL account which is on the managed service account on Server2. Thus, the failover is not as automatic. We wanted to use what seemed like 2 recommendations: Kerberos and managed service accounts, but for automatic failover they seem exclusive. Is there a way around that?

  2. Once the security group is created, computer accounts added and the Gmsa made and bound to that group. Can you then go back and add more computer accounts to the security group?
    At least in my testing I could not get this to work. For the computer in the group as time of creation all went perfect. Then went back and added another server to group after it was done and it never seemed to get installed to the new server. The test-AdserviceAccount always came up false even after reboot.

  3. Are gMSA allowed for SQL Server Agent? I am not seeing gMSA in the key MSDN articles
    1- https://learn.microsoft.com/en-us/sql/ssms/agent/select-an-account-for-the-sql-server-agent-service?view=sql-server-ver16
    2 – https://learn.microsoft.com/en-us/sql/ssms/agent/choose-the-right-sql-server-agent-service-account-for-multiserver-environments?view=sql-server-ver16
    hence, looking for some suggestion(s)
    It does seem like having the ability to run SQL Agent under gMSA carries same value as for SQL Server service.
    It releases DBA from managing passwords for service account, which in case of SQL Server fleet of an sizeable enterprise can be quite a task.

  4. I have reverted the following SQL accounts below to start using group managed service accounts (gMSA)
    MSSQLSERVER
    SQLSERVERAGENT
    ReportServer

    However when l try and connect to the SQL server using management studio from my desktop l get an error saying “The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server, Error: 0)” but when l connect to via management studio on the server it works. Therefore the error is there when try and using the group managed accoungs (gMSA) but when l revert back to normal service accounts the error is not there I have.check SPN configuration and it seems to be correct. However l have run this query SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID; and the results indicate that NTLM is being used instead of Kerberos. I would appreciate any assistance.

    • Did you try checking SQL Server error log?
      It logs messages during startup regarding SPN registration, followed by message indicates Kerberos authentication is available

  5. “his includes easy password rotation using the Reset-ADServiceAccountPassword, managing SPNs “

    the summary is the first time “SPN” appears on this page. where is the actual section on managing spns for gmsas?

  6. Hello,

    Nice article, indeed. Neverthless, I can’t make GMSA account work in combination with SQL Server’s ServiceBroker feature.
    Error says that GMSA account is not allowed to be granted CONNECT TO ENDPOINT permission :/

    https://dba.stackexchange.com/questions/317519/exception-during-grant-connect-on-endpoint-to-group-managed-service-account

  7. You might want to do a quick refresh on this article: With gMSA you no longer need to run this command: “Install-ADServiceAccount -Identity gmsa01”, which makes it much easier to deploy as you don’t have to install AD PowerShell stuff on each target host. Although you do need to reboot the host(s) in the security group that you grant -PrincipalsAllowedToRetrieveManagedPassword to, before they can start using the new gMSA.

Leave a Reply

Your email address will not be published. Required fields are marked *