Original source: http://blog.csdn.net/dba_huangzj/article/details/38017703, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349
Without the author's permission, no one may republish this as an "original" post or use it for commercial purposes; I take no legal responsibility for any such use.
Previous article: http://blog.csdn.net/dba_huangzj/article/details/37927319
Objective:
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2. Their purpose is to make the Active Directory accounts used to run services easier to manage. Before MSAs, you had to create an ordinary domain user account to act as the service account, and you had to exempt it from the password policy so that the service would not fail when the password expired. Disabling the password policy, however, also reduces security.
Managed service accounts were introduced to address this. An MSA is an Active Directory account bound to a specific computer; its password is managed by Active Directory itself and is rotated periodically without affecting the service that runs under it.
It also simplifies management of Service Principal Names (SPNs), the unique identifiers by which clients locate a service instance; SPNs may be described in detail separately.
Implementation:
Managed service accounts require Windows Server 2008 R2 or Windows 7 or later, and the hotfix at http://support.microsoft.com/kb/2494158 must be applied.
Also, creating a managed service account must be done in PowerShell, with the Active Directory PowerShell module (snap-in) installed on the domain controller:
1. If the PowerShell module is not installed, open Server Manager on the domain controller, right-click the Features node, select Add Features, and under Remote Server Administration Tools → Role Administration Tools → AD DS and AD LDS Tools, tick Active Directory Module for Windows PowerShell and install it.
2. On the domain controller, open PowerShell with an account that has sufficient privileges and import the ActiveDirectory module:
Import-Module ActiveDirectory
If a warning appears at this point, it is because the ADWS (Active Directory Web Services) service has not started; this problem commonly shows up on virtual machines. The temporary workaround is to enter the following in PowerShell:
Restart-Service ADWS
The permanent fix is to set the ADWS service's startup type to Automatic (Delayed Start).
3. Create the managed service account:
New-ADServiceAccount -Name SQL-SRV1 -Enabled $true
SQL-SRV1 is the name of the account being created.
4. Associate the new account with the SQL Server computer; in this example the machine is named SQL-A:
Add-ADComputerServiceAccount -Identity SQL-A -ServiceAccount SQL-SRV1
5. The managed service account must be installed on the server that runs SQL Server, so open PowerShell on SQL-A, import the ActiveDirectory module first (as in step 2), then enter:
Install-ADServiceAccount -Identity SQL-SRV1
If this step fails, enter the following in PowerShell on SQL-A (that is, on the domain member server):
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Then import the module again as in step 2 and re-run:
Install-ADServiceAccount -Identity SQL-SRV1
This should now succeed.
6. Take care not to give the managed account a name longer than 15 characters, or you will hit a bug.
Now you can use this account as the service account. The account name must end with the $ symbol, for example domain\sql-srv1$; leave the Password and Confirm password fields blank. Refer to http://blog.csdn.net/dba_huangzj/article/details/37924127 for the configuration steps. Note that the account must be configured in the Windows Services console, not directly in SQL Server Configuration Manager; otherwise an error occurs.
Once the configuration is complete in the Services console, you can restart the SQL Server service from SQL Server Configuration Manager without configuring it again:
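The steps above, collected into one script as an added example (this is not the author's script and not part of the original post). It runs the domain-controller phase (steps 2 to 4) or the member-server phase (step 5) depending on the -Phase parameter, enforces the 15-character limit from step 6 before touching Active Directory, and finishes each phase with a check the article does not show: on the domain controller it reads the computer object's msDS-HostServiceAccount attribute and the MSA's PasswordLastSet (the value that Active Directory advances when it rotates the password, as described under Principle below), and on the member server it calls Test-ADServiceAccount. The account name SQL-SRV1 and host SQL-A are the article's; the parameter names and the phase split are this example's own.

```powershell
# Added example: provision a standalone Managed Service Account for a SQL Server host.
# Not the author's script. Account/host names come from the article; -Phase is ours.
param(
    [string]$AccountName = 'SQL-SRV1',   # MSA name from the article
    [string]$SqlHost     = 'SQL-A',      # SQL Server computer from the article
    [ValidateSet('DomainController','MemberServer')]
    [string]$Phase       = 'DomainController'
)

# Step 6 of the article: names longer than 15 characters trigger a bug, so refuse early.
if ($AccountName.Length -gt 15) {
    throw "MSA name '$AccountName' is longer than 15 characters."
}

if ($Phase -eq 'DomainController') {
    # Step 2 caveat: the ActiveDirectory module talks to Active Directory Web Services.
    $adws = Get-Service -Name ADWS -ErrorAction Stop
    if ($adws.Status -ne 'Running') {
        Write-Warning 'ADWS is not running; restarting it (the temporary fix from the article).'
        Restart-Service -Name ADWS
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 3: create the account only if it does not already exist (idempotent re-runs).
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
        New-ADServiceAccount -Name $AccountName -Enabled $true
    }

    # Step 4: bind the MSA to the SQL Server computer object.
    Add-ADComputerServiceAccount -Identity $SqlHost -ServiceAccount $AccountName

    # Check: the computer object now lists the MSA in msDS-HostServiceAccount.
    $comp = Get-ADComputer -Identity $SqlHost -Properties 'msDS-HostServiceAccount'
    if (-not ($comp.'msDS-HostServiceAccount' -like "*CN=$AccountName,*")) {
        throw "MSA $AccountName is not bound to $SqlHost."
    }

    # Check: record when AD last set the password; AD rotates it on its own schedule.
    $msa = Get-ADServiceAccount -Identity $AccountName -Properties PasswordLastSet
    Write-Output ("{0} password last set: {1}" -f $AccountName, $msa.PasswordLastSet)
}
else {
    # Step 5 fallback: install the RSAT AD PowerShell feature if the member server lacks it.
    Import-Module ServerManager
    if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
        Add-WindowsFeature -Name RSAT-AD-PowerShell
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 5: install the MSA locally so this host can retrieve its password.
    Install-ADServiceAccount -Identity $AccountName

    # Check: Test-ADServiceAccount returns $true when this host can use the account.
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "Host $env:COMPUTERNAME cannot use MSA $AccountName."
    }
    Write-Output "MSA $AccountName is usable; configure the service as $env:USERDOMAIN\$AccountName`$ with a blank password."
}
```

Run it once on the domain controller with -Phase DomainController, then on SQL-A with -Phase MemberServer. The Test-ADServiceAccount check is the quickest way to tell whether a later "logon failure" on the service is an MSA binding problem or a configuration mistake in the Services console.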
Principle:
A managed service account is bound to a single machine and is used only by services, so it cannot be used for interactive logon, nor for the Cluster service, because a cluster needs a service account that spans multiple cluster nodes.
Unlike the local built-in accounts, however, a managed service account has a name that is known on the network, so it can also be used to access network shared resources.
When you create a managed account in Active Directory, you do not need to specify a password. The password is managed by Active Directory itself, which refreshes it automatically according to the password policy (30 days by default); the SQL Server service is not affected by this rotation.
After creation, the account is visible under the Managed Service Accounts node in the Active Directory Users and Computers tool, but it can only be viewed there, not modified; all operations on it must be done in PowerShell.
In the procedure above, the New-ADServiceAccount command may fail with an access denied error because of the User Account Control (UAC) policy. Either log in with the domain Administrator account, or temporarily disable Admin Approval Mode.
To disable Admin Approval Mode, run secpol.msc on the domain controller, locate the corresponding Admin Approval Mode setting, disable it, and then restart the computer.
Other notes:
If you no longer use the managed service account, you should remove it.
To remove a managed account:
Execute on the server where it was installed:
Uninstall-ADServiceAccount -Identity SQL-SRV1
Execute on the domain controller:
Remove-ADServiceAccount -Identity SQL-SRV1
For more information, see:
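The removal steps, as an added example that is not part of the original post, in the order the article gives (host first, then Active Directory). Before uninstalling on the host it refuses to proceed while any Windows service is still configured to run as the MSA, since removing the account from under a running service silently breaks that service's logon; on the domain controller it detaches the account from the computer object before deleting it. The in-use check and Remove-ADComputerServiceAccount step are this example's additions; SQL-SRV1 and SQL-A are the article's names.

```powershell
# Added example: decommission a Managed Service Account safely. Not the author's script.
param(
    [string]$AccountName = 'SQL-SRV1',   # MSA name from the article
    [string]$SqlHost     = 'SQL-A',      # SQL Server computer from the article
    [ValidateSet('MemberServer','DomainController')]
    [string]$Phase       = 'MemberServer'
)

Import-Module ActiveDirectory -ErrorAction Stop

if ($Phase -eq 'MemberServer') {
    # A service running as an MSA shows its logon account as DOMAIN\name$ in Win32_Service.
    $logon = "$env:USERDOMAIN\$AccountName`$"
    $inUse = Get-WmiObject -Class Win32_Service | Where-Object { $_.StartName -ieq $logon }
    if ($inUse) {
        throw ("MSA {0} is still used by: {1}. Reconfigure those services first." -f
               $AccountName, ($inUse | ForEach-Object { $_.Name }) -join ', ')
    }

    # Article step: remove the locally installed MSA from this host.
    Uninstall-ADServiceAccount -Identity $AccountName
    Write-Output "Uninstalled $AccountName from $env:COMPUTERNAME."
}
else {
    # Detach the MSA from the computer object so the binding does not linger.
    Remove-ADComputerServiceAccount -Identity $SqlHost -ServiceAccount $AccountName -Confirm:$false

    # Article step: delete the account itself from Active Directory.
    Remove-ADServiceAccount -Identity $AccountName -Confirm:$false

    # Check: the account must be gone.
    if (Get-ADServiceAccount -Filter "Name -eq '$AccountName'") {
        throw "MSA $AccountName still exists in Active Directory."
    }
    Write-Output "Removed $AccountName from Active Directory."
}
```

Run the MemberServer phase on SQL-A first, then the DomainController phase on the domain controller, mirroring the article's order.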
Service Accounts Step-by-Step Guide http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx
Filed under: http://blog.csdn.net/dba_huangzj/article/details/38037457
Chapter 1 Securing Your Server and Network (3): Using Managed Service Account