Original: Chapter 1 Securing Your Server and Network (3): Using Managed Service Account
Source: http://blog.csdn.net/dba_huangzj/article/details/38017703, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349
No one may republish this article as "original" or use it for commercial purposes without the author's consent; otherwise I bear no legal responsibility.
Previous article: http://blog.csdn.net/dba_huangzj/article/details/37927319
Objective:
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 to make the Active Directory accounts used to run services easier to manage. Before then, you had to create an ordinary domain user account to serve as the service account, and you had to exempt it from the password policy so that the service would not stop working when the password expired. Disabling the password policy, however, also lowers security.
To address these problems, the managed service account was created. It is an Active Directory account bound to a specific computer; its password is managed automatically by Active Directory and can be changed periodically without affecting the running service. It also simplifies the handling of the Service Principal Name (SPN, the unique identity used by clients, which is described in detail later).
Implementation:
Managed service accounts require Windows Server 2008 R2 or Windows 7 together with the hotfix at http://support.microsoft.com/kb/2494158. Creating a managed service account is done with PowerShell, and the Active Directory PowerShell snap-in must be installed on the Active Directory (domain controller):
1. If the PowerShell snap-in is not installed, open Server Manager on the domain controller, right-click the Features node, select Add Features, and under Remote Server Administration Tools → Role Administration Tools → AD DS and AD LDS Tools tick "Active Directory module for Windows PowerShell" and install it, as shown below:
2. Open PowerShell with an account that has sufficient privileges in Active Directory and import the ActiveDirectory module:
Import-Module ActiveDirectory
If the warning shown above appears, it is because the ADWS (Active Directory Web Services) service has not started; this usually happens on virtual machines. The temporary fix is to run the following in PowerShell:
Restart-Service ADWS
The permanent fix is to set the ADWS service to Automatic (Delayed Start).
3. Create the managed service account:
New-ADServiceAccount -Name sql-srv1 -Enabled $true
Here sql-srv1 is the name of the account being created.
4. Associate the new account with the SQL Server computer; in this example the machine is named "sql-a":
Add-ADComputerServiceAccount -Identity sql-a -ServiceAccount SQL-SRV1
5. The managed service account must also be installed on the server running SQL Server, so open PowerShell on sql-a, import the ActiveDirectory module first (step 2), and run:
Install-ADServiceAccount -Identity SQL-SRV1
If this step fails, run the following in PowerShell on sql-a (that is, on the domain member server) to install the AD PowerShell tools:
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Then import the module again as in step 2 and rerun:
Install-ADServiceAccount -Identity SQL-SRV1
6. Be careful not to give the managed account a name longer than 15 characters, or you will hit a bug.
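Steps 3 to 6 gathered into one script with checks after each step, added here as an example and not part of the original post. It assumes the Windows Server 2008 R2 cmdlet syntax the post uses, and verifies the result through Test-ADServiceAccount and the computer object's msDS-HostServiceAccount attribute; the names sql-srv1 and sql-a are the post's own.

```powershell
# Added example, not from the original post. Part 1 runs on the domain
# controller, part 2 on the SQL Server host (sql-a), both after
# Import-Module ActiveDirectory.
Import-Module ActiveDirectory

$msaName = 'sql-srv1'   # account name from the post
$sqlHost = 'sql-a'      # SQL Server computer name from the post

# Step 6 caveat: names longer than 15 characters trigger a bug, so refuse early.
if ($msaName.Length -gt 15) {
    throw "MSA name '$msaName' exceeds 15 characters"
}

# ---- Part 1: on the domain controller ----
# Step 3: create the account. No password is supplied; AD generates and
# rotates it. (2008 R2 syntax, as in the post; on Windows Server 2012 and
# later a standalone MSA additionally needs -RestrictToSingleComputer.)
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    New-ADServiceAccount -Name $msaName -Enabled $true
}

# Step 4: bind the account to the SQL Server computer object.
Add-ADComputerServiceAccount -Identity $sqlHost -ServiceAccount $msaName

# Check: the computer object now lists the MSA, and AD has set a password.
$bound = (Get-ADComputer -Identity $sqlHost -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'
if (-not ($bound -match "CN=$msaName,")) {
    throw "$msaName is not bound to $sqlHost"
}
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet

# ---- Part 2: on sql-a ----
# Step 5: install the MSA on the host that will run the service, then confirm
# the host can actually retrieve the managed password.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$msaName installed but not usable on $env:COMPUTERNAME"
}
"$msaName is ready; use $env:USERDOMAIN\$msaName`$ with a blank password in the Services console"
```

If Test-ADServiceAccount returns False after a successful install, recheck that step 4 was run against the right computer object before configuring the SQL Server service.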
Now you can use this account as the service account. The account name must carry the $ suffix, for example domain\sql-srv1$, and the Password and Confirm password fields are left blank. Refer to the configuration at http://blog.csdn.net/dba_huangzj/article/details/37924127. Note that the account must first be configured in the Windows Services console (Service Manager), not directly in SQL Server Configuration Manager, otherwise an error occurs.
After configuring it in the Services console, you can restart the SQL Server service in SQL Server Configuration Manager without having to configure it again:
Principle:
A managed service account is bound to a single machine and is used only by services, so it cannot be used to log on interactively, nor can it be used for the Cluster service, because clustering requires a service account that spans multiple cluster nodes. Unlike a local built-in account, however, a managed account has a name that is visible on the network and can be used to access network shared resources.
When you create a managed account in Active Directory you do not specify a password; the password is managed by Active Directory and refreshed automatically according to the password policy (every 30 days by default), and the SQL Server service is not affected while this happens.
Once created, the account appears under the "Managed Service Accounts" node in the Active Directory Users and Computers tool, but it cannot be modified there; all changes must be made with PowerShell.
In the procedure above, the New-ADServiceAccount command may fail with an "access is denied" error caused by the User Account Control (UAC) policy. You can either log on with the Domain Administrator account or temporarily disable Admin Approval Mode.
To disable Admin Approval Mode, run secpol.msc on the domain controller, locate the corresponding setting, disable it, and restart the computer.
More information:
If you no longer use the managed service account, you should remove it.
To remove a managed account:
Run on the corresponding server:
Uninstall-ADServiceAccount -Identity SQL-SRV1
Run on the domain controller:
Remove-ADServiceAccount -Identity SQL-SRV1
More information can be accessed:
Service Accounts Step-by-Step Guide http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx
Filed under: http://blog.csdn.net/dba_huangzj/article/details/38037457