Chapter 1 Securing Your Server and Network (3): Use the managed service account


Without the author's consent, no one may republish this article as "original" or use it for commercial purposes. I bear no responsibility for any resulting legal liability.

Previous Article: http://blog.csdn.net/dba_huangzj/article/details/37927319

 

Preface:

 

The Managed Service Account (MSA) was introduced in Windows Server 2008 R2. Its purpose is to make it easier to manage the Active Directory accounts that run services. Before it existed, you had to create an ordinary domain user account to use as the service account, and to avoid service failures caused by password expiration you had to exempt that account from the password policy. Disabling the password policy, however, reduces security.

To solve these problems, a managed service account is an Active Directory account bound to one specific computer. Its password is managed automatically by Active Directory and can be changed periodically without affecting the service. In addition, management of the Service Principal Name (SPN, the unique identifier a client uses to identify a service instance; this is covered in detail later) is simplified.

 

Implementation:

 

Managed service accounts require Windows Server 2008 R2 or Windows 7 or later, with the hotfix at http://support.microsoft.com/kb/2494158 applied. You also need PowerShell to create the account, with the Active Directory module (snap-in) for Windows PowerShell installed on the domain controller:

1. If the PowerShell module is not installed, open Server Manager on the domain controller, right-click the Features node and select Add Features. Under Remote Server Administration Tools → Role Administration Tools → AD DS and AD LDS Tools, select and install Active Directory module for Windows PowerShell, for example:

 


 

2. On the domain controller, open PowerShell with an account that has sufficient permissions and import the ActiveDirectory module:

Import-Module ActiveDirectory



If the above warning appears because the ADWS (Active Directory Web Services) service has not started, which usually happens on virtual machines, the temporary workaround is to enter

Restart-Service ADWS

The permanent fix is to set the startup type of the ADWS service to Automatic (Delayed Start).

3. Create a managed account:

New-ADServiceAccount -Name SQL-SRV1 -Enabled $true

where SQL-SRV1 is the name of the account being created.

 

4. Associate the new account with the SQL Server computer. In this example it is associated with the machine named SQL-A.

Add-ADComputerServiceAccount -Identity SQL-A -ServiceAccount SQL-SRV1


5. The managed service account must be installed on the server that runs SQL Server, so open PowerShell on SQL-A, import the ActiveDirectory module (step 2), and enter the following command:

Install-ADServiceAccount -Identity SQL-SRV1

If this command reports an error, the Active Directory module is probably not installed on that server; install it with the two following commands:

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell



Then import the module as in step 2 and run the command again:


Install-ADServiceAccount -Identity SQL-SRV1

and it should now succeed.


 

 

6. Do not give a managed service account a name longer than 15 characters; otherwise a bug may occur.
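The whole procedure from steps 3 to 6, collected into one PowerShell script as an added example (this is not code from the original article; it uses the article's names SQL-SRV1 and SQL-A, while the function names and the use of $env:USERDOMAIN to build the logon name are my assumptions). It adds the checks a practitioner would want along the way: the 15-character limit from step 6 is enforced before the account is created, the computer binding is verified from the computer object, and Test-ADServiceAccount confirms the host can actually retrieve the password before SQL Server is pointed at the account.

```powershell
# Added example, not the article's own code. Names SQL-SRV1 and SQL-A come from
# the article; the function names and the logon-name format are assumptions.
# Both functions need the Active Directory module (RSAT-AD-PowerShell feature).

function Import-ADModuleOrInstall {
    # Fallback from step 5: install the RSAT AD PowerShell feature if the
    # module is missing, then import it.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ServerManager
        Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
    }
    Import-Module ActiveDirectory
}

# Part 1: run on the domain controller with a domain administrator account.
function New-SqlManagedServiceAccount {
    param(
        [Parameter(Mandatory=$true)][string]$MsaName,   # e.g. SQL-SRV1
        [Parameter(Mandatory=$true)][string]$SqlHost    # e.g. SQL-A
    )
    Import-ADModuleOrInstall

    # Step 6: names longer than 15 characters trigger a bug, so refuse early.
    if ($MsaName.Length -gt 15) {
        throw "Managed service account name '$MsaName' is longer than 15 characters."
    }

    # Step 3, made idempotent: create the account only if it does not exist yet.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
        New-ADServiceAccount -Name $MsaName -Enabled $true
    }

    # Step 4: bind the account to the single computer allowed to use it.
    Add-ADComputerServiceAccount -Identity $SqlHost -ServiceAccount $MsaName

    # Verify the binding from the computer object's side before moving on.
    $linked = Get-ADComputerServiceAccount -Identity $SqlHost |
              Where-Object { $_.Name -eq $MsaName }
    if (-not $linked) {
        throw "$MsaName is not linked to computer $SqlHost."
    }
    Write-Output "$MsaName created and bound to $SqlHost."
}

# Part 2: run on the SQL Server host itself (SQL-A), in an elevated session.
function Install-SqlManagedServiceAccount {
    param([Parameter(Mandatory=$true)][string]$MsaName)
    Import-ADModuleOrInstall

    # Step 5: this is what lets the local machine retrieve the MSA password.
    Install-ADServiceAccount -Identity $MsaName

    # Test-ADServiceAccount returns $true only when this computer can obtain
    # the account's password, i.e. both the binding and the install worked.
    if (-not (Test-ADServiceAccount -Identity $MsaName)) {
        throw "Install-ADServiceAccount did not take effect on $env:COMPUTERNAME."
    }

    # The logon name to enter in the Services console: DOMAIN\name$ with an
    # empty password. Deriving the domain from $env:USERDOMAIN is an assumption.
    $logonName = "$env:USERDOMAIN\$MsaName`$"
    Write-Output "Configure the SQL Server service to log on as $logonName (leave the password blank)."
    return $logonName
}

# Usage (constructed):
#   On the domain controller:  New-SqlManagedServiceAccount -MsaName 'SQL-SRV1' -SqlHost 'SQL-A'
#   On SQL-A:                  Install-SqlManagedServiceAccount -MsaName 'SQL-SRV1'
```

The two functions are deliberately separate because the article's steps run on two different machines: the account is created and bound on the domain controller, but only the bound computer itself can run Install-ADServiceAccount successfully, which is why the Test-ADServiceAccount check lives on the host.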

Now you can use this account as the service account. The account name must carry the $ suffix, for example DOMAIN\SQL-SRV1$, and the password and confirm-password fields are left empty. Refer to http://blog.csdn.net/dba_huangzj/article/details/37924127 for the configuration steps. Note that the account must first be configured in the Windows Services manager (services.msc) rather than directly in SQL Server Configuration Manager; otherwise an error is reported.


 

After configuring the account in the Services manager, restart the SQL Server service from SQL Server Configuration Manager. You do not need to configure the account again there:


 

Principle:

 

Managed service accounts are bound to a single machine and are used only for services. They therefore cannot be used for interactive logon or for clustered services, because a cluster requires a service account that spans multiple cluster nodes. Unlike a local built-in account, however, the managed account is a domain identity known on the network and can be used to access shared resources on the network.

When you create a managed account in Active Directory, you do not need to specify a password. Active Directory manages the password automatically and rotates it according to the password policy (every 30 days by default) without affecting the SQL Server service.

After creating the account, you can view it under the "Managed Service Accounts" node in the "Active Directory Users and Computers" tool on the domain controller, but all operations on it require PowerShell.
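A read-only audit, added here as an example that is not part of the original article, for checking the properties this section describes: that the account is still bound to its computer, that Active Directory is rotating its password within the expected window, and that the SQL Server service on the host really runs under the account. The 30-day window, the names SQL-SRV1 and SQL-A, the default-instance service name MSSQLSERVER and the use of $env:USERDOMAIN for the domain are assumptions taken from or added to the article; the script is meant to run on the domain controller with the Active Directory module installed.

```powershell
# Added example, not the article's own code. Audits a managed service account:
# is it enabled, still bound to its host, rotated on time, and actually used by
# the SQL Server service? SQL-SRV1, SQL-A, MSSQLSERVER and the 30-day window
# are assumptions; run on the domain controller.

Import-Module ActiveDirectory

function Get-MsaAuditReport {
    param(
        [string]$MsaName            = 'SQL-SRV1',
        [string]$SqlHost            = 'SQL-A',
        [string]$ServiceName        = 'MSSQLSERVER',
        [int]   $MaxPasswordAgeDays = 30
    )

    # PasswordLastSet is not in the default property set, so request it.
    $acct = Get-ADServiceAccount -Identity $MsaName -Properties PasswordLastSet, Enabled
    $ageDays = if ($acct.PasswordLastSet) {
        [math]::Round(((Get-Date) - $acct.PasswordLastSet).TotalDays, 1)
    } else {
        [double]::PositiveInfinity   # never set: treat as overdue
    }

    # Is the account still linked to the computer it was created for?
    $linked = Get-ADComputerServiceAccount -Identity $SqlHost |
              Where-Object { $_.Name -eq $MsaName }

    # Which identity does the SQL Server service start with on the host?
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $SqlHost -Filter "Name='$ServiceName'"
    $expectedLogon = "$env:USERDOMAIN\$MsaName`$"   # assumption: caller's NetBIOS domain

    $report = New-Object PSObject -Property @{
        Account         = $MsaName
        Enabled         = [bool]$acct.Enabled
        BoundToHost     = [bool]$linked
        PasswordAgeDays = $ageDays
        PasswordRotated = ($ageDays -le $MaxPasswordAgeDays)
        ServiceLogonAs  = $svc.StartName
        ServiceUsesMsa  = ($svc.StartName -eq $expectedLogon)
    }

    # Flag each failed check. A stale password usually means the host never ran
    # Install-ADServiceAccount or has been offline past the rotation window.
    if (-not $report.Enabled)         { Write-Warning "$MsaName is disabled." }
    if (-not $report.BoundToHost)     { Write-Warning "$MsaName is not bound to $SqlHost." }
    if (-not $report.PasswordRotated) { Write-Warning "Password of $MsaName is $ageDays days old (limit $MaxPasswordAgeDays)." }
    if (-not $report.ServiceUsesMsa)  { Write-Warning "$ServiceName on $SqlHost runs as '$($svc.StartName)', expected '$expectedLogon'." }

    return $report
}

# Usage (constructed): Get-MsaAuditReport | Format-List
```

Running this periodically catches the two silent failure modes of the setup above: a service that was switched back to a manual domain account (ServiceUsesMsa false) and a host that stopped rotating the password because the account was never installed on it or the machine was offline (PasswordRotated false).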


 

In the above process, New-ADServiceAccount may fail with an "Access is denied" error caused by the User Account Control (UAC) policy. You can log on with the domain administrator account, or temporarily disable Admin Approval Mode.

To disable Admin Approval Mode, run secpol.msc on the domain controller, find the Admin Approval Mode setting, disable it, and restart the computer.




For more information:

 

If you no longer use a managed service account, you should remove it:

Remove a managed account:

Run the following command on the corresponding server:

Uninstall-ADServiceAccount -Identity SQL-SRV1


 

Run on the domain controller:

Remove-ADServiceAccount -Identity SQL-SRV1


 

For more information, visit:

Service Accounts Step-by-Step Guide http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx

