Learning Summary: Active Directory Domain Services Administration 03 - Managed Accounts

Source: Internet
Author: User

Managed Accounts


I. Application Scenarios

1.1) After users and computers are imported, Active Directory holds a corresponding user account and computer account for each. The user account's password is governed by PSO (fine-grained password policy) and GPO; the computer account also has a password of its own. For example, in the "Computers" container you can see where domain-joined computers land by default (to redirect newly joined computers to a specified OU, run: redircmp "OU=New Computer OU,DC=contoso,DC=com"). Right-click a computer and choose "Reset Account" to reset the computer account's password. Normally nobody has to manage that password: it is maintained automatically, with the member computer changing it every 30 days by default.

1.2) Besides user and computer accounts, applications need service accounts: the identity under which an application server (CRM, SharePoint and the like), a Windows service, or a scheduled script runs. An ordinary domain user can be used as this application account. That works well for high availability, because several servers behind a load balancer can all run under the same domain account, and the account is centrally controlled. The drawback is that once the domain account's password is changed, every place the old password is stored must be updated in step, and anything that is missed stops working.

1.3) Windows Server 2008 R2 introduced the managed service account (MSA), which combines the characteristics of a user account (it can run services) and a computer account (Active Directory maintains the password, rotating it periodically and keeping it in sync, so nobody ever types or stores it). The limitation is that a standalone MSA can be installed on only one server. The group managed service account (gMSA), available from Windows Server 2012 (it needs a Windows Server 2012 or later domain controller and a KDS root key), can be used on multiple servers, for example behind a load balancer.
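As an added example (not from the original post), the following PowerShell audit puts the three account types above side by side: computer accounts whose machine password has stopped rotating, ordinary user accounts that are being used as service accounts (typically flagged "password never expires" precisely to avoid the synchronization problem in 1.2), and services on the local server that run under a domain user instead of a managed account. It assumes the ActiveDirectory RSAT module is installed and the caller can read the domain; the 60-day staleness threshold is an assumption, chosen as twice the default 30-day rotation.

```powershell
# Added example, not part of the original post. Assumes RSAT-AD-PowerShell
# is installed and the caller can read the domain.
Import-Module ActiveDirectory

# 1. Computer accounts: the member changes its own machine password every
#    30 days by default. One that has not changed in far longer is offline,
#    abandoned, or has secure-channel password rotation disabled.
#    (60 days = twice the default interval; assumption, adjust as needed.)
$threshold = (Get-Date).AddDays(-60)
$staleComputers = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $threshold } |
    Select-Object Name, OperatingSystem, PasswordLastSet,
        @{ Name = 'DaysSinceChange'
           Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }

# 2. User accounts with "password never expires" are usually service accounts
#    whose password is stored in a service, app pool or scheduled task.
#    These are the candidates for conversion to an MSA/gMSA.
$neverExpiring = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, ServicePrincipalNames |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalNames -join ';' } }

# 3. On this member server: which services run under a domain user?
#    Managed service accounts appear as DOMAIN\name$ and are excluded.
$domainNetbios = (Get-ADDomain).NetBIOSName
$servicesOnDomainUsers = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "$domainNetbios\*" -and $_.StartName -notlike '*$' } |
    Select-Object Name, StartName, State, StartMode

"--- Computers whose machine password stopped rotating ---"
$staleComputers | Format-Table -AutoSize
"--- Users with PasswordNeverExpires (likely hand-managed service accounts) ---"
$neverExpiring | Format-Table -AutoSize
"--- Local services running under a plain domain user ---"
$servicesOnDomainUsers | Format-Table -AutoSize
```

Run it on a member server with a domain account that can read AD; section 3 only covers the local machine, so repeat it (or wrap it in Invoke-Command) for each application server. An account that shows up in both the second and third lists is exactly the case the rest of this post solves with a gMSA.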


II. Configuration Process


"Reset Account" resets the password of the computer account.

[Screenshot: 1.jpg]

In the Attribute Editor, the pwdLastSet attribute shows that the password was last set at the moment the account was reset.

[Screenshot: 2.jpg]

A Windows service can be configured to run under a specified account (the "Log On" tab of the service properties).

[Screenshot: 3.jpg]

Install IIS and open the Default Web Site; its application pool is still running under the default identity.

[Screenshot: 4.jpg]

Change the application pool identity to a custom domain account.

[Screenshot: 5.jpg]

After the change, the worker process runs as the custom domain user.

[Screenshot: 6.jpg]

The biggest problem with running an application under an ordinary domain user is that as soon as its password is changed (for example by the regular password policy), the credential stored in the application pool or service is stale and the application stops working.

[Screenshot: 7.jpg]

Create the KDS root key that managed accounts depend on (Add-KdsRootKey). By default the key only becomes usable 10 hours after creation, so that it can replicate to every domain controller first; here it is backdated so that it takes effect immediately, which is acceptable in a lab.

[Screenshot: 8.jpg]

Create the group managed service account gMSA1 and allow the server fs1.contoso.com to retrieve its password.

[Screenshot: 9.jpg]

View the generated managed account gMSA1 (it appears in the Managed Service Accounts container).

[Screenshot: 10.jpg]

[Screenshot: 11.jpg]

To add the managed account on the FS server, first install the Active Directory PowerShell module there.

[Screenshot: 12.jpg]

Install the managed account on the server (Install-ADServiceAccount).

[Screenshot: 13.jpg]

Next, test it on the application server FS1 by setting the application pool identity to the managed account. Note that a managed service account has no password to enter: the user name is contoso\gMSA1$ and the password field is left blank.

[Screenshot: 14.jpg]


[Screenshot: 15.jpg]
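The same procedure as a script, added here as an example and not the post's own commands. It assumes the names used in the post (gMSA1, fs1.contoso.com, contoso.com, the IIS DefaultAppPool); the host group name gMSA1-Hosts, the SPN HTTP/fs1.contoso.com and the 30-day rotation interval are assumptions. The first part runs on a domain controller (or any machine with RSAT, as a domain admin); the second part runs on fs1.

```powershell
# Added example, not part of the original post. Names other than those in the
# post (gMSA1-Hosts, the SPN, the interval) are assumptions.
Import-Module ActiveDirectory

# --- On the domain (once per forest) -------------------------------------
# The KDS root key is what domain controllers use to derive gMSA passwords.
# By default it becomes usable 10 hours after creation, so it can replicate
# to every DC before any server asks for a password.
if (-not (Get-KdsRootKey)) {
    # Lab only: backdate the effective time so the key is usable right now.
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait 10 hours.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Grant password retrieval to a group rather than to one computer, so adding
# a second farm member later is a group-membership change, not an account edit.
$hostGroup = 'gMSA1-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'fs1')

# The interval can only be set at creation time; 30 days matches the post.
New-ADServiceAccount -Name 'gMSA1' `
    -DNSHostName 'gMSA1.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/fs1.contoso.com' `
    -KerberosEncryptionType AES128, AES256

# Verify who may fetch the password and how often it rotates.
Get-ADServiceAccount -Identity 'gMSA1' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Format-List Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# --- On fs1.contoso.com ----------------------------------------------------
# Reboot fs1 first (or otherwise refresh its computer token) so that the new
# group membership is present; otherwise Test-ADServiceAccount returns False.
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity 'gMSA1'
if (-not (Test-ADServiceAccount -Identity 'gMSA1')) {
    throw 'fs1 cannot retrieve the gMSA password; check group membership and KDS key.'
}

# Bind the IIS application pool to the gMSA. The user name is DOMAIN\name$ and
# the password is deliberately empty: Windows fetches it from AD itself.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ identityType = 3; userName = 'CONTOSO\gMSA1$'; password = '' }   # 3 = SpecificUser
Restart-WebAppPool -Name 'DefaultAppPool'
```

Test-ADServiceAccount is the check worth keeping in a deployment script: it proves that this host can actually obtain the managed password from a DC, which is the only thing that can still go wrong once no password is stored anywhere on the server.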



This article is from the "Johnlu Microsoft Technology Blog"; reprinting is not permitted.
