Managed Service Accounts
I. Application Scenarios
1.1) After user and computer resources are imported, Active Directory holds a corresponding user account and computer account for each. The user account's password can be managed through PSO and GPO, and the computer account likewise carries its own password information. For example, in the "Computers" OU you can see that domain-joined computers are placed there by default (to redirect newly joined computers to a specified OU, use the command: redircmp "ou=new computer ou,dc=contoso,dc=com"). Right-clicking a computer and choosing "Reset Account" resets the password of that computer account. The computer account password is maintained by Active Directory and is changed every 30 days.
1.2) Besides user and computer accounts, applications need service accounts (for example CRM and SharePoint application servers, the designated run-as accounts of services, and the accounts under which scheduled scripts and tasks run). An ordinary domain user can serve as the application account. This works well for high availability across multiple servers, since the servers behind a load balancer all use the same domain account and that account can be controlled centrally; however, as soon as the domain account's password is changed, synchronization problems appear on every server that still uses the old password.
1.3) Managed service accounts, available from Windows Server 2008 R2, combine the characteristics of the user account and the computer account: the password is maintained by Active Directory (changed periodically and kept in sync). The limitation is that a managed service account can be used on only one server (from Windows Server 2012 R2 a group managed service account can be used on multiple servers, for example behind a load balancer).
II. Configuration Process
"Reset Account" resets the password of the computer account.
In the Attribute Editor you can see that the password's last-set time was recorded at the moment the account was reset.
A service can be configured with a specific run-as account.
Install the IIS role and open the default site; you can see that its worker process runs under the default identity.
Change the process so that it runs under a custom domain account.
After the change, the process runs as the custom domain user.
The biggest problem with using a domain account as a run-as account is that as soon as its password is changed on schedule, the program stops working.
Enable managed accounts. By default this takes effect 10 days after it is enabled; here it is changed to take effect immediately.
Create the managed account gMSA1 and allow the server fs1.contoso.com to use it.
View the generated managed account gMSA1.
To add the managed account on the FS server, first install the Active Directory PowerShell module there.
Install the managed account on the server.
Next we test on the application server FS1 that the account works. Note that no password has to be entered for the managed service account.
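The configuration steps above, as an added PowerShell example that is not part of the original post. The account name gMSA1, the server fs1.contoso.com and the 10-day default for enabling managed accounts come from the post; the application pool name DefaultAppPool and the msDS-ManagedPasswordInterval check are assumptions.

```powershell
# Added example: group managed service account setup for the scenario in the post.
# Assumed names: domain contoso.com, account gMSA1, application server fs1, IIS "DefaultAppPool".

### On a domain controller ###
Import-Module ActiveDirectory

# Step 1: enable managed accounts by creating the KDS root key.
# By default the key only becomes usable 10 days later (time for it to replicate to every DC).
# Backdating the effective time makes it usable at once; suitable for a lab or single-DC domain.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Step 2: create the account and restrict which computer accounts may retrieve its password.
# Only fs1$ is allowed here; Install-/Test-ADServiceAccount on any other host will fail.
New-ADServiceAccount -Name gMSA1 `
    -DNSHostName gMSA1.contoso.com `
    -PrincipalsAllowedToRetrieveManagedPassword 'fs1$'

# Check: rotation interval (30 days by default) and the allowed principals.
Get-ADServiceAccount -Identity gMSA1 `
    -Properties msDS-ManagedPasswordInterval, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, msDS-ManagedPasswordInterval, PrincipalsAllowedToRetrieveManagedPassword

### On the application server fs1 ###
# Step 3: add the AD PowerShell module (RSAT) and install the account on this host.
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity gMSA1

# Step 4: verify; returns True when this host can retrieve the managed password.
Test-ADServiceAccount -Identity gMSA1

# Step 5: run the IIS application pool as the gMSA. Note the trailing '$' and the empty
# password: the host fetches the current password from AD itself, so nothing is stored in
# the pool configuration and the scheduled password change no longer breaks the site.
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ userName = 'CONTOSO\gMSA1$'; password = ''; identityType = 3 }  # 3 = SpecificUser
Restart-WebAppPool -Name DefaultAppPool
```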
This article is from the "Johnlu Microsoft technology Blog"; reprinting is declined.
Learning Summary - Active Directory Domain Services Administration 03 - Managed Accounts