Kevin Remde's IT Pro Weblog
For those of you who are not familiar with these things called Managed Service Accounts, let’s first talk about the problem that the solve. But let’s first set the stage with a couple of assumptions:
“Um.. Kevin.. Yes to the first one.. but definitely not the second one.”
“Because then the services won’t start.”
Bingo. And even worse, it doesn’t show up as a problem until days or weeks later when for some reason (an update, perhaps?) you have to restart a server. Suddenly things are broken, and you’re not sure why… until you find that the service that Exchange or IIS was depending on didn’t start. So unless you’re really good at also going to each and every server and each and every service definition to reset the passwords there, you’re going to have problems.
Managed Service Accounts take the concerns of having to set/reset passwords out of your hands. They are special Active Directory accounts that manage their passwords automatically for you; by default having 120 character complex passwords that reset themselves every 30-days, and having no rights to log-on locally.
Currently (and I say that because I don’t know if this is going to be different in Windows Server 2012) you 1) create the account, and then 2) install the account to a server using PowerShell.
For complete details on Managed Service Accounts, see these pages:
So, back to Casy’s question: Can you use Managed Service Accounts on Server 2003 or Server 2003 R2?
Well… I should probably clarify something here. Managed Service Accounts require the Active Directory schema to be updated to the Server 2008 R2 version, but they don’t strictly require the domain functional level to be raised – meaning that you can use them even if you’re still running domain controllers that are Windows Server 2003 SP2, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 SP2. (You will need to do adprep /forestprep and adprep /domainprep. See AdPrep for details.) Plus, the Active Directory Management Gateway Service would have to be installed on those older Domain Controllers to allow them to manage Managed Service Accounts.
“Okay.. so they can exist in a domain that has older domain controllers. But can I install them and use them on older servers or workstations?”
No. Sorry. “To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7.” (From the Service Accounts Step-by-Step Guide, “Requirements for using managed service accounts and virtual accounts” section.)
I hope that clarifies things for you.
Are you using Managed Service Accounts? Have they been useful to you? Please share your thoughts in the comments.
I was dm'ing back and forth with @shawntravers about this the other day, really awesome!
So what services support using managed service account? Can I use them with all Microsoft products? Scvmm, SQL, exchange...., Can I use them with 3rd party programs? Backup exec? Do applications need to be managed service account aware?
Aaron - Yes, yes, yes, and mo. :) You can use them wherever you would have previously used a domain account. And no, your application doesn't know or care that it's using a special account.
(And let me add an apology to you for not seeing and approving your comment sooner. I missed the e-mail notification from the blog application.)