permissions on the service accounts it uses, depending on exactly which features and
capabilities of SQL Server are installed.
Creating and configuring Managed Service Accounts
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 and Windows
7. MSAs are Active Directory accounts that are tied to a specific computer. MSAs have long
complex passwords, and they are maintained automatically. MSA passwords are changed on
the same schedule as the computer account and through the same mechanism.
In addition to having complex passwords that are automatically maintained, MSAs can't be
used for interactive logon, nor can they be locked out. Normally, the MSA password is
generated and set automatically, but it can be set to an explicit value by an administrator.
It can also be reset on demand to a new generated value.
EXAM TIP
The password associated with an MSA is automatically updated every 30 days. This is likely
to find its way into the conditions for an exam question, so it's good to remember that
number.
Creating an MSA
MSAs are created in the Managed Service Accounts container of Active Directory and have an
object class of msDS-ManagedServiceAccount. MSAs require a minimum Active Directory
domain functional level of Windows Server 2008 R2 to allow for automatic management of
the Service Principal Name (SPN) and password of the MSA, and can be installed only on
Windows Server 2008 R2, Windows 7, and later releases of Windows and Windows Server. If
your domain is not at least Windows Server 2008 R2 level, but your schema is updated to
Windows Server 2008 R2, automatic password management works, but automatic SPN
management does not.
MSAs can be created only by using the ActiveDirectory module of Windows PowerShell.
This module requires Windows PowerShell version 2.0 or later and can be installed on
Windows Server 2008 R2 or later servers, or Windows 7 or later clients with Remote Server
Administration Tools (RSAT) installed.
You can create an MSA by following these steps:
1. Open a Windows PowerShell prompt with elevated privilege.
2. Import the ActiveDirectory module. (This step is required only on Windows Server
2008 R2 and Windows 7. Later releases automatically load the module.)
Import-Module ActiveDirectory
3. Create the MSA account (Windows Server 2012 R2).
New-ADServiceAccount -Name <MSAAccountName> -RestrictToSingleComputer -Enabled $True
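To check that the automatic password maintenance described above is actually taking place, the following added example (not from the book) lists accounts of object class msDS-ManagedServiceAccount and flags any that are disabled, not linked to a computer, or whose password is older than the 30-day interval. The function name Get-MsaRotationReport and the 7-day grace value are assumptions for illustration; the script needs the ActiveDirectory module and PowerShell 3.0 or later.

```powershell
# Added example (not from the book): report the rotation state of standalone MSAs.
# Get-MsaRotationReport and -GraceDays are hypothetical names chosen for illustration.
function Get-MsaRotationReport {
    param(
        [int]$MaxAgeDays = 30,  # update interval stated in the text
        [int]$GraceDays  = 7    # assumed slack for hosts that were offline
    )
    Import-Module ActiveDirectory   # explicit import needed only on 2008 R2 / Windows 7
    $now = Get-Date

    # -Filter * also returns other service account classes, so keep standalone MSAs only.
    Get-ADServiceAccount -Filter * -Properties PasswordLastSet, HostComputers |
        Where-Object { $_.ObjectClass -eq 'msDS-ManagedServiceAccount' } |
        ForEach-Object {
            $msa   = $_
            $hosts = @($msa.HostComputers | Where-Object { $_ })   # drop empty entries
            $age   = $null
            if ($msa.PasswordLastSet) {
                $age = [math]::Floor(($now - $msa.PasswordLastSet).TotalDays)
            }

            # First matching condition wins; 'OK' means nothing to review.
            $finding = 'OK'
            if (-not $msa.Enabled)          { $finding = 'Disabled' }
            elseif ($hosts.Count -eq 0)     { $finding = 'NotAssignedToComputer' }
            elseif ($null -eq $age)         { $finding = 'PasswordNeverSet' }
            elseif ($age -gt ($MaxAgeDays + $GraceDays)) { $finding = 'PasswordStale' }

            [pscustomobject]@{
                Name            = $msa.Name
                Enabled         = $msa.Enabled
                HostComputers   = $hosts -join '; '
                PasswordLastSet = $msa.PasswordLastSet
                PasswordAgeDays = $age
                Finding         = $finding
            }
        }
}

# Show only the accounts that need attention.
Get-MsaRotationReport | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

A PasswordStale finding usually means the computer the MSA is tied to has been offline or cannot reach a domain controller, since the MSA password changes through the same mechanism as the computer account.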