Introduction
I have been playing around with the newly released capability of our AD connector to use Group Managed Service Accounts (gMSA). I am no AD expert and this article will evolve, but this is a quick test I have done in my homelab AD setup.
NOTE: These are not official steps and I am not an AD expert. Please test in your sandbox environment first, and understand and adjust each command according to Microsoft's guidance and your own AD deployment guidelines.
Infrastructure
- AD Domain: abc.local
- Functional Level: Windows Server 2016
- Domain Controller (one): dc1.abc.local
- IQService: running on the domain controller "dc1", non-TLS on port 6050 (a lab shortcut; running IQService on a DC and without TLS is not something you would do in production)
Steps
- Generate a KDS root key and backdate it so that it is usable immediately. The key only becomes usable 10 hours after its EffectiveTime (to give all DCs time to replicate it), so backdating is a single-DC lab trick; in production use -EffectiveImmediately and wait the 10 hours.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
- Create a new group managed service account called GMSA_ACCOUNT. DC1 is a member of the "IQService Servers" group, so we allow the computers in that group to retrieve the managed password. Only principals on this list can ever read the password, which is what makes the gMSA more than a regular service account. (-DNSHostName is usually set to the FQDN the service is reached under, e.g. GMSA_ACCOUNT.abc.local; the domain name was used here.)
New-ADServiceAccount GMSA_ACCOUNT -DNSHostName abc.local -PrincipalsAllowedToRetrieveManagedPassword "IQService Servers"
The account now shows up under the Managed Service Accounts container.
- Add a UPN for the account, as it is missing at this stage, by manually editing the userPrincipalName attribute in Attribute Editor (the same attribute can also be set from PowerShell with Set-ADObject -Replace).
- Run Install-ADServiceAccount on the machine that will run the service (DC1 here). This only succeeds if that machine is allowed to retrieve the managed password; a computer added to "IQService Servers" needs a reboot before its Kerberos ticket reflects the new group. Test-ADServiceAccount -Identity GMSA_ACCOUNT should return True afterwards.
Install-ADServiceAccount -Identity 'CN=GMSA_ACCOUNT,CN=Managed Service Accounts,DC=abc,DC=local'
- Add this account as a local Administrator on the machine running IQService so that it can start the service. Bear in mind that on DC1 "local Administrators" is the domain's built-in Administrators group, so this grants the gMSA administrative rights on the DC; in a real deployment give the account only the rights IQService needs on a dedicated member server.
- Run Set-ADServiceAccount to adjust who is allowed to retrieve the password. Note that -PrincipalsAllowedToRetrieveManagedPassword replaces the whole list rather than appending to it, so passing only GMSA_ACCOUNT$ would drop the "IQService Servers" group set when the account was created; list every principal that must keep access:
Set-ADServiceAccount -Identity GMSA_ACCOUNT$ -PrincipalsAllowedToRetrieveManagedPassword "IQService Servers", GMSA_ACCOUNT$
- In the IQService service properties go to Log On, change the account to the gMSA (abc\GMSA_ACCOUNT$, leaving the password fields empty) and click OK. The Services snap-in grants the "Log on as a service" right for you at this point. You can follow my guide on how to install IQService from scratch if you need it.
- Give the gMSA account full rights to the IQService folder.
- Restart IQService (or DC1 for good measure).
- Now set up an AD source the normal way, with slight changes on the Domain Settings page (port 389 with SASL authentication for gMSA, so the connector authenticates as the service account via Kerberos instead of a stored password).
- On the IQService page configure the non-TLS port (6050 here).
- Run Test Connection and everything should be GREEN 🙂
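As an added example (not from the original post or from SailPoint), the same procedure as one PowerShell script run as a Domain Admin on dc1, with a check after each step so you can see where it breaks rather than waiting for Test Connection to go red. The Windows service name IQService and the install path C:\Program Files\SailPoint\IQService are assumptions for this lab; the group "IQService Servers", the account name and the domain are the ones used above.

```powershell
# Added example, not the post's own steps. Run elevated on the host that will run
# IQService (dc1.abc.local in this lab). Assumed names: service 'IQService' and
# install path 'C:\Program Files\SailPoint\IQService'.
Import-Module ActiveDirectory

$Domain    = 'abc.local'
$NetBios   = 'abc'
$Gmsa      = 'GMSA_ACCOUNT'
$HostGroup = 'IQService Servers'                      # computers allowed to fetch the password
$SvcName   = 'IQService'                              # assumed Windows service name
$SvcPath   = 'C:\Program Files\SailPoint\IQService'   # assumed install path
$GmsaSam   = "$NetBios\$Gmsa`$"                       # abc\GMSA_ACCOUNT$

# 1. KDS root key. It is usable 10 hours after EffectiveTime, hence the backdate
#    in a single-DC lab. Production: Add-KdsRootKey -EffectiveImmediately, then wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime | Format-Table

# 2. Create the gMSA. Only members of $HostGroup may retrieve the password, AD
#    rotates it every 30 days, and nobody ever types or stores it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
    New-ADServiceAccount -Name $Gmsa `
        -DNSHostName "$Gmsa.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType AES128, AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -Enabled $true
}

# 3. Populate the UPN (empty after creation) instead of using Attribute Editor.
$acct = Get-ADServiceAccount -Identity $Gmsa
Set-ADObject -Identity $acct.DistinguishedName -Replace @{ userPrincipalName = "$Gmsa`$@$Domain" }

# 4. Install the account on this host and prove the host can pull the password.
#    A failure here usually means the host is not (yet) in $HostGroup: add it and reboot.
Install-ADServiceAccount -Identity $Gmsa
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "This host cannot retrieve the managed password for $Gmsa. Is it a member of '$HostGroup'?"
}

# 5. Who may retrieve the password. Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword
#    REPLACES this list, so always pass every principal you still want on it.
Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# 6. Local rights on the IQService host. The post grants local Administrator and
#    Full Control on the folder; on a DC this is administrator of the DC, so scope
#    it down on a real member server. net localgroup also works on DCs.
net localgroup Administrators $GmsaSam /add
icacls $SvcPath /grant "${GmsaSam}:(OI)(CI)F" /T | Out-Null

# 7. Run the service as the gMSA with an empty password; Windows fetches the real
#    one from AD. Unlike the Services snap-in, this does NOT grant the
#    'Log on as a service' right: if the service fails to start with error 1069,
#    grant that right to $GmsaSam in the policy that applies to this host.
$svc = Get-CimInstance Win32_Service -Filter "Name='$SvcName'"
$res = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $GmsaSam
    StartPassword = ''
}
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($res.ReturnValue)" }
Restart-Service -Name $SvcName

# 8. Verify the service is actually running under the gMSA.
Get-CimInstance Win32_Service -Filter "Name='$SvcName'" |
    Select-Object Name, StartName, State
```

Step 4 is the one worth running on its own whenever something looks off later: Test-ADServiceAccount returning False means the host has lost the right to fetch the password (for example after step 5 overwrote the principal list), and IQService will stop authenticating at the next 30-day rotation even though it still starts today.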
Conclusion
By following these steps you can configure gMSA in the AD connector for ISC. The benefit is that the service account password is generated and rotated by AD (every 30 days by default) and can only be retrieved by the hosts you list, so no static password has to be stored in ISC or on the IQService host. Test in your environment and adjust the settings as needed.