Question
Tuesday, October 24, 2017 6:54 PM
I have a small virtual lab on my Windows 10 machine. The lap includes two Windows Server 2016 machines. One machine is a domain controller. One machine is domain attached server. I am exercising the MSA feature, and I'm having a rough go of it.
I can create the MSA on the domain controller with no issue:
The problem comes when I try to install the MSA on the target server:
I am logging into the target server as a domain administrator. I don't know what is possibly denying my access.
Help,
A-
Adam
All replies (6)
Thursday, October 26, 2017 7:28 AM ✅Answered
Hi, I got the same; it looks like a lack of knowledge or something else. I tried to do everything as in (https://blogs.msdn.microsoft.com/arvindsh/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips/)
but I've got an error just like yours.
Just figured out - you need to Allow your target computer to read MSA:
Set-ADServiceAccount -Identity %targetidentity% -PrincipalsAllowedToRetrieveManagedPassword %allowedcomputer%.
First written here:
https://community.spiceworks.com/topic/1994519-problem-installing-newly-created-service-account-on-server and point here:
https://trevorsullivan.net/2012/10/15/powershell-creating-active-directory-managed-service-accounts/
to sum up:
you first allow your computer to read the new MSA, then add it to the local system:
1) Set-ADServiceAccount -Identity %targetidentity% -PrincipalsAllowedToRetrieveManagedPassword %allowedcomputer%
2) Install-ADServiceAccount %targetidentity%
Friday, October 27, 2017 9:41 PM ✅Answered
Serge, you magical man you! If you were here, I'd give you a kiss on the cheek..
I ran the following:
##On the Domain Controller...
New-ADServiceAccount -Name svc-dbs02-eng02 -DNSHostName svc-dbs02-eng02.sandbox.local -Enabled $true
Add-ADComputerServiceAccount -Identity sbx-misc-dbs02 -ServiceAccount svc-dbs02-eng02
##On the Host Machine...
Set-ADServiceAccount -Identity 'svc-dbs02-eng02' -PrincipalsAllowedToRetrieveManagedPassword 'CN=SBX-MISC-DBS02,CN=Computers,DC=sandbox,DC=local'
Install-ADServiceAccount -Identity 'svc-dbs02-eng02'
The portion headed "On the Domain Controller" was what I ran on my DC. The portion headed "On the Host Machine" was what I ran on my database server (where I wanted the MSA created). Here is the actual call:
Here is my SQL Server instance configured to use my new MSA:
I'd read the help page on "Install-ADServiceAccount", which had the following snippet:
"To successfully install a managed service account, the service account should have the PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet first. Otherwise, installation will fail."
Meaning, you can make that call to "PrincipalsAllowedToRetrieveManagedPassword" in either the "New-ADServiceAccount" or "Set-ADServiceAccount" calls. I tested both ways, and they both worked.
Now, when I first tried your suggestion, it didn't work. When I executed the following:
Set-ADServiceAccount -Identity 'svc-dbs02-eng01' -PrincipalsAllowedToRetrieveManagedPassword 'sbx-misc-dbs02'
I would receive the following error:
"Set-ADServiceAccount : Identity info provided in the extended attribute: 'PrincipalsAllowedToRetrieveManagedPassword' could not be resolved. Reason: 'Cannot find an object with identity
'sbx-misc-dbs02' under: 'DC=sandbox,DC=local'.'."
I was only able to get this load of stuff to work when I used the distinguished name. I have no idea why that is, and I don't really care.
For folks who don't want to have to copy-and-paste the distinguished name,
$machine = hostname
$machine_distinguished_name = $(Get-ADComputer -Filter { Name -eq $machine }).DistinguishedName
Set-ADServiceAccount -Identity 'svc-dbs02-eng01' -PrincipalsAllowedToRetrieveManagedPassword $machine_distinguished_name
Here is the call in practice...
Thanks again Serge!
A-
Adam
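The two-step sequence Serge describes (grant the host the right to retrieve the password, then install) and Adam's resolve-the-computer-object trick, pulled together into one added example. This is not code from the thread; the account and host names (svc-app01, sbx-app01) are made up. It resolves the computer object with Get-ADComputer rather than typing an identity by hand: a computer's sAMAccountName carries a trailing $ (sbx-misc-dbs02$), which is why the bare short name in Adam's error could not be resolved while the distinguished name could. It also checks the KDS root key that a gMSA (an MSA created with -DNSHostName) needs, and finishes with Test-ADServiceAccount, which is the check that fails when the host is not listed in PrincipalsAllowedToRetrieveManagedPassword.

```powershell
# Added example (not from the thread). Creates a managed service account on the DC,
# allows exactly one member server to retrieve its password, then installs and
# verifies it on that server. svc-app01 and sbx-app01 are made-up names.
Import-Module ActiveDirectory

# ---- On the domain controller -------------------------------------------------
# A gMSA password is derived from the KDS root key; without one, creation fails.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key found; create one with Add-KdsRootKey before creating a gMSA."
}

$accountName = 'svc-app01'      # the MSA to create
$hostName    = 'sbx-app01'      # the member server that will run the service
$domainDns   = (Get-ADDomain).DNSRoot

# Resolve the computer object instead of passing a short name. The object itself is a
# valid value for -PrincipalsAllowedToRetrieveManagedPassword, so no DN is copied by hand.
$computer = Get-ADComputer -Filter "Name -eq '$hostName'"
if (-not $computer) { throw "Computer '$hostName' not found in $domainDns." }

# Least privilege: only this one host may retrieve the managed password.
# For a farm, pass an AD group of computer accounts here instead of a single object.
New-ADServiceAccount -Name $accountName `
    -DNSHostName "$accountName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $computer `
    -Enabled $true

# Audit who is allowed to retrieve this account's password (should list only $hostName).
(Get-ADServiceAccount -Identity $accountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# ---- On the member server (elevated PowerShell, domain admin, RSAT AD module) -----
# Install-ADServiceAccount caches the account locally; Test-ADServiceAccount confirms
# this host can actually retrieve the password, which is what fails when the host is
# missing from PrincipalsAllowedToRetrieveManagedPassword.
Install-ADServiceAccount -Identity $accountName
if (-not (Test-ADServiceAccount -Identity $accountName)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $accountName; check PrincipalsAllowedToRetrieveManagedPassword."
}
```

The grant can equally be applied afterwards with Set-ADServiceAccount, as in the accepted answer; the point is that it must be in place before Install-ADServiceAccount runs on the host, and that the allowed principal list is the access control for the account's password, so it should name only the hosts that need it.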
Wednesday, October 25, 2017 2:22 AM
Hi Adam,
Please have a try running PowerShell by right clicking the icon and selecting Run as Administrator.
And instead of using Add-ADComputerServiceAccount, please try to use 'Set-ADServiceAccount' and see if it helps.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, October 25, 2017 2:03 PM
Thanks for the help Wendy.
I'm launching all PowerShell CLI windows with elevated Administrator permissions.
When you say, "Set-ADServiceAccount" in lieu of "Add-ADComputerServiceAccount" can you give me a call example?
The description for each commandlet...
- Set-ADServiceAccount, modifies an active directory service account
- Add-ADComputerServiceAccount, Adds one or more service accounts to an Active Directory computer.
I don't see how I'd be able to use the "Set-ADServiceAccount" commandlet to associate my MSA to a computer in AD. If you can guide me there, I'll buy you a virtual beer.
Adam
Monday, October 30, 2017 12:53 PM
Hi, glad I've helped you!
Tuesday, November 20, 2018 1:39 PM
Thanks both of you. Need stitches after banging my head against the wall for hours trying to get this to work.