
I have a Windows 2012 R2 domain controller called cox.win.testlab. I have set up a group of hosts where I would like to use a gMSA (Group Managed Service Account). This group is called SQLManagedHosts.

I created the account by following these steps in PowerShell on the domain controller:

PS C:\Windows\system32> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

Guid
----
9b68b1e7-db76-c4e4-4978-63c2965e5596

PS C:\Windows\system32> New-ADServiceAccount mSQL -DNSHostName cox.win.testlab -PrincipalsAllowedToRetrieveManagedPassword SQLManagedHosts

PS C:\Windows\system32> Get-ADServiceAccount msql

DistinguishedName : CN=mSQL,CN=Managed Service Accounts,DC=win,DC=testlab
Enabled           : True
Name              : mSQL
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : cf9df74a-38e0-4d7a-856e-9af882b08800
SamAccountName    : mSQL$
SID               : S-1-5-21-3443997112-87545443-1733229669-1602
UserPrincipalName :

On one of the hosts listed in SQLManagedHosts, I ran:

PS C:\Windows\system32> Install-ADServiceAccount msql
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount msql
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (mSQL:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount

Any ideas why it might be failing? All servers involved are Windows Server 2012 R2.

Mark Allison

3 Answers


If you have only recently created the SQLManagedHosts security group and added your computer objects to it, you will have to restart the server for group membership to take effect. Since the server is not a member of the security group if you don't, retrieving the managed password will fail.

You will need to keep this in mind when planning security groups for group MSAs.

Patrick
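The following diagnostic script is an added example, not code from the question or from any of the answers. It walks the checks a practitioner would run on one of the SQLManagedHosts members before retrying Install-ADServiceAccount: whether a KDS root key exists and is already effective, which principals the gMSA allows to retrieve its password, whether the computer object is a group member in AD, and how old the machine account's Kerberos TGT is (a membership added after boot is not in that token until the host restarts). The names mSQL and SQLManagedHosts come from the question; the variable names and the output format are this example's own choices.

```powershell
# Added diagnostic example, not part of the original thread.
# Run in an elevated PowerShell on a member of SQLManagedHosts with the
# ActiveDirectory RSAT module installed. Account and group names are taken
# from the question; $GmsaName/$HostGroup are variables chosen for this example.
Import-Module ActiveDirectory

$GmsaName  = 'mSQL'
$HostGroup = 'SQLManagedHosts'
$Computer  = $env:COMPUTERNAME

# 1. A KDS root key must exist and its EffectiveTime must already have passed
#    on the DC the host talks to; the -EffectiveTime rewind in the question is
#    a lab shortcut for the normal 10-hour replication wait.
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# 2. Which principals are allowed to retrieve the managed password?
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

# 3. Is this computer object a member of the host group in AD (directly or nested)?
$members = Get-ADGroupMember -Identity $HostGroup -Recursive |
           Select-Object -ExpandProperty SamAccountName
$inGroup = $members -contains "$Computer`$"
"AD membership of $Computer in $HostGroup : $inGroup"

# 4. The machine account's token is built at boot. If the TGT for the local
#    SYSTEM logon session (logon ID 0x3e7) predates the group change, the
#    group is not in the token yet and password retrieval will be refused.
klist -li 0x3e7 tgt | Select-String -Pattern 'Start Time|End Time|Renew Time'

# 5. Retry the install as a terminating error so the failure can be caught,
#    then confirm with Test-ADServiceAccount.
try {
    Install-ADServiceAccount -Identity $GmsaName -ErrorAction Stop
} catch {
    Write-Warning "Install-ADServiceAccount failed: $($_.Exception.Message)"
    if ($inGroup) {
        Write-Warning "$Computer is in $HostGroup in AD but its logon token may predate that membership; reboot the host and retry."
    } else {
        Write-Warning "$Computer is not a member of $HostGroup; add the computer object and reboot."
    }
}
$ok = Test-ADServiceAccount -Identity $GmsaName
"Test-ADServiceAccount $GmsaName : $ok"
```

Run it as an administrator: klist -li 0x3e7 needs elevation to read the SYSTEM session's tickets, and Install-ADServiceAccount must run in the machine's context to cache the password locally. If step 3 reports True but step 5 still fails, the reboot described in the answer above is what refreshes the computer's token.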

You cannot use gMSA for SQL services; it's unsupported. You must instead use MSA.

Source: http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx

Daniel
  • Yes I know that but I would like to try with various different services. Any ideas why it won't install? – Mark Allison Jun 06 '14 at 20:44
  • I see. Sorry then, I cannot help you there. – Daniel Jun 09 '14 at 10:12
  • I also tried with the SQLWmi interface with powershell using the `SetServiceAccount()` method but I got this error: `Exception calling "SetServiceAccount" with "2" argument(s): "Set service account failed. "` – Mark Allison Jun 16 '14 at 14:35

I'm not sure why it could be failing, but when I was messing with gMSAs and SQL I was using this GUI and it worked fine.

GMSA GUI