Create a Group Managed Service Account (gMSA)

Introduction

A Group Managed Service Account (gMSA) can be used for services running on multiple servers such as a server farm. ADFS, IIS and systems behind a Network Load Balancer (NLB) are good examples of these. You can also use a gMSA to run services on a single server.

The main benefit from an identity perspective is that there is no password to manage for this account. The gMSA is configured on the servers and Windows handles the password management of the account.

This makes the solution easier to manage since there is no user interaction required to cycle the password on a regular basis. Cycling a normal service account password would involve changing the password in Active Directory and then updating the individual services with the new password to ensure continuation of service.

This also eliminates service accounts with static passwords that are set upon creation and then never cycled again, which I find is the norm with many customers to date. The reason for this is the effort involved in updating the password on multiple systems without causing downtime. Another common finding is that accounts were created long ago and current support staff are not sure on which systems the account is used. You won't have the same experience when using a gMSA since the gMSA is configured to run on specific systems, which can be easily reviewed and updated during the account lifecycle.

The gMSA cannot be used to log on to any computers in the domain. This ensures the service account is only used for its intended purpose of running a service.


Key Distribution Services KDS Root Key

Domain Controllers require a root key to generate the password for gMSA accounts. I am not going into technical details on the root key; please refer to the references at the end of this article for more detailed information if required.

The root key only needs to be created once, thus if there are already gMSA accounts in the domain, then there is no need to create the root key. I will show you how to determine if the root key exists.

To determine if the root key exists I run Get-KdsRootKey in my forest root domain and child domain using Windows PowerShell. I have a two-domain forest configuration. You will not see any output from the command when the root key does not exist:


I will now create the KDS Root Key by running Add-KdsRootKey -EffectiveImmediately in my root domain using Windows PowerShell:


The output is a Guid value which indicates the command completed successfully. Now when I run Get-KdsRootKey I will see the root key values in the output:


The KDS Root Key can also be viewed using the Active Directory Sites and Services console. In the console, select View and then select Show Services Node:


You will find the root key under the Master Root Keys node:


It is important to note that the root key will only be visible in the root domain of the forest, not in any of the child domains. You also cannot create a root key in a child domain. In the example below I used Windows PowerShell to view the root key in my child domain and the output did not display the root key. I also tried creating a root key while logged onto the child domain and received an error message:


Error: Add-KdsRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)

You will need to wait 10 hours before new gMSA accounts can be created. This is a safety measure to ensure all Domain Controllers converge their replication before allowing the creation of a gMSA. It prevents password generation before all Domain Controllers are capable of answering the password requests.
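Before running New-ADServiceAccount it is worth checking both conditions described above in one place: that a root key exists and that the 10 hour window since its effective time has passed. The function below is an added example, not code from the original post. It assumes the ActiveDirectory module is available and that it is run with rights to read the root key in the forest root domain; the function name and its output fields are my own.

```powershell
# Added example (not from the original post): report whether the forest is ready for gMSA creation.
# Uses Get-KdsRootKey and Test-KdsRootKey from the Kds module that ships with the AD tools.
Import-Module ActiveDirectory

function Test-KdsRootKeyReady {
    param(
        # The post states a 10 hour wait after the root key is created
        [int]$RequiredWaitHours = 10
    )

    $keys = @(Get-KdsRootKey)
    if ($keys.Count -eq 0) {
        return [pscustomobject]@{
            Ready         = $false
            Reason        = 'No KDS root key exists in this forest (run Add-KdsRootKey in the root domain)'
            KeyId         = $null
            EffectiveTime = $null
            KeyValid      = $false
        }
    }

    # Use the newest key; EffectiveTime is the point from which DCs may use it
    $newest   = $keys | Sort-Object EffectiveTime -Descending | Select-Object -First 1
    $elapsed  = (Get-Date) - $newest.EffectiveTime
    $waited   = $elapsed.TotalHours -ge $RequiredWaitHours
    $keyValid = Test-KdsRootKey -KeyId $newest.KeyId   # validates the key can be used by this DC

    [pscustomobject]@{
        Ready         = ($waited -and $keyValid)
        Reason        = if (-not $keyValid) { 'Root key present but Test-KdsRootKey failed' }
                        elseif ($waited)    { 'Root key present and wait period elapsed' }
                        else { "Wait $([math]::Ceiling($RequiredWaitHours - $elapsed.TotalHours)) more hour(s) before creating a gMSA" }
        KeyId         = $newest.KeyId
        EffectiveTime = $newest.EffectiveTime
        KeyValid      = $keyValid
    }
}

Test-KdsRootKeyReady
```

Run it in the root domain; in a child domain Get-KdsRootKey returns nothing, so the function reports that no key exists, matching the behaviour shown above.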


Create a Group Managed Service Account (gMSA)

The root key is available in my root domain and I have waited the required 10 hours. I will now be able to create a gMSA in the root domain and in the child domain.

When creating the gMSA you need to specify the computer accounts that will be allowed to make use of the gMSA. The gMSA will not work on any computers that are not specified in the PrincipalsAllowedToRetrieveManagedPassword attribute. You can specify the computer accounts using a comma separated list, or you can specify a security group and then add the computer accounts to the security group instead. I will demonstrate both.

To create a new gMSA in my root domain and specify the computer names I will run the following command:

New-ADServiceAccount -Name gmsa-Test01 -DNSHostName gmsa-Test01.thelabx.co.za -PrincipalsAllowedToRetrieveManagedPassword S01SRV0001$, S01SRV0002$


The gMSA account was created and can be seen in the Managed Service Accounts container:


Let's view some of the properties for the gMSA account using Windows PowerShell. The command I use is as follows:

Get-ADServiceAccount gmsa-test01 -Properties * | FL DNSHostName,KerberosEncryptionType,ManagedPasswordIntervalInDays,Name,PrincipalsAllowedToRetrieveManagedPassword,SamAccountName


The PrincipalsAllowedToRetrieveManagedPassword attribute contains the distinguishedName values for the computer accounts that we specified during creation. The computer names specified have to be valid computer objects. The creation will fail if non-existing computer names are specified.

Take note of the default values for the following attributes which we did not specify during creation:

  • KerberosEncryptionType
  • ManagedPasswordIntervalInDays
  • SamAccountName

The default value for KerberosEncryptionType is RC4, AES128 and AES256. This can be updated after the account is created. You may want to configure the account to use only the highest level of encryption.

The default value for ManagedPasswordIntervalInDays is 30 days. This can only be specified when you create the account and cannot be modified later. This value determines the password change interval. Ensure you specify the required value during creation should you wish to apply a custom password age for the account.

The SamAccountName attribute defaults to the Name attribute that we specified during creation. This can also be updated later, or you can specify the SamAccountName value that you want to use when creating the account. Also take note of the $ (dollar) sign at the end of the name, similar to computer objects. This is the account name that you will use when you configure the services to use the gMSA.

Let's create another gMSA and specify some additional parameters. I will also specify a security group for the PrincipalsAllowedToRetrieveManagedPassword attribute instead of computer accounts.

New-ADServiceAccount -Name gmsa-Test02 -DNSHostName gmsa-Test02.thelabx.co.za -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 60 -SamAccountName testacc02 -PrincipalsAllowedToRetrieveManagedPassword G-gMSA-TestAccount


Let's view some of the properties for the second gMSA account using Windows PowerShell. I use the same command that I used to view the properties of the first account, ensuring I specify the SamAccountName to display the right account:

Get-ADServiceAccount testacc02 -Properties * | FL DNSHostName,KerberosEncryptionType,ManagedPasswordIntervalInDays,Name,PrincipalsAllowedToRetrieveManagedPassword,SamAccountName


We can now see that the account was created with the values that we specified during creation and is no longer using the default values as with the first account. The Name and SamAccountName values are not the same since the SamAccountName value matches what we specified during creation.

The PrincipalsAllowedToRetrieveManagedPassword attribute now contains the distinguishedName of the security group that we specified. Now I can add or remove computer accounts in the security group, instead of updating the gMSA account directly. Protect and audit the security group for membership changes to prevent unauthorized computers being allowed to use the gMSA.
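Because a gMSA can delegate its allowed-computer list to a group, reviewing who can actually retrieve each managed password means expanding those groups. The following inventory script is an added example, not code from the original post; it lists every gMSA in the domain, resolves PrincipalsAllowedToRetrieveManagedPassword down to computer accounts (recursively for groups) and flags accounts that still allow RC4 or have no principals at all. It assumes the ActiveDirectory module and read rights to the domain; the function name and output columns are my own.

```powershell
# Added example (not from the original post): inventory gMSAs and the computers allowed to use them.
Import-Module ActiveDirectory

function Get-GmsaInventory {
    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'KerberosEncryptionType',
             'ManagedPasswordIntervalInDays', 'ServicePrincipalNames', 'SamAccountName'

    # Only group managed accounts, not standalone MSAs
    Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' -Properties $props |
        ForEach-Object {
            $allowed = foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
                $obj = Get-ADObject -Identity $dn -Properties objectClass
                switch ($obj.ObjectClass) {
                    'computer' { $obj.Name + '$' }
                    'group'    {
                        # Expand nested membership so indirect access is visible too
                        Get-ADGroupMember -Identity $dn -Recursive |
                            Where-Object objectClass -eq 'computer' |
                            ForEach-Object { "$($_.Name)`$ (via $($obj.Name))" }
                    }
                    default    { "$($obj.Name) [$($obj.ObjectClass)]" }
                }
            }

            [pscustomobject]@{
                SamAccountName   = $_.SamAccountName
                AllowedComputers = ($allowed -join ', ')
                NoPrincipals     = (@($_.PrincipalsAllowedToRetrieveManagedPassword).Count -eq 0)
                # The enum renders as e.g. "RC4, AES128, AES256"; flag anything still offering RC4
                AllowsRC4        = ("$($_.KerberosEncryptionType)" -match 'RC4')
                PasswordInterval = $_.ManagedPasswordIntervalInDays
                SPNs             = ($_.ServicePrincipalNames -join ', ')
            }
        }
}

Get-GmsaInventory | Format-Table -AutoSize
```

Scheduling this and diffing the output against the previous run gives a simple change record for both direct principal edits and group membership changes.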


Update gMSA attributes

As indicated, some attributes can be updated after the gMSA is created. I will now update the first gMSA account by modifying the computers that can use the gMSA and also updating the KerberosEncryptionType value. I will also change the SamAccountName and add two ServicePrincipalNames (SPNs) to demonstrate how this is done, because some services like SQL require SPNs to be defined.

The update command will look as follows:

Set-ADServiceAccount gmsa-test01 -SamAccountName gmsa-newname -KerberosEncryptionType AES128 -PrincipalsAllowedToRetrieveManagedPassword S01SRV0003$ -ServicePrincipalNames @{Add="MSSQLSvc/ITFarm1.contoso.com:1433", "MSSQLSvc/ITFarm1.contoso.com:INST01"}

Take note that the format of the data provided for -ServicePrincipalNames is different when using Set-ADServiceAccount compared to New-ADServiceAccount.

Use a comma separated list with New-ADServiceAccount, for example: -ServicePrincipalNames value1, value2, value3, value4

Use the following syntax with the Set-ADServiceAccount command:

-ServicePrincipalNames @{Add=value1,value2,…}
-ServicePrincipalNames @{Remove=value3,value4,…}
-ServicePrincipalNames @{Replace=value1,value2,…}
-ServicePrincipalNames $null


When viewing the properties we should now see these new values assigned to the gMSA. Run the command again using the new SamAccountName value assigned to the gMSA and also include the ServicePrincipalNames property:

Get-ADServiceAccount gmsa-newname -Properties * | FL DNSHostName,KerberosEncryptionType,ManagedPasswordIntervalInDays,Name,PrincipalsAllowedToRetrieveManagedPassword,SamAccountName,ServicePrincipalNames


The attributes have been updated successfully except that the PrincipalsAllowedToRetrieveManagedPassword value now only contains a single server. The previous value, which contained two servers, was replaced, so instead of having three servers in the list we end up with the one server that we specified with the Set-ADServiceAccount command.

We can fix this by specifying the full list of servers:

Set-ADServiceAccount gmsa-newname$ -PrincipalsAllowedToRetrieveManagedPassword S01SRV0001$, S01SRV0002$, S01SRV0003$
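Since -PrincipalsAllowedToRetrieveManagedPassword always replaces the whole list, a wrapper that reads the current value, merges the additions and writes the union back avoids silently dropping servers as happened above. This helper is an added example, not code from the original post; the function name and parameter names are my own, and it assumes the ActiveDirectory module and rights to modify the gMSA.

```powershell
# Added example (not from the original post): add principals to a gMSA without losing the existing ones.
Import-Module ActiveDirectory

function Add-GmsaAllowedPrincipal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,   # e.g. gmsa-newname$
        [Parameter(Mandatory)] [string[]] $Principal   # computer sAMAccountNames (with $) or group names
    )

    $gmsa = Get-ADServiceAccount -Identity $Identity -Properties PrincipalsAllowedToRetrieveManagedPassword

    # Resolve the new names to distinguishedNames so they compare with the existing DN list;
    # fail before touching the account if any name does not exist (creation also fails on bad names)
    $newDns = foreach ($p in $Principal) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$p)" -Properties distinguishedName
        if (-not $obj) { throw "Principal '$p' not found; nothing was changed" }
        $obj.DistinguishedName
    }

    $current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    $merged  = @($current + $newDns | Sort-Object -Unique)

    if ($merged.Count -eq $current.Count) {
        Write-Verbose "All requested principals are already present on $Identity"
        return $current
    }

    # Write back the union; -WhatIf shows the change without applying it
    if ($PSCmdlet.ShouldProcess($Identity, "Set PrincipalsAllowedToRetrieveManagedPassword to $($merged.Count) principal(s)")) {
        Set-ADServiceAccount -Identity $Identity -PrincipalsAllowedToRetrieveManagedPassword $merged
    }
    return $merged
}

# Usage: keep S01SRV0001 and S01SRV0002 and add S01SRV0003
Add-GmsaAllowedPrincipal -Identity 'gmsa-newname$' -Principal 'S01SRV0003$' -Verbose
```

The same pattern applies when a group is used instead: the DN of the group is merged into the list and group membership is then managed separately.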



Cross-domain usage

I haven't found any detailed documents in regards to cross-domain usage of a gMSA account and have not been able to test in different scenarios.

I have however successfully deployed Azure ATP in my two-domain forest. I created the gMSA in the root domain and configured Azure ATP to use this account to connect to Active Directory. The Azure ATP service started successfully on the child domain Domain Controller. The child domain Domain Controller is using the root domain gMSA to read objects in the child domain. Read the post here.


Closing thoughts

Opting to use a gMSA instead of a normal service account wherever possible eliminates the need to manage the passwords for these accounts. You will no longer have service accounts with static passwords that are not changed on a regular basis.

The accounts cannot be used to log onto any servers and can only run services as intended. The PrincipalsAllowedToRetrieveManagedPassword attribute on the account will provide a clear indication of where the service account is intended to be used, no guesswork required. Now it will be an easy job to clean up unused accounts.

A gMSA can be used with Scheduled Tasks, so go ahead and run your maintenance tasks with a gMSA. The password will automatically change and there is no need to update the password on the individual tasks.

Azure AD Connect, On Demand Assessments, Azure Advanced Threat Protection (Azure ATP), SQL, IIS, System Center Operations Manager 2019 UR1 (SCOM 2019 UR1) and ADFS support Group Managed Service Accounts.


References

Group Managed Service Accounts Overview

Create the Key Distribution Services KDS Root Key

Getting Started with Group Managed Service Accounts

Set-ADServiceAccount

Source: https://azurecloudai.blog/2020/04/15/create-a-group-managed-service-account-gmsa/
