How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password

To SQL Server we have to change the user that "raises" the SQL Server service from the Windows default to someone with specific rights that belongs to the Active Directory Domain. In this article we will see how we can create one Group Managed Service which will allow us to control these accounts en masse and not have the need to use a password for each one.

The installation

The actions required on the Active Directory Domain Controller

To create the Security Group we connect to the server that has the Active Directory Controller, go to Active Directory Users and Computers, right click on domain, New, Group:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
01

We assign a name to the Group:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
02

Then we choose right click on the Group we made, Members, Add…, as object type we define Computers, as location the Domain, the names of the servers that the managed services will use and finally we choose Check Names:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
03

Next we need to make a key for the distribution service (KDS). We will be able to use this key after 10 hours. For the key to be created and to be effective immediately, run the following command at PowerShell:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

To see that it was created normally, run the following:

Get-KdsRootKey
AttributeOfWrongFormat :
KeyValue               : {197, 92, 95, 225...}
EffectiveTime          : 5/10/2021 4:03:28 πμ
CreationTime           : 5/10/2021 2:03:28 μμ
IsFormatValid          : True
DomainController       : CN=WS3,OU=Domain Controllers,DC=dataplatform,DC=local
ServerConfiguration    : Microsoft.KeyDistributionService.Cmdlets.KdsServerConfiguration
KeyId                  : beffa3be-d2e1-989b-d545-03706e73906e
VersionNumber          : 1

To create the Group Managed Service run the following command setting:

  • name: The name we want the managed service to have.
  • DNSHostName: The DNS hostname.
  • PrincipalsAllowedToRetrieveManagedPassword: The name of the Group we created.
New-ADServiceAccount -name sqlserverserv -DNSHostName ws3.dataplatform.local -PrincipalsAllowedToRetrieveManagedPassword DBA

Also so that we don't receive messages about his registration Service Principal Name (SPN) we should allow the service account to be able to register itself with the following command:

dsacls (Get-ADServiceAccount -Identity sqlserverserv ).DistinguishedName /G "SELF:RPWP;servicePrincipalName" 

The actions required on the SQL Servers servers

To begin with, we should connect to the SQL Servers and install the feature AD DS and AD LDS Tools. To do this we go to Server Manager and we choose Add roles and features:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
04

Then on the tab Features below the selection Remote Server Administration Tools and Role Administration Tools we will find to choose it AD DS and AD LDS Tools :

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password

After the installation is complete we run the following command in PowerShell specifying its name Managed Service which we made before:

Install-ADServiceAccount sqlserverserv 

To test if it works, run the following:

Test-ADServiceAccount sqlserverserv 
True

Now it is ready and we have to go to change it in the SQL Server service.

Let's go to SQL Server Configuration Manager , select SQL Server Service, right click on SQL Server, select the tab Log On, This account, Browse, as Object Type we define Service Account, as Location we define Entire Directory and put the name of the server Check Names:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
06

After restarting the service, we will see that it has received the new managed service successfully:

How do we create a Group Managed Service in Active Directory to pick up the SQL Server service without using a password
07

Sources:

Share it

Leave a reply