GMSA guide
A Group Managed Service Account (gMSA) is a managed domain account that securely runs services, applications, and scheduled jobs. This special type of Active Directory account provides automatic password management, the ability to delegate management to other administrators, and simplified service principal name (SPN) management.
The feature first appeared in Windows Server 2008 R2 and Windows 7; it provides the same functionality within the domain but extends it to multiple servers. If a gMSA is used as the service principal, the Windows operating system manages the account password itself and does not rely on an administrator to manage it.
Application
Group Managed Service Accounts let you use the same account on multiple servers at the same time, which is especially useful in clustered SQL Server configurations. After the gMSA is configured, password change and synchronization (every 30 days by default) is handled by Active Directory and performed automatically, without any involvement of the gMSA administrator and without restarting the SQL Server services.
Note that Failover Clustering itself does not support gMSA, but services running on top of the cluster service can use a gMSA or an sMSA (standalone Managed Service Account).
Creation
Before creating a gMSA, there are a few prerequisites to know and complete.
- Group Managed Service Accounts can only be configured on hosts running Windows Server 2012 or later, because gMSA passwords can only be distributed by domain controllers running Windows Server 2012 or later.
- To create a gMSA, you must be a domain administrator or use an account that has the "Create msDS-GroupManagedServiceAccount objects" permission.
- You should also download the CredentialSpec PowerShell module; you can save the module on a computer with Internet access and copy it to your development computer.
Once these conditions are met, you can create a GMSA.
When you create a gMSA, you create a shared identity that can be used simultaneously on different machines. As stated above, Active Directory controls access to the gMSA password, so it is recommended that you create a dedicated security group for each gMSA. You then add the associated container hosts to this security group, which restricts password retrieval to exactly those hosts.
In addition, you need to manually specify one or more hostnames (SPNs) for the gMSA, because the container does not register SPNs automatically. Normally the host is registered under the same name as the gMSA, but if the DNS name differs from the gMSA name, or clients reach the container application through a load balancer, you may need to use a different service name.
Once the gMSA name is determined, start PowerShell and create the security group and the gMSA.
Use the following commands:
- Install-WindowsFeature RSAT-AD-PowerShell. This command installs the Active Directory PowerShell module on Windows Server.
- Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'. This command installs the Active Directory module on Windows 10, version 1809 or later.
- New-ADGroup -Name "WebApp02 Authorized Hosts" -SamAccountName "WebApp02Hosts" -GroupScope DomainLocal. This command creates the security group.
- New-ADServiceAccount -Name "WebApp02" -DnsHostName "WebApp02.contoso.com" -ServicePrincipalNames "host/WebApp02", "host/WebApp02.contoso.com" -PrincipalsAllowedToRetrieveManagedPassword "WebApp02Hosts". This command creates the gMSA.
- Add-ADGroupMember -Identity "WebApp02Hosts" -Members "ContainerHost01$", "ContainerHost02$", "ContainerHost03$". This command adds the container hosts' computer accounts to the security group.
Note: WebApp02 and contoso.com stand for your gMSA name and your domain name respectively.
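The following script ties the steps above together and adds the checks a practitioner would run afterwards. It is an added example, not code from the original page or from Microsoft; it reuses the page's sample names (WebApp02, contoso.com, ContainerHost01 to ContainerHost03) and assumes it is run from a domain-joined workstation where the ActiveDirectory module is already installed. The KDS root key check at the start is a prerequisite the page does not list: gMSA passwords are derived from that key, and New-ADServiceAccount fails without one. The password interval of 30 days is the default the page mentions and can only be set at creation time.

```powershell
# Added example: end-to-end gMSA provisioning with a least-privilege retrieval group.
# WebApp02, contoso.com and ContainerHost01-03 are the page's sample values; replace them.
Import-Module ActiveDirectory

$GmsaName  = 'WebApp02'
$Domain    = 'contoso.com'
$GroupName = "${GmsaName}Hosts"
$HostNames = 'ContainerHost01', 'ContainerHost02', 'ContainerHost03'

# 1. A KDS root key must exist in the forest before any gMSA can be created
#    (prerequisite not listed on the page). Get-KdsRootKey returns nothing if there is none.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key found. An enterprise admin must create one with Add-KdsRootKey and allow it to replicate."
}

# 2. One dedicated retrieval group per gMSA: only its members can fetch the password.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name "$GmsaName Authorized Hosts" -SamAccountName $GroupName -GroupScope DomainLocal
}

# 3. Add the computer accounts (SamAccountName ends with '$') of the hosts that will run the service.
$Members = $HostNames | ForEach-Object { "$_`$" }
Add-ADGroupMember -Identity $GroupName -Members $Members

# 4. Create the gMSA with explicit SPNs, the retrieval group, and the 30-day rotation the page describes.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -ServicePrincipalNames "host/$GmsaName", "host/$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -ManagedPasswordIntervalInDays 30

# 5. Verify the result: the only principal allowed to retrieve the password should be the host group.
#    Any extra entry here is an audit finding, because every member of it can read the password.
$Account = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
$Account.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { (Get-ADObject -Identity $_).Name }
$Account.ServicePrincipalNames

# 6. On each container host, after a reboot so its new group membership takes effect:
#    Install-ADServiceAccount -Identity WebApp02
#    Test-ADServiceAccount -Identity WebApp02    # True when this host can retrieve the password
```

Step 5 is the part worth keeping in a periodic review: a gMSA whose PrincipalsAllowedToRetrieveManagedPassword list has grown beyond the intended host group has effectively had its password shared with those extra principals.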
Protect your virtual data
DiskInternals VMFS Recovery™ is the most famous professional VMFS recovery tool, and it can get your VMDK files back.
Here are the key features and capabilities that differentiate VMFS Recovery™ from other similar software:
- Supports virtual machine disk images, including VMware, VirtualBox and Virtual PC formats.
- Supports vSphere 6 and ESX/ESXi Server.
- Works with Windows 7 and higher. However, Windows 10 is recommended, because before it starts recovering deleted VMDK files VMFS Recovery™ rebuilds the VMFS structure in RAM, which requires at least 6 GB.
- The software itself is 65 MB, but you must have enough free space on your hard drive for the recovered data.
- The Recovery Wizard helps you recover data from any disk automatically and quickly.
- Recovered files can be exported to local or remote locations, and any virtual disk can be converted to a local disk for access.
- The application supports Unicode file names and multi-level folders.
Check out these instructions for using DiskInternals VMFS Recovery:
1. Download the app from the DiskInternals website for Windows Vista, 7, 8 and 10 or Windows Server 2006-2019.
2. After launching the application, connect via SSH if necessary, then open the drive and start scanning.
3. VMFS Recovery will then mount all VMDK files.
4. Then check the recovered files for integrity.
If everything suits you, it's time to buy a license for full use of DiskInternals VMFS Recovery, and then export all found files, or only specific ones, at your discretion.