Microsoft Azure AZ-800 — Section 5: Create and manage AD DS security principals Part 4

43. Implement group managed service accounts (gMSAs)

I want to talk about a feature known as group managed service accounts, also known as gMSAs. All right.

Now, services are something we've had in Windows since the very early days. Services are the behind-the-scenes system processes that let Windows do the different activities it needs to do. We can look at services by right-clicking the Start button, going into Computer Management, expanding Services and Applications and clicking Services. Another way of getting there is to open Server Manager, go to Tools and pick Services.

So there are various ways to get in there. Of course, in PowerShell you can run Get-Service. But here are all my different services. Now, a service has to run under the authority of some kind of account. Traditionally, if you look at the services you've got running, they're usually running under a built-in system account. For example, if I double-click the DNS Server service here and go to the Log On tab, I can see it's just using the Local System account.

Now here's where we run into a problem. Imagine you're running SQL Server. Maybe you've got a group of SQL Servers that are replicating databases to each other, or you're running a group of web servers that are talking to each other. Those SQL Servers or web servers, or whatever they are, need to be able to communicate under the authority of a single account.

In the early days, what we ended up doing was creating an ordinary user account and associating it with the servers. The problem with that is that you end up with a static password.

So I'd create an account, and I'd link the services on each server to that account. Let's just pretend this account here was our service account. We'd set the password on it. The problem is that the account's password would periodically have to change.

So you'd set it not to expire, and then you'd end up with an account whose password never changed. Then you run into this problem: what about disgruntled admins? Let's say we create a SQL account, a single user account that has admin rights over SQL Server, and it's got a certain password. Then we have a disgruntled admin who gets fired and leaves the company. That person's own account gets deactivated, but that admin still knows the SQL service account's password, and because it never changes, it still works.

So how do we make it so Active Directory handles the password resets itself, so that no person ever knows the password for the account the SQL Servers or web servers run under? That's what the group managed service account is all about. It's an account you create whose password is generated and managed by Active Directory. AD resets it periodically (every 30 days by default, and the interval can only be set when the account is created), and all of your SQL Servers or web servers, or whatever you use the service account for, retrieve the current password from AD themselves. Nobody ever types the password, so there's nothing for a departing admin to take with them. The thing to watch is who you authorize to retrieve the password, because any principal on that list can pull it; keep the list to the computers that actually run the service.

OK, so how do we go about doing that? Well, first off, I'll tell you this: you can't do it graphically. You've got to use PowerShell.

So I want to show you now how we can jump in and create a group managed service account. I'm going to right-click Start and open PowerShell. The first thing we have to do is create what's known as a KDS root key. KDS stands for Key Distribution Service, and it has to do with Kerberos. The domain controllers need this root key so they can derive the gMSA's password from it, and so they can hand that password over to the computers we delegate the right to use the account. So, in order to do that, we've got to run this command.

Now there's a catch to this. The command is Add-KdsRootKey. But the problem is, if you just create a root key, you've got to wait 10 hours for that root key to take effect. Microsoft's logic here was that in big environments it can take hours and hours for replication to occur across the world, and in the real world you would want to wait the 10 hours. There is a parameter called -EffectiveImmediately, but it's a bit misleading: the key's effective time is set to now, but the domain controllers still won't use it until those 10 hours have passed. It's fine for a single-DC lab, but what we want is a key that has replicated and is usable everywhere.

So there's a trick we can pull. We can say -EffectiveTime and then, in parentheses, (Get-Date).AddHours(-10). That back-dates the key's effective time by 10 hours, so the domain controller treats the 10-hour window as already elapsed. It's OK to do that in a lab environment; you wouldn't want to do it in the real world. In production you'd let the key replicate across your forest before proceeding with the next step, because a DC that hasn't received the key yet can't serve the gMSA's password. I don't want to wait that long in the lab.

OK, so that’s the reason why we’re doing that. All right.

So we've skipped the 10-hour wait and we're now ready to create the service account. To create the group managed service account, we run New-ADServiceAccount and give it a name.

So the name is going to be, I'm just going to call it TestGMSA. All right.

So, test group managed service account. Then -DNSHostName: we've got to give it a DNS host name, because it's going to be known by a host name in Active Directory and in DNS.

So we'll call it TestGMSA.examlabpractice.com, because that's my domain name. All right. And then you've got this massively long parameter, -PrincipalsAllowedToRetrieveManagedPassword. Be careful here: New-ADServiceAccount also has a parameter called -PrincipalsAllowedToDelegateToAccount, which is about Kerberos delegation and is not the one that lets a computer use the account.

Here you specify the group that all of this is going to be linked to. In the real world, what I'd advise is this: let's say you had four SQL Servers that are going to use this service account. You'd create a group, call it SQL Servers or whatever, and you'd put all four SQL Servers in that group. That's the group you designate here, and any computer in that group would then have the right to retrieve the password and use this account for its services.

OK, in my case, I'm just going to use Domain Computers. I'm going to allow all computers in the entire domain to use this account. You wouldn't do that in the real world, because every machine in the domain could then pull the service account's password, but I'm going to do it for this example.

OK, so just like that, we've now officially created our group managed service account.
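Here is the domain-side procedure from the steps above as one script. This is an added example, not the course's own commands, and it uses the production-shaped version rather than my Domain Computers shortcut. Assumed names: a host group SQL-gMSA-Hosts in OU=Servers,DC=examlabpractice,DC=com, member servers SQL01 through SQL04, and the account TestGMSA; run it on a domain controller as a Domain Admin.

```powershell
# Added example (not the course's own script). Domain side, run on a DC as a
# Domain Admin. Assumed names: group SQL-gMSA-Hosts, computers SQL01..SQL04,
# account TestGMSA, domain examlabpractice.com, OU "OU=Servers,DC=examlabpractice,DC=com".
Import-Module ActiveDirectory

# 1. KDS root key. Only one is needed per forest, so create it only if none exists.
if (-not (Get-KdsRootKey)) {
    # Production form: DCs will not use the key until 10 hours after EffectiveTime,
    # which gives replication time to finish.
    # Add-KdsRootKey -EffectiveImmediately

    # Lab-only form: back-date EffectiveTime so the 10-hour window is already over.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# 2. A tight group of just the hosts that may retrieve the password.
$groupName = 'SQL-gMSA-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path 'OU=Servers,DC=examlabpractice,DC=com' `
        -Description 'Computers allowed to retrieve the TestGMSA password'
}
foreach ($hostName in 'SQL01', 'SQL02', 'SQL03', 'SQL04') {
    $computer = Get-ADComputer -Filter "Name -eq '$hostName'"
    if ($computer) { Add-ADGroupMember -Identity $groupName -Members $computer }
    else { Write-Warning "$hostName not found in AD; skipping" }
}

# 3. The gMSA itself. Note the parameter name: ...RetrieveManagedPassword grants
#    the hosts the right to use the account; ...DelegateToAccount is a different
#    (Kerberos delegation) setting. ManagedPasswordIntervalInDays cannot be changed
#    after creation, and restricting the encryption types keeps RC4 off the account.
New-ADServiceAccount -Name 'TestGMSA' `
    -DNSHostName 'TestGMSA.examlabpractice.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType 'AES128,AES256' `
    -Description 'gMSA for the SQL Server service'

# 4. Verify who can pull the password and how often it rotates.
$props = @('DNSHostName', 'PrincipalsAllowedToRetrieveManagedPassword',
           'ManagedPasswordIntervalInDays', 'KerberosEncryptionType')
Get-ADServiceAccount -Identity 'TestGMSA' -Properties $props |
    Format-List -Property (@('Name') + $props)
```

The step 4 output is the thing to review before handing the account to anyone: the principals list should contain only the host group, never Domain Computers or Authenticated Users, because every member of that list can read the password.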

Now, if you're doing this on a domain controller like I am right now, I don't really have to do this very next step I'm about to show you. (Strictly speaking, domain controllers are members of the Domain Controllers group rather than Domain Computers, so if you wanted the DC itself to use a gMSA you'd add Domain Controllers, or the DC's own computer object, to the principals list.) But let's pretend for a moment that we're sitting in front of a SQL Server or an IIS server, or whatever you're going to do this on. We'll say SQL Server. The SQL Server is obviously not a domain controller; it's just a member server of the domain.

So on that server you need to take this next step.

OK, on a member server you wouldn't have the Active Directory PowerShell cmdlets needed for this next step.

So what you'd need to do is run Add-WindowsFeature (Install-WindowsFeature is the newer name for the same cmdlet) with the feature name RSAT-AD-PowerShell.

That's the Remote Server Administration Tools; it adds the RSAT component that includes the Active Directory PowerShell module.

So you'd install that first by hitting Enter, then you'd type Import-Module ActiveDirectory to load the Active Directory cmdlets you're going to need. There's really only one command you need to run on that server.

So after you've done that, the final thing you'd type is Install-ADServiceAccount -Identity TestGMSA. A good check afterwards is Test-ADServiceAccount -Identity TestGMSA, which returns True if this server can retrieve the account's password and False if it can't. False usually means the computer isn't in the group you specified (a computer only picks up new group membership when it gets a fresh Kerberos ticket, so reboot it after adding it to the group), or the KDS root key isn't effective yet.

Now I don't need to run this command because I'm on a domain controller, and the account is already usable here. But that's what you'd do on that SQL Server, which obviously is not a domain controller.

OK. After that, we're good to go. Here's what I'm going to do: right-click Start, go to Computer Management, and find the service that needs to use this account, let's say it was a SQL Server service. I'm going to pretend the DNS Server service is a SQL Server service, even though it's not. Double-click it, go to Log On, select This account, click Browse and specify TestGMSA. As you can see, it puts a dollar sign on the end of the name (TestGMSA$), because a gMSA is a computer-style account. The last thing you've got to do is leave the password fields blank, and that's it. Hit OK, and it pops up a message telling you the account has been granted the Log On As A Service right. We don't get to know what the password is; that's why you leave it blank. Active Directory sets the password, and from that point on Active Directory will reset it periodically and the servers that use the account will pick up the new password on their own. And that is how you use a group managed service account.
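And here is the member-server side of the same procedure, the RSAT install, Install-ADServiceAccount, the Test-ADServiceAccount check, and the Log On tab change done from the command line instead of Computer Management. This is an added example, not the course's own commands. It assumes the server has already been added to the SQL-gMSA-Hosts group and rebooted, that the NetBIOS domain name is EXAMLABPRACTICE, and that the service being switched over is MSSQLSERVER; change those to match your environment.

```powershell
# Added example (not the course's own script). Host side, run in an elevated
# PowerShell on the member server (e.g. SQL01) after it has been added to the
# PrincipalsAllowedToRetrieveManagedPassword group and rebooted.
# Assumptions: NetBIOS domain EXAMLABPRACTICE, gMSA TestGMSA, service MSSQLSERVER.
$gmsa    = 'TestGMSA'
$domain  = 'EXAMLABPRACTICE'
$service = 'MSSQLSERVER'

# 1. Get the AD cmdlets onto the member server (already present on a DC).
if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
    Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
}
Import-Module ActiveDirectory

# 2. Register the gMSA on this host and prove the host can actually retrieve
#    its password before touching any service.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw ("This computer cannot retrieve the $gmsa password. Check that it is a " +
           "member of the PrincipalsAllowedToRetrieveManagedPassword group (reboot " +
           "after adding it) and that the KDS root key is already effective.")
}

# 3. Point the service at the gMSA. This is the command-line form of the Log On
#    tab: the logon name ends in '$' and the password is left empty, because the
#    LSA fetches the current password from AD itself.
$logonName = "$domain\$gmsa`$"
sc.exe config $service obj= $logonName password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 4. Restart and confirm the service is now running as the gMSA.
Restart-Service -Name $service -Force
Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'" |
    Select-Object Name, State, StartName
```

If step 2 throws, stop there: a service configured with an account the host cannot retrieve the password for will simply fail to start, and the error in the Service Control Manager log is much less informative than Test-ADServiceAccount's False.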