
Windows Server 2008 R2 AD Domain Services -- Managed Service Accounts

By Marcin Policht
Posted Dec 12, 2010



One of the more common administrative challenges in Windows environments involves configuring user-based credentials that provide an arbitrary security context to non-core services. Active Directory schema extensions incorporated into Windows Server 2008 R2 introduced a new feature known as managed service accounts, which eliminates a number of drawbacks associated with such configurations.


One of the more common administrative challenges in Windows environments involves configuring user-based credentials that provide an arbitrary security context to non-core services (instead of leveraging the built-in LocalSystem, LocalService, or NetworkService accounts). The complexity of such a configuration stems from the fact that changing the passwords of these accounts requires manual updates to the Service Control Manager (SCM) database on each computer where they are in use. In fact, there are scenarios where considerably more elaborate steps are needed, as documented in Microsoft Knowledge Base articles 934838 and 283811. More importantly, the manual nature of this process introduces the potential for mistakes and oversights, leading to account lockouts and subsequent outages -- typically after service-dependent applications fail to start following a reboot. The same outcome is sometimes caused by typographical errors when service account credentials are misused for interactive logons. Last but not least, to avoid the administrative overhead associated with password changes, such accounts are frequently configured with non-expiring passwords, introducing a security vulnerability that is further aggravated by their elevated privileges.

Active Directory schema extensions incorporated into Windows Server 2008 R2 introduced a new feature known as managed service accounts (MSAs), which allow you to eliminate these issues. While their most widely recognized benefit is automatic password management, they are also capable of self-correcting the Service Principal Name (SPN) attribute in case of sAMAccountName or DNS name changes. Since they are associated with computer (rather than user) accounts, they cannot be used for interactive logons, and they are not subject to account lockouts. They can, however, be disabled.

On the other hand, it is also important to point out some of their limitations. In particular, they are applicable only to services running on Windows 7 or Windows Server 2008 R2. Because of their dependency on the host computer account, they are restricted to an individual OS instance, making them unsuitable for highly available applications operating on failover clusters or Network Load Balancing farms. It is, however, possible to have multiple MSAs associated with the same computer. In addition, this technology's viability must be evaluated in the context of individual applications, so make sure to consult the respective vendors regarding its supportability.
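The workflow the article describes (find the risky user-based service accounts, then replace one with a host-bound MSA) as an added PowerShell example that is not part of the original article or of Microsoft's documentation. It assumes the ActiveDirectory module's service-account cmdlets on a Windows Server 2008 R2 domain, and the domain CONTOSO, host APPSRV01, service AppSvc and account svc_app1 are made-up names.

```powershell
# Added example: audit legacy service accounts and provision an MSA (Server 2008 R2).
# Assumed names: domain CONTOSO, host APPSRV01, service 'AppSvc', MSA 'svc_app1'.
Import-Module ActiveDirectory

# 1. Domain side: list the accounts the article warns about - enabled user accounts
#    with non-expiring passwords that also carry an SPN, i.e. are used by services.
function Get-LegacyServiceAccount {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordLastSet, ServicePrincipalNames |
        Where-Object { $_.ServicePrincipalNames.Count -gt 0 } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalNames -join ';' } }
}

# 2. Domain side: create the MSA and bind it to the single host allowed to use it
#    (the one-computer restriction is why MSAs do not fit clusters or NLB farms).
#    On Server 2012 and later add -RestrictToSingleComputer to New-ADServiceAccount.
function New-HostBoundMsa {
    param([string]$Name, [string]$ComputerName)
    New-ADServiceAccount -Name $Name -Enabled $true
    Add-ADComputerServiceAccount -Computer $ComputerName -ServiceAccount $Name
}

# 3. Host side (run on APPSRV01 itself): install the MSA into the local machine,
#    which lets the computer retrieve and rotate the password on its own, then point
#    the service at it. The logon name carries a trailing '$' and the password is
#    empty; the SCM obtains the real credential from the machine account.
#    The MSA still needs the 'Log on as a service' right on this host.
function Install-MsaForService {
    param([string]$Name, [string]$ServiceName, [string]$Domain)
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "MSA $Name is not usable on this host"
    }
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    # Win32_Service.Change: only StartName (7th) and StartPassword (8th) are set here.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, "$Domain\$Name`$", '')
    if ($result.ReturnValue -ne 0) {
        throw "Reconfiguring $ServiceName failed with code $($result.ReturnValue)"
    }
}

Get-LegacyServiceAccount | Format-Table -AutoSize
New-HostBoundMsa -Name 'svc_app1' -ComputerName 'APPSRV01'
# Then, on APPSRV01:
# Install-MsaForService -Name 'svc_app1' -ServiceName 'AppSvc' -Domain 'CONTOSO'
```

Step 2 needs permission to create objects in the domain's Managed Service Accounts container, and step 3 must run locally on the bound host, since Install-ADServiceAccount writes the secret into that machine's LSA store.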

Page 1 of 2

