Using Group Managed Service Accounts with SQL Server

Standalone Managed Service Accounts, introduced long ago with Windows Server 2008 R2, were a ray of hope for database administrators. They promised automatic password management and simplified SPN management, meaning that the time-consuming task of maintaining passwords would be a thing of the past (not to mention the downtime it required).

It also meant that we could finally forget another scenario: the single domain service account, used for all of our SQL Servers, holding very high privileges not only within AD but across numerous Windows Servers, whose password has not been changed since it was created. The problem with standard Managed Service Accounts is that they can only be used in a one-to-one ratio: a single account can be used on only one host / computer.

With Windows Server 2012 the Group Managed Service Accounts were introduced. They provide the same functionality within the domain, but can also be used across multiple servers.

They can be used for standalone and clustered installations of SQL Server. AlwaysOn Availability Groups are also an option, although they require additional configuration. It is as simple as it sounds: once configured, Active Directory takes care of the password change every 30 days (default) without the need for administrator intervention or a SQL Server service restart.

The passwords for gMSAs (Group Managed Service Accounts) are generated and maintained by the Key Distribution Service (KDS, kdssvc.dll) on the Active Directory domain controllers. This allows multiple Windows Servers to use the same gMSA account; usage is, of course, restricted, and only the computer objects assigned can query the password.

Group Managed Service Accounts can only be configured and administered on hosts running Windows Server 2012 and are not applicable to Windows operating systems prior to Windows Server 2012. The other requirements are as follows:

  • The AD forest functional level should be updated to Windows Server 2012 (you can still have DCs running Windows Server 2008/R2);
  • You need to create a Key Distribution Service root key and wait 10 hours for it to be replicated to all domain controllers;
  • You can only use Group Managed Service Accounts on Windows Server 2012 hosts;
  • The full list of requirements can be seen here – Getting Started with Group Managed Service Accounts.

Let us configure and set up the usage of Group Managed Service Accounts. Note that some, if not most, of the actions require elevated permissions within the Active Directory domain.

  1. Create the KDS root key

    If not already created, a KDS root key is required. We can add it using the PowerShell cmdlet “Add-KdsRootKey”. Once the key is created we must wait 10 hours for it to be fully synchronized between all AD domain controllers. In a test environment we can set it to be effective immediately using the “-EffectiveImmediately” parameter; the command below does the same by backdating the effective time by 10 hours:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

  2. Configure the AD

    We will create a new AD group that will contain all of our SQL Servers that will be using the Group Managed Service Account. Although an account can be linked directly with multiple hosts, it is much easier to administer using an AD container.

    Once the group, in our scenario “ProductionSQLServers”, is created, we need to add the computer objects of the servers where we will use the gMSA account.

    The computer object “MIA-SQL” is now a member of the newly created group. Note that a reboot of the hosts is required once we move them into the new group.

  3. Creating the Group Managed Service Account

    The creation of the account requires the AD PowerShell cmdlets to be available; it can be done on a DC or on another server.

    You will also need the AD PowerShell cmdlets later in order to install and validate the account on the hosts. For more information check “How to add the AD PowerShell cmdlets” at the end of the article.

    New-ADServiceAccount -Name PrdSQLgMSAsvc -DNSHostName PrdSQLgMSAsvc.adventureworks.msft -PrincipalsAllowedToRetrieveManagedPassword "ProductionSQLServers"

    The Group Managed Service Account is now created. Using the parameter “-PrincipalsAllowedToRetrieveManagedPassword” we have granted the right to query the account password to the security group “ProductionSQLServers” that we created in the previous step.

    The account will now also be visible under “Managed Service Accounts” within the AD Administrative Center.

  4. Configure the gMSA on the target hosts

    Although the following can be considered optional, it is rather important to confirm that all prerequisites are met and the gMSA is working correctly.

    The “Install-ADServiceAccount” cmdlet also makes the required changes locally so that the service account password can be periodically reset by the computer without requiring additional actions by the administrator.

    To configure and validate the gMSA account we will use the following PowerShell commands on the target host:

    Install-ADServiceAccount PrdSQLgMSAsvc
    Test-ADServiceAccount PrdSQLgMSAsvc

    The expected result is “True”, meaning the Group Managed Service Account is now configured and ready for use.

    We can use the account for new installations of SQL Server or for already existing instances.

    When installing a new SQL Server through the Setup Wizard, using a Group Managed Service Account requires only specifying the account, in our scenario “ADVENTUREWORKS\PrdSQLgMSAsvc$”. The wizard will not prompt you for a password when using a gMSA account, as it checks the account type within the AD directory. If you forget to add the “$” to the account name, it will be automatically added for you.

    In order to change the service account for an existing SQL Server, locate the service within the SQL Server Configuration Manager and go into its Properties.

    Under the Log On section choose “Browse” in order to change the account. In a similar fashion to the setup wizard, we can choose the “ADVENTUREWORKS\PrdSQLgMSAsvc$” account. Once we have specified the gMSA account the password fields are blank and available for editing; do not enter a password, it will be obtained automatically from AD.

    Start the service if you have stopped it, or restart it; the SQL Server is now configured to run under a Group Managed Service Account.

    If we are installing SQL Server from the command line we can skip the password parameter and only provide information about the account:
    SQLSVCACCOUNT="ADVENTUREWORKS\PrdSQLgMSAsvc$"

    Next I’ll show how to add the AD PowerShell cmdlets:

    First, within the Server Manager console open the “Add Roles and Features Wizard” and locate “AD DS Snap-Ins and Command-Line Tools”, “AD LDS Snap-Ins and Command-Line Tools” and “Active Directory module for Windows PowerShell”. The feature installation does not require a restart.

    Then import the PowerShell module as follows:

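The four steps above, as one added end-to-end script that is not part of the original article. It assumes the names the article uses (group ProductionSQLServers, host MIA-SQL, account PrdSQLgMSAsvc, domain adventureworks.msft), the Active Directory module for Windows PowerShell, and WinRM access to the SQL Server hosts for the final validation step; before trusting the account it also checks that the retrieval permission points at exactly that group.

```powershell
# Added example, not from the original article. Names below are the article's scenario;
# adjust them for your domain. Requires the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory

$GroupName   = 'ProductionSQLServers'
$HostNames   = @('MIA-SQL')          # computer objects allowed to retrieve the password
$AccountName = 'PrdSQLgMSAsvc'
$DnsHostName = "$AccountName.adventureworks.msft"

# 1. KDS root key: create one only if the forest has none yet. In production omit
#    -EffectiveTime and wait the 10 hours for replication; the backdate is for labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Security group that scopes which hosts may read the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
foreach ($h in $HostNames) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $h)
}
# The member hosts must be rebooted before step 4 so their logon token picks up the group.

# 3. The gMSA itself; only members of the group can retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# Verify the retrieval permission names our group and nothing else (least privilege check).
$acct       = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
$groupDn    = (Get-ADGroup -Identity $GroupName).DistinguishedName
$principals = @($acct.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })
if (Compare-Object -ReferenceObject @($groupDn) -DifferenceObject $principals) {
    throw "Unexpected principals may read the gMSA password: $($principals -join ', ')"
}

# 4. On each (rebooted) SQL Server host: cache the account locally and confirm it works.
#    Assumes WinRM is enabled and the AD module is installed on the hosts.
Invoke-Command -ComputerName $HostNames -ArgumentList $AccountName -ScriptBlock {
    param($Name)
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "gMSA $Name is not usable on $env:COMPUTERNAME"
    }
    "gMSA $Name validated on $env:COMPUTERNAME"
}

# Unattended SQL Server setup then needs only the account and no password, e.g.
#   setup.exe /Q /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSSQLSERVER `
#     /SQLSVCACCOUNT="ADVENTUREWORKS\PrdSQLgMSAsvc$" /SQLSYSADMINACCOUNTS="ADVENTUREWORKS\SQLAdmins" ...
```

Run the script from a domain-joined management host with AD rights; step 4 fails loudly on any host that was not rebooted after joining the group, which is the most common reason Test-ADServiceAccount returns False.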

Translated from: https://www.sqlshack.com/using-group-managed-service-accounts-with-sql-server/