Prepare AD

The first thing to do is add a KDS root key by running this cmdlet on a domain controller:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Backdating the effective time by 10 hours makes the key usable right away instead of after the default 10-hour delay. That delay exists so the key can replicate to every DC before it is used; on a production domain with several DCs, create the key without -EffectiveTime (or confirm replication has completed) before creating the gMSA.

Security Group

Create a new global security group. This group will contain all servers that will use the gMSA. After adding the servers, they require a reboot so that their machine tokens pick up the group membership. The group will be given the permission that lets its members retrieve the gMSA password, so anyone who can add members to this group can effectively obtain the password: treat its membership as privileged.

e.g. create group nl.mgt.SQL2017DE.gs in OU batenict.corp/DTB Desktop/Groups/Security Groups/

gMSA

Now we can create the gMSA:

New-ADServiceAccount -Name nl.SQL2017DE -DNSHostName nl.SQL2017DE.batenict.corp -PrincipalsAllowedToRetrieveManagedPassword nl.mgt.SQL2017DE.gs

After creating the gMSA, add some permissions: add a new SELF permission that grants Read msDS-PrincipalName and Write msDS-PrincipalName.

Service Dependencies

To prevent auto-start issues, add the following services to the existing Dep
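The three AD steps above (KDS root key, security group, gMSA plus SELF permission) as one script, followed by the checks a practitioner would run before trusting the account. This is an added example, not code from the original post. It assumes the member server is named SQL2017DE, that the OU path batenict.corp/DTB Desktop/Groups/Security Groups/ maps to the distinguished name used below, and that it runs on a DC (or a machine with RSAT) as a domain admin; all of these are assumptions, not facts from the post.

```powershell
# Added example (not from the original post): end-to-end gMSA provisioning for SQL Server 2017.
# Assumed values: server name SQL2017DE and the DN for the group OU; adjust to your domain.
Import-Module ActiveDirectory

$GroupName  = 'nl.mgt.SQL2017DE.gs'
$GroupOU    = 'OU=Security Groups,OU=Groups,OU=DTB Desktop,DC=batenict,DC=corp'  # assumed DN
$GmsaName   = 'nl.SQL2017DE'
$GmsaDns    = 'nl.SQL2017DE.batenict.corp'
$ServerName = 'SQL2017DE'   # hypothetical member server that will run SQL Server

# 1. KDS root key. Create one only if the domain has none. The -10h backdate is a
#    single-DC/lab shortcut; in production omit -EffectiveTime and wait for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
# Confirm every root key is usable from this DC before creating the gMSA.
Get-KdsRootKey | ForEach-Object { Test-KdsRootKey -KeyId $_.KeyId }

# 2. Global security group whose members may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $ServerName)
# The server must reboot before its token contains this group; until then retrieval fails.

# 3. The gMSA itself, with the group as the only principal allowed to read the password.
New-ADServiceAccount -Name $GmsaName -DNSHostName $GmsaDns `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName

# 4. SELF ACE granting Read/Write on the attribute named in the post, done with
#    Set-Acl on the AD: drive instead of the GUI. The attribute's schemaIDGUID is
#    looked up so the ACE is property-specific rather than "all properties".
$gmsa     = Get-ADServiceAccount $GmsaName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'msDS-PrincipalName'" -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID
$self     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$ace      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($self, $rights, $allow, $attrGuid)
$acl      = Get-Acl -Path "AD:\$($gmsa.DistinguishedName)"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($gmsa.DistinguishedName)" -AclObject $acl

# 5. Verify who can pull the password. This list, together with the group's
#    membership, is the real trust boundary of the account: review it periodically.
Get-ADServiceAccount $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# --- On the member server, after the reboot (requires the RSAT-AD-PowerShell feature) ---
# Install-ADServiceAccount -Identity 'nl.SQL2017DE'
# Test-ADServiceAccount -Identity 'nl.SQL2017DE'   # returns True once the password can be retrieved
```

Test-ADServiceAccount returning False on the server is the quickest sign of one of the two common mistakes in this procedure: the server has not been rebooted since joining the group, or the KDS root key has not yet replicated to the DC the server is talking to.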