How to create a Group Managed Service Account for a service
=================================================
Quick steps to create a Group Managed Service Account in Windows Server 2012 R2. This is useful if your company follows a security policy where every month or so you need to reset the password for the service account, and the change causes the service to fail. With group managed service accounts there are no user accounts or passwords to manage: Microsoft uses rolling keys, so every time a service restarts it pulls a new key from the domain controller.
When you add the gMSA service account to your service under the Log On tab, make sure it is in this format: mylab\vc_svc$. Do not use mylab.local\vc_svc$, and leave the password blank.
Configuring it is pretty straightforward: you create a group in AD and add the computers that should use the service account to the group. Then you run a PowerShell command to create the service account and point it back to the group of computers that can access it.
DC side (dc.mylab.local)
========
1. Create a group in AD called vcServerGroup, add vcenter55.mylab.local computer to the group or any other computer that will be using the service account that we will create below.
2. Run the following on a 2012 domain controller to create the rolling key; it gets replicated to all the DCs after a while. Microsoft recommends waiting 10 hours: -EffectiveImmediately actually means "wait 10 hours", weird I know.
Add-KDSRootKey -EffectiveImmediately
If you don't want to wait 10 hours there is one command you can run instead of the above, but MS suggests running this only in a test environment.
https://technet.microsoft.com/en-us/library/jj128430.aspx
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
3. The following command creates a service account vc_svc in the "Managed Service Accounts" container. Do not create a user account with this name, as a gMSA does not use regular users. The -DNSHostName option points it back to the DC that has the rolling key; all of your DCs will have a rolling key once step 2 gets replicated.
New-ADServiceAccount -Name vc_svc -DNSHostName dc.mylab.local -PrincipalsAllowedToRetrieveManagedPassword "vcServerGroup"
4. Now you should see the account in Active Directory Users & Computers > Managed Service Accounts.
On the Client side (vcenter55.mylab.local)
===================================
1. To run the commands listed below you must have the following module installed and be running Windows Server 2012 or a Windows 8 machine:
Add Features > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows powershell
2. Reboot the vcenter55 server so it knows it is in the security group, or you will get the following error, which is very misleading: "install-adserviceAccount : Cannot install service account. Error Message: '{Access Denied}'"
3. After the reboot of vcenter55.mylab.local, run PowerShell as administrator:
import-module activedirectory
install-adserviceAccount vc_svc
test-adserviceaccount vc_svc
It will display True; if it fails you will get a long PowerShell error message.
4. Now configure the service account: in services.msc, right-click the service, open Properties > "Log On", select "This account" and enter mylab\vc_svc$, leaving the password blank. Do not enter mylab.local\vc_svc$; enter mylab\vc_svc$.
5. For vCenter Server you will need to add mylab\vc_svc$ to the local Administrators group or vCenter will not start.
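The two failure modes described above (the KDS root key not being effective yet on the DC side, and the misleading "Access Denied" from Install-ADServiceAccount when the client computer is not yet seen as a group member) are both easy to check before running the steps. The following preflight script is an added example and not part of the original post; it assumes the names used above (group vcServerGroup, account vc_svc, client vcenter55) and is meant to run on the DC with the ActiveDirectory module loaded.

```powershell
# Added example: preflight checks for the gMSA steps above (not from the original post).
# Assumes the names used in the post: group vcServerGroup, account vc_svc, client vcenter55.
Import-Module ActiveDirectory

$group   = 'vcServerGroup'
$account = 'vc_svc'
$client  = 'vcenter55'

# 1. Is a KDS root key in effect yet? New-ADServiceAccount needs a key whose
#    EffectiveTime has already passed (the 10-hour wait described above).
$keys = Get-KdsRootKey
$effective = @($keys | Where-Object { $_.EffectiveTime -le (Get-Date) })
if ($effective.Count -eq 0) {
    $next = ($keys | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime
    Write-Warning "No KDS root key is effective yet (earliest becomes effective at $next). Wait before DC step 3."
} else {
    Write-Host "KDS root key in effect since $($effective[0].EffectiveTime)"
}

# 2. Is the client computer really a member of the group? Computer accounts have a
#    trailing '$' in SamAccountName. If it is missing (or the client has not rebooted
#    since being added), Install-ADServiceAccount fails with the misleading Access Denied.
$members = Get-ADGroupMember -Identity $group -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($members -notcontains "$client`$") {
    Write-Warning "$client`$ is not a member of $group; add it and reboot the client."
} else {
    Write-Host "$client`$ is a member of $group"
}

# 3. Does the gMSA exist, and which principals may retrieve its password? Only the
#    computer group should be listed; anything else widens who can obtain the password.
$gmsa = Get-ADServiceAccount -Identity $account `
            -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction SilentlyContinue
if ($null -eq $gmsa) {
    Write-Warning "$account does not exist yet; run New-ADServiceAccount (DC step 3)."
} else {
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        Write-Host "Allowed to retrieve password: $dn"
    }
}
```

Run it again after adding the computer to the group and after the client reboot; the second check should then report membership before you run Install-ADServiceAccount on the client.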
To remove an AD service account (on DC)
===========================
Get-ADServiceAccount vc_svc
Remove-ADServiceAccount -Identity vc_svc