locked
spn management of managed service accounts RRS feed

  • Question

  • Following an older question by Tachelau (https://social.technet.microsoft.com/Profile/tacheleu) that was never really answered:

    https://social.technet.microsoft.com/Forums/Lync/en-US/c9d7b7c5-ba04-45d9-b5ee-96ceda28c6d3/spn-management-of-managed-service-accounts?forum=winserverDS

    QUESTION: Managed Service Accounts has two main benefits, first, simplified password management (so clear), and the second one, SPN management. Exactly (an overview description will be enough), what are the main Service Principal Name management benefits of MSA?

    ANSWER: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)?redirectedfrom=MSDN

    In Windows Server 2008 R2 and Windows 7, one managed service account can be used forservices on a single computer. Managed service accounts cannot be shared betweenmultiple computers and cannot be used in server clusters where a service is replicated onmultiple cluster nodes.
    Domains at the Windows Server 2008 R2 functional level provide native support for bothautomatic password management and SPN management. If the domain is running at theWindows Server 2003 functional level or the Windows Server 2008 functional level,additional configuration steps will be needed to support managed service accounts. Thismeans that:
    If the domain is at the Windows Server 2008 R2 functional level, the SPNmanagement of managed service accounts is simplified. Specifically, the DNS part ofthe managed service account SPN is changed from oldname.domain-dns-suffix.comto newname.domain-dns-suffix.com for all managed service accounts installed on thecomputer in the following four situations:
    The samaccountname property of the computer is changed.
    The DNS name property of the computer is changed.
    A samaccountname property is added for the computer.
    A dns-host-name property is added for the computer.
    If the domain controller is on a computer running Windows Server 2008 or WindowsServer 2003 but the Active Directory schema has been updated to WindowsServer 2008 R2 in order to support this feature, managed service accounts can beused and service account passwords will be managed automatically. However, thedomain administrator using these server operating systems will still need to manuallyconfigure SPN data for managed service accounts.

    • Moved by Dave PatrickMVP Thursday, December 3, 2020 4:06 PM looking for forum
    Thursday, December 3, 2020 3:58 PM

Answers

  • I'd try asking for help over here.

    windows-server - Microsoft Q&A

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Guido Franzke Friday, December 4, 2020 6:59 AM
    • Marked as answer by Guido Franzke Thursday, December 10, 2020 6:57 AM
    Thursday, December 3, 2020 4:06 PM