Reconfigure service accounts

  • Question

  • Hi guys,

    The guy who was responsible for the SQL servers left and I took over. I have noticed that he configured many service accounts for all SQL servers and I would like to replace them with a group managed service account. My question is: can I use one group managed service account for all SQL servers (6 servers), and is this best practice, or shall I create 1 for each SQL? Next, what is the impact of replacing an existing service account with a group managed one? What should I think about before doing this step?

    Please help


    Wednesday, March 6, 2019 2:57 PM


All replies

  • Well if you have one account for all servers and need to change the pass then you would need to restart all servers....

    >>>Next what is the impact of replacing existing service account with group managed?

    You need to have a power domain account for the SQL Server service not a group...


    Best Regards, Uri Dimant SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/

    Wednesday, March 6, 2019 3:48 PM
  • No, no need for a "power domain admin account" (whatever you mean by that).

    GMSA is supported for SQL Server as of SQL Server 2016. Here's an outline for doing it: https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/. I'm not aware of any issues having several SQL Servers using a gMSA; that is what you typically do with an Availability Group setup.


    Tibor Karaszi, SQL Server MVP (Web Blog)

    Wednesday, March 6, 2019 5:43 PM
  • Hi,

    >>My question is can I use one group managed services account for all sql servers (6 servers) and is this best practice or shall I create 1 for each sql. 
    Yes, you can use it. A Group Managed Service Account is an MSA for multiple servers. It will simplify your management.

    >>Next what is the impact of replacing existing service account with group managed?
    Beginning with SQL Server 2014, SQL Server supports group managed service accounts for standalone instances, and SQL Server 2016 and later for failover cluster instances, and availability groups. It won't cause any issues.

    >>What to think about before doing this step?
    The OS that hosts your SQL Server instance must be Windows Server 2012 R2 or later.

    You may want to refer to Configure Windows Service Accounts and Permissions. Hope it can help.

    Best Regards,
    Puzzle
    MSDN Community Support

    Thursday, March 7, 2019 5:41 AM
  • Hi Guys,

    Thank you for the response. 2 servers are Windows Server 2008 Standard and 4 servers are Windows Server 2012 R2 Standard.

    The SQL servers that are installed on Windows Server 2012 R2 are 2014 and the SQL servers that are installed on 2008 are SQL 2008 edition.

    If I understand this correctly, I can use a group managed service account on the SQL servers that are 2014 but not on 2008, right? Can I use a managed service account on 2008? Domain controllers are 2012 R2 and 2016.

    Shall I create 1 gMSA for each 2014 SQL, or can I use 1 for all 4 servers? The SQL servers are not in a cluster or availability set, they are independent.

     

    Thursday, March 7, 2019 8:29 AM
  • The requirements are that you must meet both: At least Win 2012 R2 *and* at least SQL 2014.

    [Edited text, I incorrectly stated earlier that gMSA support came in SQL 2016.]


    Tibor Karaszi, SQL Server MVP (Web Blog)


    • Edited by TiborKMVP Thursday, March 7, 2019 9:43 AM correction
    Thursday, March 7, 2019 8:33 AM
  • Hi Tibor,

    Ahaa so GMSA can be used only on SQL 2016 okay. Can I use managed service account for sql 2014 and 2008?

    According to this we can use GMSA on sql 2014



    Thursday, March 7, 2019 9:23 AM
  • Hi,

    You can use Group Managed Service Account with SQL server 2014 on Windows Server 2012 R2 or later. Make sure that you install KB 2998082 on the server.

    https://support.microsoft.com/en-us/help/2998082/gmsa-based-services-can-t-log-on-after-a-password-change-in-a-windows


    Thursday, March 7, 2019 9:34 AM
  • Oops, my bad. gMSA support was apparently introduced in SQL Server 2014: This is the SQL 2014 documentation: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-2014#MSA

    Regular MSA support came in SQL Server 2012.


    Tibor Karaszi, SQL Server MVP (Web Blog)

    Thursday, March 7, 2019 9:41 AM
  • Thank you guys, so regarding sql server 2014 I can use gmsa and regarding sql server 2008 I have to use normal ad account as a service? I cannot use managed service account for those?
    Thursday, March 7, 2019 9:56 AM
  • You will not be able to use Managed Service Accounts with SQL 2008. You will need to have SQL Server 2012 or higher and you need to have Windows Server 2008 R2.


    Thursday, March 7, 2019 10:00 AM
  • >>Thank you guys, so regarding sql server 2014 I can use gmsa and regarding sql server 2008 I have to use normal ad account as a service? I cannot use managed service account for those?
    Correct.

    Tibor Karaszi, SQL Server MVP (Web Blog)

    Thursday, March 7, 2019 10:00 AM
  • Thank you all for support. Much appreciated.
    Thursday, March 7, 2019 10:26 AM
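
An added example, not posted by any participant in the thread: one way to set up the single gMSA discussed above for the four SQL Server 2014 hosts on Windows Server 2012 R2, with password retrieval limited to those hosts. The domain, host, group and account names are placeholders.

```powershell
# Added example. Placeholder names: contoso.example, SQL01..SQL04, SQL-gMSA-Hosts, gmsaSql.
Import-Module ActiveDirectory

$domain   = 'contoso.example'
$sqlHosts = 'SQL01', 'SQL02', 'SQL03', 'SQL04'   # SQL Server 2014 on Windows Server 2012 R2
$group    = 'SQL-gMSA-Hosts'
$gmsa     = 'gmsaSql'

# --- On a machine with the AD module, as an account allowed to create these objects ---

# A KDS root key must exist in the forest before any gMSA can be created.
# A newly added key only becomes usable after about 10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only computers in this group may retrieve the gMSA password from AD.
New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $group -Members ($sqlHosts | ForEach-Object { Get-ADComputer $_ })

New-ADServiceAccount -Name $gmsa -DNSHostName "$gmsa.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Review who can retrieve the password (audit this after any group change).
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# --- Locally on each SQL host, after a reboot so the new group membership applies ---

# The KB named in the thread; an empty result means "check patch level", since
# Get-HotFix only lists updates recorded under that exact ID.
Get-HotFix -Id KB2998082 -ErrorAction SilentlyContinue

Install-ADServiceAccount -Identity 'gmsaSql'
if (-not (Test-ADServiceAccount -Identity 'gmsaSql')) {
    throw "This host cannot retrieve the gMSA password; check group membership and reboot."
}
# Then set the SQL Server service to run as CONTOSO\gmsaSql$ with a blank password,
# using SQL Server Configuration Manager so the required permissions are granted.
```

The same steps with one account and one group per host give each server its own gMSA; the SQL Server 2008 hosts stay on ordinary domain accounts, as the thread concludes.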