MSA Account Naming Rules?

  • Question

  • Hi, we have a new VM with SQL Server and plan to use our first MSA.  I asked for an account that had embedded $ in the name (e.g., "sql$blah$blah$msa").  We use this format for regular domain accounts without issue.  Our admin said that creating the MSA did not error, but was unable to find it upon lookup.  Creating a new account by replacing the $ with underscores works fine and the account is visible.  I was unable to find anything about special naming for an MSA.  Anybody have an idea what's going on?  A bug?  A feature to make accounts invisible?  Thanks.

    Randy in Marin

    Monday, November 24, 2014 11:22 PM

All replies

  • Here is the standard or working format....

    DomainName\S-SQLSER-Dev111

    DomainName\S-SQLAGT-Dev111

    DomainName\S-SQLSIS-Dev111

    DomainName\S-SQLSRS-Dev111

    DomainName\S-SQLSAS-Dev111

    =====================

    Domain Name = Name of the Domain = For me 5 to 8 Character is working

    S --- This stands for Service account or sql service

    SQLSER-- SQL Service engine

    SQLAGT-- SQL Agent Service

    SQLSRS-- SQL SSRS Service

    SQLSAS-- SQL SSAS Service

    SQLSIS - SQL SSIS Service

    Dev111 --- Environment and last 3 numbers or characters of the Host name.. ( we can change this for Prod , UAT, Test etc.... )

    Note : After the configuration and all the stuff when you to sql $ will be added at the end automatically...


    Raju Rasagounder Sr MSSQL DBA

    Monday, November 24, 2014 11:38 PM
  • Also you can read this link for Troubleshooting & Limitations ... I think we can't use $ in the MSA manually, because this will be taken by default after you assign it to SQL (but I never tried creating an MSA with $)...

    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx


    Raju Rasagounder Sr MSSQL DBA

    Monday, November 24, 2014 11:46 PM
  • Our naming standard is similar, but we used $, not hyphens.  I guess it's luck of the draw.  I have yet to find documentation about the use of $ as incorrect.  If the CN was "domain\blah$blah", then I figured - wrongly, I guess - that the SAM name for the service would be "domain\blah$blah$".  Or for "domain\blah$", it should be "domain\blah$$"? 

    I've come across others reporting issues when exceeding a 15 character limit.  I have not seen anything re the use of $. 


    Randy in Marin

    Tuesday, November 25, 2014 12:41 AM
  • Hi Randy,

    What version of SQL Server are you using?

    Based on my research, Managed Service Accounts (MSA) are supported from SQL Server 2012 on for use running SQL service accounts (all SQL Services) where they are confined to a SINGLE machine.  It means that this account can NOT be used across multiple machines.  Besides, usually, the MSA account used for SQL Server service is in formats like "domain\blah$". For more information, please review the following blogs.

    MSA accounts used with SQL
    Managed Service Accounts (MSA) and SQL 2012: Practical Tips

    In addition, for MSA issues, I recommend you ask the question in the Windows Server forums at https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver. It is appropriate and more experts will assist you.


    Thanks,
    Lydia Zhang


    Wednesday, November 26, 2014 10:06 AM
  • Hi.  Yes, it is SQL 2012.  The MSA does work for the service account, but only after removing $ chars from the name.  This is not related to the extra $ added to the name when defining the service account.  (But I do think it's odd to not require the "extra" $ during the creation of the account and then to require it when using the account.)  Thanks for the link.  For some reason, I could not find the Windows Server forum.  For those that are interested, here is a link to that post.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/6b7cbef4-f2bc-457d-8969-d55a1eae99ba/msa-account-naming-rules?forum=winserverDS


    Randy in Marin

    Wednesday, November 26, 2014 5:41 PM
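
Added example, not part of the original thread: a PowerShell pre-flight check that rejects a proposed MSA name before creation and then confirms the new account can be found by its SAM name, so a silent "created but not visible" result is caught immediately. The two name rules come only from what posters in this thread reported (embedded `$`, more than 15 characters), not from documented limits; `Test-MsaName`, `New-CheckedMsa` and the host name `SQLVM01` are hypothetical, and the `-RestrictToSingleComputer` switch assumes the Windows Server 2012 or later ActiveDirectory module.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) and rights to create service accounts.
Import-Module ActiveDirectory

function Test-MsaName {
    # Hypothetical helper: returns the problems found in a proposed MSA name (empty = OK).
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    # Reported in the thread: a name with embedded '$' was created without error but not found.
    if ($Name.Contains('$')) {
        $problems += 'contains "$" (the trailing "$" of the SAM name is added automatically)'
    }
    # Reported in the thread: issues when exceeding 15 characters.
    if ($Name.Length -gt 15) {
        $problems += "is $($Name.Length) characters long (more than 15)"
    }
    return ,$problems
}

function New-CheckedMsa {
    # Hypothetical wrapper: validate, create, bind to one host, then verify visibility.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Computer
    )
    $problems = Test-MsaName -Name $Name
    if ($problems.Count -gt 0) {
        throw "Refusing to create MSA '$Name': name $($problems -join '; ')"
    }

    New-ADServiceAccount -Name $Name -RestrictToSingleComputer
    Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Name

    # Look the account up the way the service configuration will refer to it: name plus '$'.
    $sam   = "$Name`$"
    $found = Get-ADServiceAccount -Filter "sAMAccountName -eq '$sam'"
    if (-not $found) {
        throw "MSA '$Name' was created without error, but lookup by '$sam' returned nothing"
    }
    $found | Select-Object Name, SamAccountName, DistinguishedName
}

# The name from the question is rejected before anything is written to the directory.
Test-MsaName -Name 'sql$blah$blah$msa'

# Constructed sample call: a 15-character name in the format from the first reply.
New-CheckedMsa -Name 'S-SQLSER-Dev111' -Computer 'SQLVM01'
```

After creation, `Install-ADServiceAccount` and `Test-ADServiceAccount` run on the SQL Server host confirm that the machine can actually use the account.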