August 17, 2018 at 6:31 am
Morning Folks,
I'll start by pointing out I know next to nothing about Active Directory. I am both learning and trying, but also find myself in a position at work whereby on this particular subject (Managed Service Accounts for SQL Server) I am the resident expert. Which is scary, as I know nothing. So with that nugget of background information, let us begin:
My problem is on a test system, so I have the freedom to mangle it up as needed: We are running SQL Server 2016 and 2017 on a Windows Server 2016 host.
I want to start using Managed Service Accounts for the SQL Services.
I am unclear on the differences between MSAs and gMSAs in a single-domain network.
We typically run all our test SQL servers under the same account. It seems this cannot be done with MSAs? Is there a way to make this work, so all 5 test servers can use the same MSA or gMSA?
Help please 🙂
Cheers
Alex
August 17, 2018 at 6:37 am
You could run them all under the same gMSA. I wouldn't do it myself because I like to have distinct accounts for each instance (or group of instances where Availability Groups are in play).
August 17, 2018 at 7:29 am
Hi Beatrix, what would be wrong with using the same gMSA for all SQL Servers, either per environment (i.e. test, dev, production) or generally across the whole network?
August 17, 2018 at 8:20 am
We don't do it here (a fairly large estate) even though it sounds like a good idea, because we grant access to certain specific file systems to our gMSAs, and we don't want one single account having access to all of our file systems. If that doesn't apply where you are I don't see an issue really.
August 17, 2018 at 8:21 am
There's nothing inherently "wrong" with using one account across multiple servers, but it's generally considered a bad practice as it does open up the possibility of security issues.
So if someone managed to hack one server and the gMSA account, now they have access to *all* the servers with that account in use. While in theory the size of the passwords generated for MSAs / gMSAs should make them difficult to hack, anything's possible.
As for the difference between an MSA and a gMSA, MSAs are "tied" to one particular computer and can't be used on multiple computers (which made them unusable with clustered installations.) gMSAs, however, can be used on multiple computers (and I suspect were developed to solve the problem of clusters.)
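An added example (not code from anyone in this thread) showing how the "multiple computers" property of a gMSA is actually scoped, and how to keep one account per instance or per Availability Group as the earlier replies recommend. It assumes a domain named corp.example, an existing KDS root key, the ActiveDirectory PowerShell module, and placeholder host names SQLTEST01-SQLTEST03.

```powershell
# Added example, not from the original thread. Domain, host and account names are placeholders.
Import-Module ActiveDirectory

# One gMSA per stand-alone instance, one shared only by the nodes of an AG.
$accounts = @(
    @{ Name = 'gmsaSqlTest01'; Hosts = @('SQLTEST01') }
    @{ Name = 'gmsaSqlAg01';   Hosts = @('SQLTEST02', 'SQLTEST03') }
)

foreach ($acct in $accounts) {
    # Only the listed computer accounts may pull the managed password from AD.
    # This is the control that scopes a gMSA to a set of hosts; leaving it wide
    # open is what turns "one account everywhere" into the risk described above.
    $principals = $acct.Hosts | ForEach-Object { Get-ADComputer -Identity $_ }

    New-ADServiceAccount -Name $acct.Name `
        -DNSHostName "$($acct.Name).corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $principals `
        -KerberosEncryptionType AES128, AES256 `
        -ManagedPasswordIntervalInDays 30
}

# Audit check: which hosts are allowed to retrieve each gMSA password?
Get-ADServiceAccount -Filter 'Name -like "gmsaSql*"' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# On each SQL host (run this part on SQLTEST01): install the account locally and
# confirm the host can retrieve the password before pointing the SQL service at it.
Install-ADServiceAccount -Identity gmsaSqlTest01
Test-ADServiceAccount -Identity gmsaSqlTest01
```

If Test-ADServiceAccount returns False, the host is missing from PrincipalsAllowedToRetrieveManagedPassword (or has not refreshed its Kerberos ticket); the SQL service is then set to CORP\gmsaSqlTest01$ in SQL Server Configuration Manager with the password left blank.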
August 17, 2018 at 8:28 am
I always use a gMSA for my SQL instances even if they're stand-alone because if it turns out we want to add them to a cluster later on it's much easier, and if we don't it makes no difference.
August 17, 2018 at 9:12 am
Beatrix Kiddo - Friday, August 17, 2018 8:28 AM:
I always use a gMSA for my SQL instances even if they're stand-alone because if it turns out we want to add them to a cluster later on it's much easier, and if we don't it makes no difference.
Which is eminently sensible. Plus when you migrate to new servers down the road, take the service account with you to the new server and you don't need to muck around with any share / file permissions on the network either.
August 18, 2018 at 3:04 am
Ahh yes, yes, good points! Cheers guys.