managed service accounts

  • How many people out there have had success or issues with managed service accounts for sql server.  Looking at consolidation of about 1000 servers and 4 domains.

  • in my shop we use group managed service accounts (GMSA) for ALL SQL instances (over 800 of them), one per service per server

    works great and no issues with it.

    so server A would have

    • GMSA_SERVERID_SQL$ -- for SQL instance
    • GMSA_SERVERID_SSIS$ -- for SSIS service
    • GMSA_SERVERID_SSRS$ -- for SSRS service
    • GMSA_SERVERID_SSAS$ -- for SSAS instance
    • GMSA_SERVERID_SQLDBO$ -- to be set as db owner
    • GMSA_SERVERID_SQLAGT$ -- For sql Agent

    this allows for total segregation of roles as well as automation, as you know each service will have the exact naming after replacing the SERVERID with what is decided to be the servername

    for example, if someone names their servers as a combination of environment and a sequence, for server PRD_1234 the gmsa could be named

    GMSA_1234_SQL$

    Do not use the same account for all servers, as a principle of least privilege

     

  • We do broadly the same as Frederico. Servers which are clustered together for AGs share gMSAs but otherwise they are unique.

    I would not use one account across the entire estate.
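    The two replies above describe the same provisioning pattern: one gMSA per server per SQL role, named GMSA_<SERVERID>_<ROLE>$, with clustered AG nodes sharing their gMSAs. The PowerShell below is an added example written for this thread, not code from either poster or from Microsoft; it assumes the ActiveDirectory module, an existing KDS root key, and placeholder values for the OU path, DNS suffix, computer account names and group name. It restricts password retrieval to exactly the machines that need it (a single computer account for a stand-alone server, a group of node computer accounts for an AG cluster) and enforces the 15-character sAMAccountName limit that applies to gMSA names, so a suffix such as SQLDBO needs a shorter server id or an explicit -SamAccountName.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Creates one gMSA per server per SQL role
# following the GMSA_<SERVERID>_<ROLE>$ convention, scoped to the hosts that need it.

function New-SqlRoleGmsa {
    param(
        [Parameter(Mandatory)][string]$ServerId,              # e.g. '1234' taken from PRD_1234
        [Parameter(Mandatory)]
        [ValidateSet('SQL','SSIS','SSRS','SSAS','SQLDBO','SQLAGT')]
        [string]$Role,
        # Computer accounts (or one security group of them) allowed to fetch the password
        [Parameter(Mandatory)][string[]]$AllowedPrincipals,
        [string]$OuPath    = 'OU=ServiceAccounts,DC=example,DC=com',  # placeholder OU
        [string]$DnsSuffix = 'example.com'                            # placeholder suffix
    )

    $name = "GMSA_${ServerId}_${Role}"

    # gMSA names are limited to 15 characters (the trailing $ is added by AD).
    if ($name.Length -gt 15) {
        throw "gMSA name '$name' is $($name.Length) chars; the limit is 15. Shorten ServerId or pass -SamAccountName."
    }

    # Idempotent: re-running the script for 1000 servers must not error on existing accounts.
    if (Get-ADServiceAccount -Filter "Name -eq '$name'") {
        Write-Verbose "gMSA $name already exists, skipping"
        return $name
    }

    New-ADServiceAccount -Name $name `
        -DNSHostName "$name.$DnsSuffix" `
        -Path $OuPath `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipals `
        -KerberosEncryptionType AES128, AES256 `
        -Description "SQL $Role service identity for server $ServerId (least privilege: one account per server per role)"

    return $name
}

# --- Stand-alone server PRD_1234: only its own computer account may retrieve the passwords.
# 'PRD-1234$' is a placeholder computer account name.
foreach ($role in 'SQL','SSIS','SSRS','SSAS','SQLAGT') {
    New-SqlRoleGmsa -ServerId '1234' -Role $role -AllowedPrincipals 'PRD-1234$'
}

# --- Availability group AG01: the nodes share a gMSA, so scope retrieval to a
# security group holding only the node computer accounts (placeholder names).
$ouPath  = 'OU=ServiceAccounts,DC=example,DC=com'
$nodes   = 'PRD-2001$', 'PRD-2002$'
$agGroup = 'GMSA_AG01_Nodes'
if (-not (Get-ADGroup -Filter "Name -eq '$agGroup'")) {
    New-ADGroup -Name $agGroup -GroupScope Global -GroupCategory Security -Path $ouPath `
        -Description 'Computer accounts allowed to retrieve the AG01 gMSA passwords'
}
Add-ADGroupMember -Identity $agGroup -Members $nodes
foreach ($role in 'SQL','SQLAGT') {
    New-SqlRoleGmsa -ServerId 'AG01' -Role $role -AllowedPrincipals $agGroup
}
```

    On each SQL host, install and check the account before pointing the service at it: `Install-ADServiceAccount -Identity 'GMSA_1234_SQL'` followed by `Test-ADServiceAccount -Identity 'GMSA_1234_SQL'`, which should return True. For the AG case, the nodes only pick up the new group membership in their Kerberos token after a reboot (or a machine-account ticket refresh), so a Test-ADServiceAccount that returns False right after Add-ADGroupMember is expected rather than a sign of a broken account. Keeping the allowed principals this narrow is what makes the per-server split worthwhile: a compromised host can only retrieve the passwords of its own accounts, not those of the other 999 servers.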
