This article is a 6^th article in the series for SQL Server Always On Availability Groups. It covers the configuration of the group managed service account (gMSA) for SQL Services.

本文是该系列SQL Server始终在可用性组6 ^日的文章。 它涵盖了SQL Services的组管理服务帐户（gMSA）的配置。

介绍 (Introduction)

DBA uses services accounts to run the various SQL Services. Usually, we should use a separate service account for an individual server SQL Services.

DBA使用服务帐户来运行各种SQL服务。 通常，对于单独的服务器SQL Services，我们应该使用单独的服务帐户。

• You should run SQL services having the least permissions 您应该运行权限最少SQL服务
• You should use a complex password and store it in a secure place 您应该使用复杂的密码并将其存储在安全的地方
• Its password should never expire 它的密码永远不会过期
• You should also change the password regularly, depending upon your organization’s security policy 您还应该根据组织的安全策略定期更改密码。

If you maintain a large inventory of SQL Servers, you might think it is a cumbersome task to change and maintain the passwords for these servers. Once you change the service account password using SQL Server Configuration Manager, it also requires the restart of SQL Services. It might be a challenging task as well to get downtime for highly transactional applications.

如果维护大量SQL Server，则可能会认为更改和维护这些服务器的密码是一项繁琐的任务。 使用SQL Server配置管理器更改服务帐户密码后，还需要重新启动SQL Services。 对于具有高事务性的应用程序来说，要使其停机也可能是一项艰巨的任务。

We can leverage Group Managed Service Accounts (gMSA) in these cases. Let’s explore it in the subsequent section.

在这些情况下，我们可以利用组托管服务帐户（gMSA）。 让我们在随后的部分中进行探讨。

先决条件 (Prerequisites)

1. You should follow the article series, Install SQL Server 2019 on Windows Server 2016 with SQL Server Always On Availability Groups and configure the following

   您应该按照文章系列（ 带有SQL Server Always On可用性组在Windows Server 2016上安装SQL Server 2019）并配置以下内容

   • The virtual machine acts as a domain controller and active directory 虚拟机充当域控制器和活动目录
   • Three SQL nodes with SQL Server 2019 installed 安装了SQL Server 2019的三个SQL节点
   • You should configure SQL Server Always On Availability Groups for these three nodes in synchronized mode 您应该在同步模式下为这三个节点配置SQL Server Always On可用性组

2. Windows PowerShell with active directory module installed. We installed it as a part of an active directory configuration

   安装了活动目录模块的Windows PowerShell。 我们将其安装为活动目录配置的一部分

托管服务帐户概述 (An Overview of Managed Service Accounts )

We have two kinds of managed service accounts in an active directory configuration.

在活动目录配置中，我们有两种托管服务帐户。

• Standalone Managed Service accounts(SMSA) provides the functionality of automatic password management. In simplified terms, users do not manage credentials for these users. It automatically changes the password and synchronizes with the services as per the active directory policy. We can use a standalone managed service account for a single server 独立托管服务帐户（SMSA）提供自动密码管理功能。 简而言之，用户不管理这些用户的凭据。 它会根据活动目录策略自动更改密码并与服务同步。 我们可以对一个服务器使用独立的托管服务帐户
• Group Managed Service accounts (gMSA) extend the functionality of SMSA. You can use gMSA for multiple servers. We define an AD group and provide permissions for all required servers that can use the credentials of the specified gMSA 组托管服务帐户（gMSA）扩展了SMSA的功能。 您可以将gMSA用于多台服务器。 我们定义一个AD组，并为所有可以使用指定gMSA凭据的所需服务器提供权限

To summarize, you get the following benefits using gMSA as the service account for SQL Services.

总而言之，使用gMSA作为SQL Services的服务帐户可获得以下好处。

• Automatic password management 自动密码管理
• Administrators do not require to store the passwords in a password vault 管理员不需要将密码存储在密码库中
• It uses a very complex password(120 characters), and it is not known to administrators as well. It avoids the risk of circulating the password unknowingly as well 它使用非常复杂的密码（120个字符），并且管理员也不知道。 它也避免了在不知不觉中传播密码的风险
• Automatic SPN registration SPN自动注册
• You can use them across multiple servers and services 您可以在多个服务器和服务中使用它们
• You can use gMSA on standalone servers or services that run on top of a failover cluster service such as Windows service, app pool, scheduled task 您可以在独立服务器或在故障转移群集服务之上运行的服务（例如Windows服务，应用程序池，计划任务）上使用gMSA

Let’s start configurations of the Group Managed Service accounts (GMSA) for SQL Server Always On availability groups.

让我们开始为SQL Server Always On可用性组配置组托管服务帐户（GMSA）。

为SQL服务配置gMSA (Configuration of gMSA for SQL Services)

We can configure and use the gMSA service accounts for Windows Server 2012 or later. In this article, we will work with Windows Server 2016.

我们可以为Windows Server 2012或更高版本配置和使用gMSA服务帐户。 在本文中，我们将使用Windows Server 2016。

步骤1：为gMSA创建安全组 (Step 1: Create a Security Group for gMSA)

Take an RDP of the active directory server and Launch active directory (AD) using DSA.MSC command.

获取活动目录服务器的RDP并使用DSA.MSC命令启动活动目录（AD）。

Right-click on the domain name and choose New -> Group. Specify a group name as per your requirement or naming convention.

右键单击域名，然后选择“新建”->“组”。 根据您的要求或命名约定指定组名。

Click Ok, and it creates the AD group. Open this group and enter a description. It helps you to identify the security group and its purpose efficiently.

单击“确定”，它将创建AD组。 打开该组并输入描述。 它可以帮助您有效地识别安全组及其用途。

Click on Members. In the members, add the failover cluster nodes. I have SQLNode1, SQLNode2, and SQLNode3 virtual machines configured in a SQL Server Always On availability group.

单击成员。 在成员中，添加故障转移群集节点。 我在SQL Server Always On可用性组中配置了SQLNode1，SQLNode2和SQLNode3虚拟机。

步骤2：配置密钥分发服务（KDS） (Step 2: Configure key distribution service (KDS) )

Group managed service accounts require a key distribution service (KDS) using the AD PowerShell module. It uses an Add-KdsRootkey PowerShell cmdlet. It takes 10 hours for full synchronization between all AD domain controllers.

组托管服务帐户需要使用AD PowerShell模块进行密钥分发服务（KDS）。 它使用Add-KdsRootkey PowerShell cmdlet。 所有AD域控制器之间的完全同步需要10个小时。

For the demonstration purpose, you can use either -EffectiveImmediately parameter or specify a past timestamp.

出于演示目的，您可以使用-EffectiveImmediately参数，也可以指定过去的时间戳。

Open the Windows PowerShell on the active directory VM (in this case vditest3.mydemosql.com) and run the following command.

在活动目录VM（在本例中为vditest3.mydemosql.com）上打开Windows PowerShell，然后运行以下命令。

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

It returns a GUID, as shown below.

它返回一个GUID，如下所示。

You can also validate the key using the Get-KdsRootKey to verify that the KDS key exists in the active directory.

您还可以使用Get-KdsRootKey验证密钥，以验证KDS密钥是否存在于活动目录中。

Get-KdsRootKey

You get the value, effective date, domain controller, and GUID.

您将获得值，生效日期，域控制器和GUID。

步骤3：建立新的群组管理服务帐户 (Step 3: Create a new group managed service account )

In this step, we create a new gMSA account using the New-ADServiceAccount PowerShell cmdlet.

在此步骤中，我们使用New-ADServiceAccount PowerShell cmdlet创建一个新的gMSA帐户。

It uses the following arguments.

它使用以下参数。

• Name: Specify a gMSA service account name 名称：指定gMSA服务帐户名称
• DNSHostName: Enter the FQDN of the service account. In my case, FQDN is gMSAsqlservice.mydemosql.com DNSHostName：输入服务帐户的FQDN。 就我而言，FQDN是gMSAsqlservice.mydemosql.com
• PrincipalsAllowedToRetrieveManagedPassword: Specify the AD group name we created in Step 1: Create a Security Group for gMSA
• PrincipalsAllowedToRetrieveManagedPassword：指定我们在步骤1：为gMSA创建安全组中创建的AD组名称。

New-ADServiceAccount -name gMSAsqlservice -DNSHostName gMSAsqlservice.mydemosql.com -PrincipalsAllowedToRetrieveManagedPassword SQLServer 

You must also allow the gMSA account to register its service principal name ( SPN) for Kerberos authentication in SQL Server.

您还必须允许gMSA帐户在SQL Server中注册其服务主体名称（SPN）以进行Kerberos身份验证。

dsacls (Get-ADServiceAccount -Identity gMSAsqlservice).DistinguishedName /G "SELF:RPWP;servicePrincipalName"

It gives you the following output.

它为您提供以下输出。

You can check the account properties such as encryption type and SAM account name. By default, it uses RC4, AES128, and AES256 encryptions. You can note the account name uses the $ suffix in the account name.

您可以检查帐户属性，例如加密类型和SAM帐户名。 默认情况下，它使用RC4，AES128和AES256加密。 您可以注意到该帐户名在帐户名中使用$后缀。

Get-ADServiceAccount gmsasqlservice -Properties * | FL DNSHostName,KerberosEncryptionType,SamAccountName

步骤4：为目标服务器启用AD Windows功能 (Step 4: Enable AD Windows feature for the target servers )

We need to perform these steps in the target servers. Take RDP to the target server and enable the AD DS and AD LDS Tools in the Windows features.

我们需要在目标服务器中执行这些步骤。 将RDP带到目标服务器， 然后在Windows功能中启用AD DS和AD LDS工具 。

Click Next and confirm the feature installation. In the description box, you can note it installs the Active Directory module for Windows PowerShell on the target server as well.

单击下一步，然后确认功能部件安装。 在描述框中，您可以注意到它还在目标服务器上安装了Windows PowerShell的Active Directory模块。

Click on Install to enable AD feature along with its dependencies on the target nodes.

单击“ 安装”以启用AD功能及其对目标节点的依赖性。

You can perform this step on the remaining servers in the Windows failover cluster as well.

您也可以在Windows故障转移群集中的其余服务器上执行此步骤。

步骤5：在目标节点上为SQL Server Always On可用性组安装组托管服务帐户 (Step 5: Install Group Managed Service account on the target node for SQL Server Always On Availability Group)

Once the AD PowerShell cmdlets are available on the target node, we need to install the gMSA service account. It uses the Install-ADServiceAccount cmdlet.

一旦目标节点上的AD PowerShell cmdlet可用，我们需要安装gMSA服务帐户。 它使用Install-ADServiceAccount cmdlet。

Install-ADServiceAccount gMSAsqlservice

It does not return any output. You can use another cmdlet Test-ADServiceAccount to verify the group managed service account status. It returns true if gMSA is valid and ready to use.

它不返回任何输出。 您可以使用另一个cmdlet Test-ADServiceAccount来验证组托管服务帐户的状态。 如果gMSA有效且可以使用，则返回true。

Test-ADServiceAccount gMSAsqlservice

You can check the last password reset for the managed service account using the Get-ADServiceAccount cmdlet.

您可以使用Get-ADServiceAccount cmdlet检查上次重置托管服务帐户的密码。

Get-ADServiceAccount gMSAsqlservice -Property PasswordLastSet

步骤6：将gMSA配置为运行SQL Services (Step 6: Configure gMSA to run the SQL Services)

Now, we are ready to use the gMSA accounts in the SQL Services. Open the SQL Server Configuration Manager and go to Services.

现在，我们准备在SQL Services中使用gMSA帐户。 打开SQL Server配置管理器，然后转到服务。

Now, search the gMSA account in the active directory service account object. You can specify the account name as [mydemosql\gmsasqlservice$] as well. It does not give you a password prompt.

现在，在活动目录服务帐户对象中搜索gMSA帐户。 您也可以将帐户名指定为[mydemosql \ gmsasqlservice $]。 它不会给您密码提示。

You might notice that we do not have a password for this user. It is not required to configure the services running under group managed service account as well.

您可能会注意到我们没有该用户的密码。 也不需要配置在组托管服务帐户下运行的服务。

Click Ok and restart SQL Services. You can see SQL Service is running under the [mydemosql\gmsasqlservice$] security context.

单击确定，然后重新启动SQL Services。 您可以看到SQL Service在[mydemosql \ gmsasqlservice $]安全上下文下运行。

• Verify the entry in SQL Server logs for the service account

  验证服务帐户在SQL Server日志中的条目

  
• Verify Service Principal Name(SPN) registration for SQL Server 验证SQL Server的服务主体名称（SPN）注册

It successfully registers the service principal name ( SPN) for the Kerberos authentication and logs an entry in the error log, as shown below.

它成功注册了Kerberos身份验证的服务主体名称（SPN），并在错误日志中记录了一个条目，如下所示。

• [MSSQLSvc/SQLNode1.MyDemoSQL.Com:INST1] [MSSQLSvc / SQLNode1.MyDemoSQL.Com：INST1]
• [MSSQLSvc/SQLNode1.MyDemoSQL.Com:I433] [MSSQLSvc / SQLNode1.MyDemoSQL.Com：I433]

Similarly, change the service accounts in the SQLNode2 and SQLNode3 for SQL Server Always On Availability Group and start SQL services.

同样，更改SQL Server Always On可用性组SQLNode2和SQLNode3中的服务帐户，然后启动SQL服务。

SELECT @@Servername AS server,status_desc,service_account
FROM sys.dm_server_services
WHERE status_desc='Running'

• Add these accounts into all SQL instances and provides database mirroring endpoint to [MyDemoSQL\gMSsqlservices$] account. If the account does not have permissions for the endpoint, databases won’t see in the SQL Server Always on availability group, and you get disconnected status.

  将这些帐户添加到所有SQL实例中，并为[MyDemoSQL \ gMSsqlservices $]帐户提供数据库镜像终结点。 如果该帐户没有端点的权限，则在“ SQL Server始终可用”组中将看不到数据库，并且您将获得断开连接状态。

  ALTER AUTHORIZATION
  ON ENDPOINT::mirroring_endpoint TO [MyDemoSQL\gMSsqlservice$];
  

You can hold for some time, and you would see a healthy AG dashboard. In the below screenshot, we see that the [SQLShackDemo] database is in the synchronized state without any data loss.

您可以保留一段时间，然后会看到一个健康的AG仪表板。 在下面的屏幕快照中，我们看到[SQLShackDemo]数据库处于同步状态，而没有任何数据丢失。

结论 (Conclusion)

In this article, we explored Group Managed Service Accounts (gMSA) for SQL Server Always On Availability Groups. It automatically manages SQL Service accounts and changes them without restarting SQL Services. It also eliminates the risk of password hacking or misuse for connecting to SQL. You can also configure the Windows task scheduler using this gMSA account.

在本文中，我们探讨了SQL Server Always On可用性组的组托管服务帐户（gMSA）。 它会自动管理SQL Service帐户并更改它们，而无需重新启动SQL Services。 它还消除了密码被黑客入侵或滥用以连接到SQL的风险。 您也可以使用此gMSA帐户配置Windows任务计划程序。

目录 (Table of contents)

A comprehensive guide to SQL Server Always On Availability Groups on Windows Server 2016

Configure Domain Controller and Active Directory for SQL Server Always On Availability Groups

Configure failover clusters, storage controllers and quorum configurations for SQL Server Always On Availability Groups

Install SQL Server 2019 on Windows Server 2016 with SQL Server Always On Availability Groups

Add a new node into existing SQL Server Always On Availability Groups

Configure Managed Service Accounts for SQL Server Always On Availability Groups

Add or remove a node from SQL Server Always On Availability Groups using T-SQL scripts

Windows Server 2016上SQL Server Always On可用性组的全面指南

为SQL Server Always On可用性组配置域控制器和Active Directory

为SQL Server Always On可用性组配置故障转移群集，存储控制器和仲裁配置

在Windows Server 2016和SQL Server Always On可用性组上安装SQL Server 2019

将新节点添加到现有SQL Server Always On可用性组中

为SQL Server Always On可用性组配置托管服务帐户

使用T-SQL脚本从SQL Server Always On可用性组中添加或删除节点

翻译自: https://www.sqlshack.com/configure-managed-service-accounts-for-sql-server-always-on-availability-groups/