1
00:00:01,340 --> 00:00:02,790
To finish this exercise,

2
00:00:02,790 --> 00:00:06,440
let's take a look at group Managed Service Accounts, or gMSAs.

3
00:00:06,440 --> 00:00:09,340
I've got some PowerShell to demonstrate this.

4
00:00:09,340 --> 00:00:12,450
I give you this PowerShell file, as I always do, with my

5
00:00:12,450 --> 00:00:14,680
source code in the exercise files.

6
00:00:14,680 --> 00:00:18,250
We're here in Visual Studio Code on one of my domain controllers,

7
00:00:18,250 --> 00:00:21,270
and I've installed the PowerShell extensions,

8
00:00:21,270 --> 00:00:24,730
so I have language support, and because it's a domain controller,

9
00:00:24,730 --> 00:00:28,230
I have the Active Directory PowerShell module already installed.

10
00:00:28,230 --> 00:00:32,300
The script file has some references to some helpful Microsoft docs here,

11
00:00:32,300 --> 00:00:36,540
and there is a reminder that some common use cases of group

12
00:00:36,540 --> 00:00:38,940
Managed Service Accounts are IIS app pools,

13
00:00:38,940 --> 00:00:40,710
Windows services and tasks.

14
00:00:40,710 --> 00:00:43,320
However, if you're using Windows failover clustering,

15
00:00:43,320 --> 00:00:47,940
the cluster's own service account, at least at this time in early 2021,

16
00:00:47,940 --> 00:00:50,010
does not work with gMSAs.

17
00:00:50,010 --> 00:00:53,480
The Key Distribution Service, or KDS, is what's

18
00:00:53,480 --> 00:00:55,670
responsible for maintaining the password.

19
00:00:55,670 --> 00:00:59,180
So we have to run, on line 5, Add-KdsRootKey,

20
00:00:59,180 --> 00:01:03,160
and it does take 10 hours for replication and for that to settle.

21
00:01:03,160 --> 00:01:06,210
So on line 7, I actually ran this as a cheat.

22
00:01:06,210 --> 00:01:09,640
I wouldn't recommend you do that in a production environment.

23
00:01:09,640 --> 00:01:12,190
So what we're going to do in this case is this machine,

24
00:01:12,190 --> 00:01:16,030
rootdc1. Let's say we want to give both this machine,

25
00:01:16,030 --> 00:01:21,520
rootdc1, as well as my other timw.info domain controller, rootdc2,

26
00:01:21,520 --> 00:01:25,010
membership to a new gMSA that I'll call web.

27
00:01:25,010 --> 00:01:28,940
So what we can do on line 9 is run New-ADServiceAccount,

28
00:01:28,940 --> 00:01:30,350
giving it a name of web.

29
00:01:30,350 --> 00:01:33,000
Managed password interval in days is 30.

30
00:01:33,000 --> 00:01:33,680
By the way,

31
00:01:33,680 --> 00:01:38,270
if you're wondering about what the mins and maxes and all of that kind of stuff are,

32
00:01:38,270 --> 00:01:40,920
never forget about using good old Get-Help,

33
00:01:40,920 --> 00:01:43,080
where we can just do the name of the command,

34
00:01:43,080 --> 00:01:46,790
and then if you throw in -Online, and you're connected to the internet,

35
00:01:46,790 --> 00:01:51,290
you can go out to the latest help article by using your default web browser.

36
00:01:51,290 --> 00:01:51,760
Specifically,

37
00:01:51,760 --> 00:01:55,350
what I'll want to do, after I zoom in a little bit, is go to Parameters,

38
00:01:55,350 --> 00:01:59,530
and we can look up, if we want to know about that managed password interval,

39
00:01:59,530 --> 00:02:02,220
the parameters are in alphabetical order.

40
00:02:02,220 --> 00:02:05,000
It says here that the managed password interval

41
00:02:05,000 --> 00:02:07,080
in days is an integer parameter,

42
00:02:07,080 --> 00:02:11,740
and it specifies the number of days; if set to 0, then the default is used.

43
00:02:11,740 --> 00:02:12,720
Now, what's the default?

44
00:02:12,720 --> 00:02:14,490
The default is 30 days.

45
00:02:14,490 --> 00:02:16,080
So again, that's just a notion.

46
00:02:16,080 --> 00:02:19,470
If you're not good with PowerShell yet, I'd suggest you get good,

47
00:02:19,470 --> 00:02:24,950
even though there's not an awful lot of complex PowerShell on AZ-800 or 801.
48
00:02:24,950 --> 00:02:27,640
So after the ManagedPasswordIntervalInDays parameter,

49
00:02:27,640 --> 00:02:31,440
we have the PrincipalsAllowedToRetrieveManagedPassword.

50
00:02:31,440 --> 00:02:32,740
That's really important.

51
00:02:32,740 --> 00:02:34,990
That's going to be the Active Directory group that

52
00:02:34,990 --> 00:02:37,190
contains those servers. Web Farm,

53
00:02:37,190 --> 00:02:40,030
you know what? I haven't yet created Web Farm, so let's go

54
00:02:40,030 --> 00:02:43,450
back to Users and Computers. I will just temporarily put it

55
00:02:43,450 --> 00:02:44,930
in the Computers container.

56
00:02:44,930 --> 00:02:49,710
I'm going to create a new global security group called Web Farm, and then

57
00:02:49,710 --> 00:02:52,490
we're going to populate that group. We'll click Add,

58
00:02:52,490 --> 00:02:55,970
make sure that our object type includes Computers, and

59
00:02:55,970 --> 00:02:57,840
then I'm going to do a search for root.

60
00:02:57,840 --> 00:03:01,110
We want to bring in rootdc1, and let me do that again.

61
00:03:01,110 --> 00:03:03,360
I think I might have to set the object type again.

62
00:03:03,360 --> 00:03:03,960
No, I don't.

63
00:03:03,960 --> 00:03:08,170
Good deal. Click Root, we'll bring in rootdc2, and so now those computers

64
00:03:08,170 --> 00:03:12,030
belong to Web Farm, and now line 9 should work just fine.

65
00:03:12,030 --> 00:03:14,930
So let's right-click, Run the selection. And then we can

66
00:03:14,930 --> 00:03:18,000
verify that we've created the gMSA by running

67
00:03:18,000 --> 00:03:20,780
Get-ADServiceAccount, as you can see here.

68
00:03:20,780 --> 00:03:23,020
Also, if we come back to Active Directory

69
00:03:23,020 --> 00:03:24,310
Users and Computers,

70
00:03:24,310 --> 00:03:28,350
you can see in the Managed Service Accounts container we have our web

71
00:03:28,350 --> 00:03:32,370
identity there. Next step is we're going to install or register the

72
00:03:32,370 --> 00:03:36,650
service account on our computers, and I have some Invoke-Commands, and I

73
00:03:36,650 --> 00:03:40,080
was getting started on how I could iteratively loop through a

74
00:03:40,080 --> 00:03:42,940
collection of computers to do that.

75
00:03:42,940 --> 00:03:46,240
So you see what we've done so far? We've got a global group that contains

76
00:03:46,240 --> 00:03:48,770
the servers that will share the Managed Service Account.

77
00:03:48,770 --> 00:03:52,430
We then created the service account, we retrieved its metadata.

78
00:03:52,430 --> 00:03:54,950
The last step is, on each of our servers, to run

79
00:03:54,950 --> 00:03:59,100
Install-ADServiceAccount to make sure that it's properly registered.

80
00:03:59,100 --> 00:04:02,810
Let me right-click to install this service account on the local server.

81
00:04:02,810 --> 00:04:06,190
We can test to verify that the Managed Service Account has

82
00:04:06,190 --> 00:04:09,290
been installed properly by running Test-ADServiceAccount,

83
00:04:09,290 --> 00:04:12,490
and if it comes back as True, we're good to go.

84
00:04:12,490 --> 00:04:13,350
So finally,

85
00:04:13,350 --> 00:04:16,000
to demonstrate how we would implement this service

86
00:04:16,000 --> 00:04:19,460
account, let me open the Services Control Manager here and

87
00:04:19,460 --> 00:04:21,280
let me pick on a Windows service,

88
00:04:21,280 --> 00:04:25,060
just as a representative example. Let me grab this device picker,

89
00:04:25,060 --> 00:04:28,630
and the idea here is that we would specify the name of the

90
00:04:28,630 --> 00:04:31,980
service account, domain\serviceAccount,

91
00:04:31,980 --> 00:04:35,760
but we want to be really careful not to supply any passwords

92
00:04:35,760 --> 00:04:43,000
here, because this is a group Managed Service Account that's being managed by Active Directory itself.