Friday, January 6, 2017

Advantages of gMSA (Group Managed Service Accounts) over Domain Accounts as SQL Server Service Accounts

Traditionally, domain user accounts are used as service accounts for SQL Server services. 

To keep them secure:

  • Administrators need to change the password on a regular basis on each SQL Server.
  • Managing and tracking all of these passwords is a big headache.
  • A password change requires a restart of the SQL Server service, so every rotation means downtime. 
  • The amount of work becomes overwhelming when there are hundreds of SQL Servers in the environment. 
  • There is always a chance of human error. 

Most of this process can be automated in a single PowerShell script, but there is always a chance of something going wrong, and the passwords remain within human reach: someone knows them, stores them, or can read them out of the script.

I have gone through the concept of MSAs (Managed Service Accounts), but a standalone MSA is bound to a single computer, which rules it out for clustered environments where the same account has to run the service on several nodes. I really like the concept of gMSAs (Group Managed Service Accounts), which extend the MSA: the password is retrieved from Active Directory by every host that is authorized to use the account, so one account can serve a failover cluster or Availability Group. There is a little work involved for the Windows/AD folks in setting up gMSA in the environment, but DBAs just need to change the service account one time from a domain user account to the gMSA account. 


Below are a few advantages that we get from gMSA. 
  • It is much safer for SQL Servers to use a gMSA as the service account instead of a domain user account.
  • Password management is automated within Active Directory.
  • It generates very complex passwords and changes them automatically as often as we want; the default interval is 30 days.
  • The passwords are cryptographically random and 240 bytes long. Nobody knows the password, so no one can use the account for interactive (e.g. RDP) logon, and there is no headache of lockouts caused by someone mistyping it.
  • No service restart is needed when the account password is rotated, so no downtime.
  • SPN registration can be delegated to the gMSA so that SQL Server registers its own SPN at startup. Since no human uses the account, nobody registers SPNs for it by hand, so duplicate SPNs are not a problem.
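
The one-time setup the Windows/AD folks do and the one-time switch the DBA does on each host, as an added example that is not part of the original post. The domain (CONTOSO.COM), the gMSA name (gmsaSQL), the host group (SQL-Hosts), the host names (SQL01, SQL02), the OU paths and the instance name (MSSQLSERVER) are assumptions; the cmdlets are the standard ActiveDirectory module and the SQL Server SMO WMI provider, which is what SQL Server Configuration Manager uses under the hood.

```powershell
# Added example, not from the original post. Assumed names: domain CONTOSO.COM,
# gMSA "gmsaSQL", host group "SQL-Hosts", SQL hosts SQL01/SQL02, instance MSSQLSERVER.

# --- Part 1: run once, as a Domain Admin, from a machine with the AD PowerShell module ---
Import-Module ActiveDirectory

# A KDS root key must exist before any gMSA can be created. In production omit
# -EffectiveImmediately and wait ~10 hours for replication; the immediate form is for labs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only computers in this group may retrieve the gMSA password from AD.
# Keep membership limited to the hosts that actually run the SQL Server service.
New-ADGroup -Name 'SQL-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Servers,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'SQL-Hosts' -Members (Get-ADComputer SQL01), (Get-ADComputer SQL02)

# Create the gMSA. AD generates the password and rotates it every 30 days (the default,
# stated explicitly so the rotation policy is visible in the script). Registering the
# SPNs here replaces manual setspn.exe registrations that tend to produce duplicates.
New-ADServiceAccount -Name 'gmsaSQL' `
    -DNSHostName 'gmsaSQL.contoso.com' `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Hosts' `
    -ServicePrincipalNames 'MSSQLSvc/SQL01.contoso.com:1433', 'MSSQLSvc/SQL02.contoso.com:1433' `
    -Path 'OU=ServiceAccounts,DC=contoso,DC=com'

# Confirm the rotation interval, the SPNs and the allowed hosts landed as intended.
Get-ADServiceAccount -Identity 'gmsaSQL' `
    -Properties msDS-ManagedPasswordInterval, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Format-List Name, msDS-ManagedPasswordInterval, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# --- Part 2: run on each SQL host, after a reboot so the new group membership is in its token ---
Install-ADServiceAccount -Identity 'gmsaSQL'

# Returns $true only if this host can retrieve the managed password. $false almost always means
# the host is not in SQL-Hosts yet or has not been rebooted since it was added.
if (-not (Test-ADServiceAccount -Identity 'gmsaSQL')) {
    throw 'This host cannot retrieve the gMSA password; check SQL-Hosts membership and reboot.'
}

# Switch the SQL Server service to the gMSA through the SMO WMI provider, which also grants the
# account the registry and file-system rights SQL Server needs (plain Set-Service would not).
# The password is empty because Windows fetches it from AD; the trailing '$' is required.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$svc = $mc.Services['MSSQLSERVER']
$svc.SetServiceAccount('CONTOSO\gmsaSQL$', '')

# This is the only restart the switch costs; later password rotations need none.
Restart-Service -Name 'MSSQLSERVER' -Force
```

After the restart, a second look at the account's ServicePrincipalNames should show only the SPNs registered above; if SQL Server is expected to register its own SPN instead, grant the gMSA "Validated write to service principal name" on itself and leave -ServicePrincipalNames out.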
     
We are planning to implement them in our environment and will share more of my experience once we have them in place. Hope this helps.