How to Create and Deploy MSAs and gMSAs

Copyright©2021 Rockwell Automation, Inc. All Rights Reserved.



Table of Contents
Abstract
Introduction
Minimum permissions and Environment
MSAs
gMSAs
    Steps to create a gMSA
Additional Questions and Troubleshooting

Abstract
This document shows how to create MSAs (Managed Service Accounts) and gMSAs (Group Managed
Service Accounts) and answers some common questions. With FactoryTalk AssetCentre V11.0, an MSA or
gMSA is required at installation when the MSSQL Server instance is located on a remote computer.

Introduction
MSAs are Active Directory accounts that are bound to particular computers. Their passwords are long and
complex and are maintained automatically by the domain: by default a new password is generated every
30 days, and no administrator ever knows or types it. gMSAs were introduced in Windows Server 2012 and
bring MSA functionality to multiple servers in a domain, so one account can run the same service on every
member of a Network Load Balancing (NLB) cluster or other group of servers that operates as a single
system, which accommodates growth in heavily used services.

Minimum permissions and Environment

The minimum permissions required to create an MSA or gMSA are:

• Membership in Domain Admins or Account Operators, or

• The ability to create msDS-GroupManagedServiceAccount objects.

Treat these rights, and the right to change the PrincipalsAllowedToRetrieveManagedPassword setting
described later in this document, as sensitive: every principal listed there can read the account's current
password from Active Directory, so whoever controls that list effectively controls the account.
Windows Operating System Requirements

• MSAs can be created on Windows Server 2008 R2 or later and used on Windows 7 or later.
• gMSAs can be created on Windows Server 2012 or later and used on Windows 8, Windows 10 and Windows
Server 2012 (or later).
• Note: Microsoft no longer supports or maintains Windows 7 and Windows Server 2008 R2, and FactoryTalk
AssetCentre Server V11.0 is compatible with Windows Server 2012 and later. For additional compatibility
information, visit the Rockwell Automation Product Compatibility and Download Center.

MSAs
An MSA is an Active Directory account that is tied to a specific computer. It has its own complex password,
which is maintained automatically. A service can therefore run under an MSA on that computer securely and
with little effort, while still being able to connect to network resources as a specific user principal.
To create MSAs you must:
• Run Active Directory (AD) on 64-bit Windows Server 2012 or later
• Extend the AD schema to Windows Server 2012 or later
• Host the services that use MSAs on Windows 8, Windows 10 or Windows Server 2012 or later
• Set the AD forest functional level to Windows Server 2012 at a minimum.
Creating and deploying an MSA takes several PowerShell cmdlets (a cmdlet is a lightweight command used in
PowerShell).
1. Launch PowerShell on a domain controller.

2. Create a KDS Root Key with the cmdlet Add-KdsRootKey. The cmdlet returns the ID of the new key. A forest
needs only one root key, and by default it becomes effective 10 hours after creation so that every domain
controller has replicated it; creating accounts before then fails.

3. Verify the KDS Root Key with the cmdlet Test-KdsRootKey, passing that key ID.

The returned result True means the key is valid and effective.
4. Create the MSA with the cmdlet New-ADServiceAccount.

The example in this document creates an MSA named msa002. The parameter RestrictToSingleComputer is
required: it makes the account a standalone MSA, which can be used by a single computer only.
5. Once the MSA has been created, it must be installed on the computer where it will be used. Log on to
that computer and run Install-ADServiceAccount from PowerShell.

6. Once the MSA has been installed, verify that it is working with the cmdlet Test-ADServiceAccount.

True indicates the MSA has been installed successfully.

An MSA can be active on, and linked to, only one computer at a time. If you attempt to install the same
account on another computer, you are asked to confirm, and the account moves to that computer.
7. The MSA account is available for use.

On the computer where the MSA is used, open Services and select the service that will run under the
MSA. Change its Log On account to WIN12R2\msa002$, where WIN12R2 is the domain name and msa002 is the
MSA created in the steps above. The trailing "$" is important: it identifies the account as an MSA. Leave the
password fields blank. When you click OK or Apply, Windows reports that the new logon name will not take
effect until the service is stopped and restarted, so either restart the service or restart the computer.
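The MSA procedure above (steps 1 to 7 plus the service binding) as a script, added here as an example; it is not code from the Rockwell document. It uses two functions because the steps run on two machines: a domain controller and the host. The names are assumptions: the domain WIN12R2 comes from the text, while msa002, host PC1 and the service name MyService are placeholders. Both functions need the ActiveDirectory PowerShell module (RSAT).

```powershell
# Added example (not from the original document). Assumed names: MSA msa002,
# host PC1, domain WIN12R2, service MyService. Requires the ActiveDirectory module.

function New-StandaloneMsa {
    # Run on a domain controller as a member of Domain Admins or Account Operators.
    param(
        [Parameter(Mandatory)] [string] $Name,          # e.g. msa002
        [Parameter(Mandatory)] [string] $HostComputer   # e.g. PC1
    )
    Import-Module ActiveDirectory

    # Step 2: one KDS root key per forest. Add-KdsRootKey returns the key's GUID.
    # Even with -EffectiveImmediately the key is usable only 10 hours later, once
    # every DC has replicated it. Lab-only shortcut that backdates the key:
    #   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    $key   = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
    $keyId = if ($key) { $key.KeyId } else { Add-KdsRootKey -EffectiveImmediately }

    # Step 3: True means the key is valid and effective on this DC.
    if (-not (Test-KdsRootKey -KeyId $keyId)) {
        throw "KDS root key $keyId is not effective yet; wait for replication"
    }

    # Step 4: -RestrictToSingleComputer creates a standalone MSA
    # (msDS-ManagedServiceAccount) that exactly one computer may use.
    New-ADServiceAccount -Name $Name -RestrictToSingleComputer -Enabled $true

    # Link the MSA to its host now. Install-ADServiceAccount on the host creates
    # this link as well; doing it here records the intended host in AD up front.
    Add-ADComputerServiceAccount -Computer $HostComputer -ServiceAccount $Name
    (Get-ADComputer -Identity $HostComputer -Properties ServiceAccount).ServiceAccount
}

function Install-MsaAndBindService {
    # Run on the host (PC1) as a local administrator.
    param(
        [Parameter(Mandatory)] [string] $Name,          # e.g. msa002
        [Parameter(Mandatory)] [string] $Domain,        # e.g. WIN12R2
        [Parameter(Mandatory)] [string] $ServiceName    # service name, not display name
    )
    Import-Module ActiveDirectory

    # Steps 5 and 6: install, then verify. Test-ADServiceAccount returns True on success.
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name is not usable on $env:COMPUTERNAME"
    }

    # Service binding: the trailing $ marks the account as an MSA and the password
    # stays empty, exactly as in the Services dialog. Calling Win32_Service.Change
    # with only StartName/StartPassword leaves every other service setting alone.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service $ServiceName not found" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = "$Domain\$Name`$"; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Change failed, Win32_Service return code $($r.ReturnValue)" }

    # The new logon name takes effect only after the service restarts.
    Restart-Service -Name $ServiceName
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
}

# On the domain controller:
#   New-StandaloneMsa -Name 'msa002' -HostComputer 'PC1'
# On PC1:
#   Install-MsaAndBindService -Name 'msa002' -Domain 'WIN12R2' -ServiceName 'MyService'
```

The binding uses the Win32_Service Change method rather than sc.exe so that the empty password is passed unambiguously; both end up in the same place, the service's StartName in the SCM database, which the last line reads back so you can confirm it shows WIN12R2\msa002$.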

gMSAs
Unlike MSAs, gMSAs can be used across multiple computers in the same domain. With gMSAs, neither the
services nor their administrators need to manage password synchronization between service instances,
because each host retrieves the current password from Active Directory. Before creating and deploying
gMSAs, check these prerequisites.

• At least one domain controller must be running Windows Server 2012 or later (64-bit).
• Microsoft Active Directory must be present.
• The Active Directory schema must be extended to Windows Server 2012 (or later).
• Computers using gMSAs must run Windows 8, Windows 10, Windows Server 2012 or later.
• PowerShell, with the Active Directory module, must be available on each relevant computer.

Steps to create a gMSA

Run the cmdlets below on the domain controller, in this order.
1. Launch PowerShell and create a KDS root key with Add-KdsRootKey. Skip this step if the forest already has
one (for example from the MSA procedure above); only one is needed.

2. Verify that the key is valid and effective with Test-KdsRootKey.

3. Create the gMSA by running New-ADServiceAccount in PowerShell ISE.

DNSHostName is the DNS host name under which the account's service is registered; it does not have to be
the domain controller's name, and Microsoft's examples use the account name under the domain's DNS suffix
(for example gmsa005 followed by the domain suffix). Use the parameter
PrincipalsAllowedToRetrieveManagedPassword to specify the group of computers that may use the gMSA.
Follow the steps below to create that group.
a. On the domain controller, launch Active Directory Users and Computers.
b. Right-click Users in the left pane and select New -> Group.
c. Enter a group name (this document uses PCGroup) and select a group scope.
d. Click OK to exit.

e. In the right pane, double-click PCGroup to open its properties dialog.
f. Select the Members tab and click the Add button.

g. Click the Object Types... button, check Computers, and click OK to close the Object Types dialog.


h. Click Find Now, select the computers that will run the service, and click OK until you return to Active
Directory Users and Computers. Add only those hosts. Selecting the built-in Domain Computers group
instead would let every domain-joined computer, and any local administrator on one of them, retrieve
the gMSA password.

If computers were added to the group just now, restart the computers that will use the gMSA account
before the next step, otherwise it will fail: a computer's group memberships are embedded in the Kerberos
ticket it obtains at startup, so a ticket issued before the group change does not carry the new membership.
Purging the machine account's tickets from an elevated prompt (klist -li 0x3e7 purge) has the same effect
without a reboot. The domain controller itself does not need to be restarted.

The parameter PrincipalsAllowedToRetrieveManagedPassword can also be followed by one or more
computer names instead of a group name, for example
-PrincipalsAllowedToRetrieveManagedPassword PC1$,PC2$
where PC1 and PC2 are two computer names. Append a $ to each computer name and separate the names
with a comma. When using a group name, you do not need a $ at the end.

You can also use a combination of computer names and group names.

The parameter PrincipalsAllowedToRetrieveManagedPassword specifies which computers, or groups of
computers, are allowed to use the gMSA. In this document's example, the account gmsa005 can be used only
by the computer AdaWindowsSer-0 and the computers belonging to PCGroup.

4. After the gMSA has been created, install it on the computers where it will be used. Log on to each of
those domain computers and run Install-ADServiceAccount from PowerShell.

To verify that the gMSA is installed successfully on a computer, run Test-ADServiceAccount.

The result True means the installation succeeded.

This step must be executed on every computer that will use the gMSA.

5. Apply the gMSA to a service. Change the logon account to the gMSA name followed by $ (gmsa002$ in the
document's example) and leave the password fields blank. DO NOT omit the $ at the end of the name.

6. Click OK to save the settings and restart the service for the change to take effect.
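The gMSA procedure (steps 1 to 6 plus the group creation) as a script, added here as an example and not taken from the Rockwell document. It grants password retrieval to a security group containing only the named hosts. The names are assumptions: domain WIN12R2 and group PCGroup come from the text, while the DNS suffix win12r2.local, the gMSA gmsa005, the hosts PC1 and PC2 and the service MyService are placeholders.

```powershell
# Added example (not from the original document). Assumed names: gMSA gmsa005,
# group PCGroup, hosts PC1/PC2, domain WIN12R2 with DNS suffix win12r2.local,
# service MyService. Requires the ActiveDirectory module on every machine.

function New-GmsaForHosts {
    # Run on the domain controller (steps 1 to 3 and the group creation).
    param(
        [Parameter(Mandatory)] [string]   $Name,        # e.g. gmsa005
        [Parameter(Mandatory)] [string]   $DnsSuffix,   # e.g. win12r2.local
        [Parameter(Mandatory)] [string]   $GroupName,   # e.g. PCGroup
        [Parameter(Mandatory)] [string[]] $HostNames    # e.g. PC1, PC2
    )
    Import-Module ActiveDirectory

    # Steps 1 and 2: reuse the forest's existing KDS root key and confirm it is effective.
    $key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
    if (-not $key -or -not (Test-KdsRootKey -KeyId $key.KeyId)) {
        throw 'No effective KDS root key; run Add-KdsRootKey and wait for replication (10 h)'
    }

    # Security group whose members may read the gMSA password. Only the hosts
    # that will run the service belong here, never Domain Computers.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
    }
    $computers = $HostNames | ForEach-Object { Get-ADComputer -Identity $_ }
    Add-ADGroupMember -Identity $group -Members $computers

    # Step 3: DNSHostName is the account's own DNS name, not the DC's.
    New-ADServiceAccount -Name $Name `
        -DNSHostName "$Name.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -Enabled $true

    # Read back what AD recorded (msDS-GroupMSAMembership) so the grant is verifiable.
    (Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
}

function Install-GmsaOnThisHost {
    # Run on each host (PC1, PC2) from an elevated PowerShell (steps 4 to 6).
    param(
        [Parameter(Mandatory)] [string] $Name,          # e.g. gmsa005
        [Parameter(Mandatory)] [string] $Domain,        # e.g. WIN12R2
        [Parameter(Mandatory)] [string] $ServiceName    # service name, not display name
    )
    Import-Module ActiveDirectory

    # The host's Kerberos tickets were issued before it joined PCGroup and carry the
    # old group list. Purging the machine-account logon session (LUID 0x3e7) forces
    # a fresh TGT; this is what the reboot in the text achieves.
    klist -li 0x3e7 purge | Out-Null

    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name is not usable on $env:COMPUTERNAME; check group membership"
    }

    # Steps 5 and 6: bind the service. Trailing $ is mandatory, password stays empty.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = "$Domain\$Name`$"; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Change failed, Win32_Service return code $($r.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

# On the domain controller:
#   New-GmsaForHosts -Name 'gmsa005' -DnsSuffix 'win12r2.local' -GroupName 'PCGroup' -HostNames 'PC1','PC2'
# On PC1 and again on PC2 (step 4 must run on every host):
#   Install-GmsaOnThisHost -Name 'gmsa005' -Domain 'WIN12R2' -ServiceName 'MyService'
```

The read-back at the end of New-GmsaForHosts returns the distinguished names stored in msDS-GroupMSAMembership; if anything other than PCGroup (or an explicitly intended computer) appears there, someone has widened the set of principals that can read the password, which is the check a reviewer of this account should repeat periodically.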

Additional Questions and Troubleshooting
• What happens if I try to use an MSA on more than one computer?
An MSA cannot be used by multiple computers simultaneously. When you install an MSA on another
computer, it is automatically uninstalled from the computer where it was previously installed. A gMSA, by
contrast, can be used by multiple computers at the same time.

• Is it required to install the gMSA on each of the computers where it will be used?

Yes. It must be installed on every computer where it will be used.

• The Log On page for a service is greyed out after adopting an MSA or gMSA account. How do I re-enable
it?
1. Launch the Command Prompt as Administrator.
2. Run: sc managedaccount "Service Name" false
The service name must be exactly the Service name shown in the service's properties dialog (not the
display name).

• Why does Install-ADServiceAccount fail to install a gMSA/MSA?

There are two common reasons, both associated with the parameter
PrincipalsAllowedToRetrieveManagedPassword.
I. The computer on which you are installing the gMSA is not a member of the group specified in that
parameter (and is not listed in it directly).
II. The computer where the gMSA will be used has not been restarted, or had its machine-account Kerberos
tickets purged (klist -li 0x3e7 purge), since it was added to the group, so its ticket still carries the old
group list.
• Why does Test-ADServiceAccount fail to verify a gMSA or MSA?
If Test-ADServiceAccount returns anything other than True, the new gMSA or MSA is not installed
successfully on that computer. Refer to the previous question for troubleshooting.
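A diagnostic for the two Install-ADServiceAccount failure causes listed above, added here as an example (not from the Rockwell document). Run it on the domain controller, or on any machine with the RSAT ActiveDirectory module, before touching the host: it resolves the gMSA's PrincipalsAllowedToRetrieveManagedPassword list, expands nested groups, and reports whether the named computer is authorized and whether the forest's KDS root key is effective. The gMSA gmsa005 and host PC1 are assumed names.

```powershell
# Added example (not from the original document). Assumed names: gMSA gmsa005, host PC1.
Import-Module ActiveDirectory

function Test-GmsaPasswordAccess {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # e.g. gmsa005
        [Parameter(Mandatory)] [string] $ComputerName      # e.g. PC1
    )
    $gmsa     = Get-ADServiceAccount -Identity $ServiceAccount -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computer = Get-ADComputer -Identity $ComputerName
    $via      = @()   # how the computer is authorized, if at all

    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            # Nested membership counts: the KDC expands it into the computer's ticket.
            $members = Get-ADGroupMember -Identity $dn -Recursive
            if ($members | Where-Object { $_.distinguishedName -eq $computer.DistinguishedName }) {
                $via += "group $($obj.Name)"
            }
        } elseif ($obj.DistinguishedName -eq $computer.DistinguishedName) {
            $via += 'direct entry'
        }
    }

    # Cause III that the text does not list: no effective KDS root key yet (10 h wait).
    $key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
    $keyOk = ($null -ne $key) -and ($key.EffectiveTime -le (Get-Date))

    $nextStep = if ($via.Count -eq 0) {
        "Add $($computer.Name)`$ (or a group containing it) to PrincipalsAllowedToRetrieveManagedPassword"
    } elseif (-not $keyOk) {
        'Wait until the KDS root key is effective, then retry'
    } else {
        "AD authorizes $($computer.Name); if Install-ADServiceAccount still fails there, its machine ticket predates the group change: run 'klist -li 0x3e7 purge' on it or reboot it"
    }

    [pscustomobject]@{
        ServiceAccount  = $gmsa.Name
        Computer        = $computer.Name
        Authorized      = ($via.Count -gt 0)
        AuthorizedVia   = ($via -join ', ')
        KdsKeyEffective = $keyOk
        NextStep        = $nextStep
    }
}

Test-GmsaPasswordAccess -ServiceAccount 'gmsa005' -ComputerName 'PC1' | Format-List
```

Authorized reflects what is stored in Active Directory; a True there combined with a failing Install-ADServiceAccount on the host is the stale-ticket case (reason II), which only the host itself can fix.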
