GROUP MANAGED SERVICE ACCOUNTS: PREPARE YOUR DOMAIN
In my last posts I have been talking about Group Managed Service Accounts (GMSA). I will continue that journey in this blog.
Group Managed Service Accounts are nice, but you need to prepare them very well; otherwise you end up with a non-working, unsupported estate.
There are some things one should know before continuing. It is wise to make all your steps repeatable, each time, over and over. You should also test them in a test environment first. You can create a simple test environment on your laptop with Lability or just with Hyper-V enabled. It is up to you which one you use. I will not go through installing or setting up a test environment.
Besides those things it is advised to look at your Active Directory environment. The requirements for GMSA are not that high, but it is important to be sure about them. GMSA requires an AD forest running at least the Windows Server 2012 forest functional level; your servers should be domain joined, run Windows Server 2012 or better, and no longer use a 32-bit architecture.
GMSA works with the KDS (Key Distribution Service). KDS shares a secret (its root key) among all the KDS instances in your domain. Those secrets change periodically (typically every 30 days; the length is 128 random characters). This behaviour can be influenced by domain policies (although I do not see a reason to change this). When a GMSA account requires a password, it is generated from that key using a common algorithm. After this, all the instances that use the GMSA will query the domain for the latest password.
Now that you are ready to start implementing GMSA and know some bits and pieces of how they work, it is time to create the main part: the KDS root key. Of course you can do this via PowerShell:
Add-KdsRootKey -EffectiveImmediately
But this is not very repeatable: it just creates the KDS root key. I prefer to check first whether the KDS root key has already been generated. You can do that with Get-KdsRootKey. If Get-KdsRootKey does not return a value, the root key is not set, and you are safe to add it by issuing the Add-KdsRootKey command.
It takes up to 10 hours before the KDS root key is replicated around the estate.
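Here is the whole preparation as one repeatable script, added as an example for this post (it is not code from the original article): it verifies the forest functional level and the server operating systems mentioned above, checks the architecture of the host it runs on, and only adds the KDS root key when Get-KdsRootKey returns nothing. It assumes the ActiveDirectory and Kds PowerShell modules are available, that the caller is a member of Domain Admins or Enterprise Admins, and that the optional -LabBackdate switch (my own addition) is used only in a test environment, where backdating the effective time avoids waiting the 10 hours for replication.

```powershell
# Added example, not from the original post. Repeatable domain preparation for gMSA.
# Assumes: ActiveDirectory + Kds modules present, caller is Domain/Enterprise Admin.
# -LabBackdate is for test environments only (see note below).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$LabBackdate
)

Import-Module ActiveDirectory
Import-Module Kds

# 1. Forest functional level must be Windows Server 2012 or higher.
$forest      = Get-ADForest
$minimumMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest
if ([int]$forest.ForestMode -lt [int]$minimumMode) {
    throw "Forest functional level is '$($forest.ForestMode)'; Windows Server 2012 or higher is required for gMSA."
}
Write-Verbose "Forest functional level OK: $($forest.ForestMode)"

# 2. Report domain-joined servers older than Windows Server 2012 (OS version 6.2).
#    OperatingSystemVersion looks like "6.3 (9600)"; keep only the "6.3" part.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
                          -Properties OperatingSystem, OperatingSystemVersion
$tooOld = foreach ($srv in $servers) {
    if (-not $srv.OperatingSystemVersion) { continue }
    $ver = [version]($srv.OperatingSystemVersion -replace '\s.*$', '')
    if ($ver -lt [version]'6.2') { $srv }
}
if ($tooOld) {
    Write-Warning "These servers cannot use gMSA (pre-2012 OS):"
    $tooOld | Select-Object Name, OperatingSystem | Format-Table -AutoSize | Out-String | Write-Warning
}

# 3. AD does not record the CPU architecture, so check the local host (run this
#    on every future gMSA host, or wrap it in Invoke-Command for remote hosts).
$arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
if ($arch -notlike '64*') {
    throw "This host is $arch; gMSA hosts must be 64-bit."
}

# 4. Create the KDS root key only when none exists yet, so the script can be re-run safely.
$existing = Get-KdsRootKey
if ($existing) {
    Write-Verbose "KDS root key already present; nothing to do."
    $existing | Select-Object KeyId, EffectiveTime, CreationTime
}
elseif ($LabBackdate) {
    # Test labs only: an effective time 10 hours in the past makes the key usable at once
    # instead of waiting for replication. Never do this in production.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Add backdated KDS root key (lab)')) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    }
}
else {
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Add KDS root key')) {
        Add-KdsRootKey -EffectiveImmediately
        Write-Verbose "Root key added; allow up to 10 hours for replication before creating gMSAs."
    }
}
```

Run it as `.\Prepare-Gmsa.ps1 -Verbose -WhatIf` first: because the script supports ShouldProcess, -WhatIf shows whether it would add a root key without touching the domain, which is exactly the repeatable, test-first approach the post recommends. Drop -WhatIf for the real run, and use -LabBackdate only on the laptop lab.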
Next time we are going to talk about the groups and accounts.