MS SQL AlwaysOn Availability Groups with Managed Service Accounts

This is a practical guide to configuring Microsoft SQL Server with AlwaysOn Availability Groups using a group Managed Service Account (gMSA). A standalone Managed Service Account can be installed on only one computer, so a gMSA is the variant that can run the SQL Server service on every replica of the group.

This is not a guide to installing Microsoft SQL Server, as there are plenty of existing resources for that. It assumes that you have a pair of freshly installed SQL Servers, or that you know how to build a SQL Server according to best practices.

Requirements

  • Two or more ready SQL Servers.
  • Domain Administrator, or delegated privileges to create Computer Accounts, Managed Service Accounts, and Security Enabled Groups.
  • Domain Administrator, or delegated privileges to set Service Principal Names.
  • Local administrative privileges on the SQL Server operating system.
  • Membership of the sysadmin fixed server role on each SQL Server instance.

Summary Steps

  • Pre-Create Active Directory Resources.
    • Computer Account Objects
    • Managed Service Account Object
    • Service Principal Names
  • Configure the SQL Server operating system.
    • Local Firewall
    • Local Security Policy
    • Network Adapters
  • Create the Windows Server Failover Cluster instance.
  • Configure a File Share as a cluster witness.
  • Enable AlwaysOn functionality for MS SQL.
  • Configure the Managed Service Account for MS SQL.
  • Create the Availability Group.
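The steps above, carried through end to end as an added PowerShell example (this is not code from the original guide). It assumes the domain CORP (corp.example.com), two nodes SQL01 and SQL02 running a default instance of SQL Server 2019 (hence -Version 15), a cluster name SQLCLU01, a listener SQLAG01L, a gMSA CORP\gmsa-sql$ that already exists with both nodes allowed to retrieve its password, a witness share \\FS01\ClusterWitness, and a database AppDb; all of those names and addresses are placeholders. It is meant to be run from a management host that has the ActiveDirectory, FailoverClusters and SqlServer modules (the SqlServer module also supplies the SMO WMI assembly used in step 4).

```powershell
# Added example, not code from the original guide. All names, IPs and the share
# path are assumed placeholders; see the lead-in for what is presumed to exist.
#Requires -Modules ActiveDirectory, FailoverClusters, SqlServer

$domain   = 'corp.example.com'
$nodes    = 'SQL01', 'SQL02'
$gmsa     = 'gmsa-sql'                 # sAMAccountName without the trailing $
$gmsaSam  = "CORP\$gmsa$"
$cluster  = 'SQLCLU01'
$listener = 'SQLAG01L'

# 1. Pre-create AD resources. The cluster name object (CNO) and the listener's
#    virtual computer object (VCO) are staged disabled; the cluster enables them
#    itself, so the installing user needs no "create computer objects" right.
foreach ($name in $cluster, $listener) {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
        New-ADComputer -Name $name -Enabled $false -Description 'Pre-staged for SQL AlwaysOn'
    }
}
# The CNO is what brings the listener online, so it needs full control of the VCO.
$vcoDn = (Get-ADComputer $listener).DistinguishedName
$cnoAce = "CORP\$cluster" + '$:GA'
dsacls $vcoDn /G $cnoAce

# SQL Server running as a gMSA cannot normally write its own SPNs (no validated
# write right), so register them up front for both nodes and the listener, then
# check the forest for duplicates (a duplicate SPN silently breaks Kerberos).
$spns = foreach ($n in $nodes + $listener) { "MSSQLSvc/$n.$domain"; "MSSQLSvc/$n.${domain}:1433" }
Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{Add = $spns}
setspn -X

# 2. Operating system on every node: firewall, cluster feature, gMSA cache.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    New-NetFirewallRule -DisplayName 'SQL Server TDS 1433' -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
    New-NetFirewallRule -DisplayName 'SQL HADR endpoint 5022' -Direction Inbound -Protocol TCP -LocalPort 5022 -Action Allow
    Install-WindowsFeature Failover-Clustering -IncludeManagementTools
    Install-ADServiceAccount -Identity $using:gmsa          # needs the RSAT AD module on the node
    if (-not (Test-ADServiceAccount -Identity $using:gmsa)) {
        throw "$env:COMPUTERNAME cannot retrieve the gMSA password"
    }
}

# 3. Cluster and file share witness. The CNO (CORP\SQLCLU01$) needs Full Control
#    on the witness share and its folder, otherwise Set-ClusterQuorum fails.
New-Cluster -Name $cluster -Node $nodes -StaticAddress '10.0.10.50' -NoStorage
Set-ClusterQuorum -Cluster $cluster -NodeAndFileShareMajority '\\FS01\ClusterWitness'

# 4. Switch both instances to the gMSA and enable AlwaysOn. SetServiceAccount via
#    SMO grants "Log on as a service" and the SQL-specific ACLs; the password is
#    empty for a gMSA. Enable-SqlAlwaysOn restarts the service.
foreach ($n in $nodes) {
    $mc = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $n
    $mc.Services['MSSQLSERVER'].SetServiceAccount($gmsaSam, '')
    Enable-SqlAlwaysOn -ServerInstance $n -Force
}

# 5. Mirroring endpoints. Both instances run as the same gMSA, but its login still
#    needs CONNECT on the endpoint; Windows authentication, no endpoint certificates.
foreach ($n in $nodes) {
    $ep = New-SqlHadrEndpoint -Name 'Hadr_endpoint' -Port 5022 -Path "SQLSERVER:\SQL\$n\DEFAULT"
    Set-SqlHadrEndpoint -InputObject $ep -State Started
    Invoke-Sqlcmd -ServerInstance $n -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$gmsaSam')
    CREATE LOGIN [$gmsaSam] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [$gmsaSam];
"@
}

# 6. Availability group. Prerequisite: AppDb is in FULL recovery and a full plus a
#    log backup of it have been restored WITH NORECOVERY on SQL02.
$replicas = foreach ($n in $nodes) {
    New-SqlAvailabilityReplica -Name $n -EndpointUrl "TCP://$n.${domain}:5022" `
        -AvailabilityMode SynchronousCommit -FailoverMode Automatic -Version 15 -AsTemplate
}
New-SqlAvailabilityGroup -Name 'AG01' -Path "SQLSERVER:\SQL\$($nodes[0])\DEFAULT" `
    -AvailabilityReplica $replicas -Database 'AppDb'
Join-SqlAvailabilityGroup -Path "SQLSERVER:\SQL\$($nodes[1])\DEFAULT" -Name 'AG01'
Add-SqlAvailabilityDatabase -Path "SQLSERVER:\SQL\$($nodes[1])\DEFAULT\AvailabilityGroups\AG01" -Database 'AppDb'
New-SqlAvailabilityGroupListener -Name $listener -StaticIp '10.0.10.51/255.255.255.0' -Port 1433 `
    -Path "SQLSERVER:\SQL\$($nodes[0])\DEFAULT\AvailabilityGroups\AG01"
```

Two checks worth doing before creating the group: Test-ADServiceAccount must return True on every node (a node that joined the password-retrieval group after its last reboot will fail until its Kerberos ticket is refreshed), and setspn -X must report no duplicates, since a stale MSSQLSvc SPN left on an old service account makes clients fall back to NTLM or fail outright.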

Continue reading

ADCS Enrollment Policy Web Service

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Policy Web Service (CEP) role service on Server Core. The CEP service lets clients retrieve certificate enrollment policy (the templates and Enterprise CAs available to them) when they cannot query a Domain Controller directly, such as external or DMZ-hosted computers, or clients that lack permission to read the policy from Active Directory. Users and computers retrieve enrollment policy from a CEP server over HTTPS (TCP 443).

The CEP service itself reads enrollment policy from Active Directory Domain Controllers over the standard LDAP ports, so the CEP server must be able to reach a DC even though its clients need not. A single CEP server can serve policy for multiple Enterprise Certificate Authorities. Clients need a CEP server before they can use a Certificate Enrollment Web Service (CES) server.

Requirements

  • Administrator privileges on the CEP server.
  • A deployed and functional Enterprise PKI.

Summary Steps

  • Enroll a computer certificate for the CEP server's IIS HTTPS binding.
  • Install the Active Directory Certificate Services role with the Certificate Enrollment Policy Web Service role service.
  • Determine the URI that clients will use to reach the CEP service.
  • Configure Group Policy to point clients at the new CEP server.
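The four steps above as an added PowerShell example (not code from the original guide). It assumes a CEP host named cep.corp.example.com, an Enterprise CA that publishes a WebServer template the host can enroll in, and Kerberos authentication for domain-joined clients; the host name and template name are placeholders. The first three sections run on the Server Core host as an administrator; the last runs on a test client.

```powershell
# Added example, not code from the original guide. Host and template names are
# assumed placeholders.
#Requires -Modules PKI, ServerManager

$cepHost = 'cep.corp.example.com'

# 1. Computer certificate for the IIS HTTPS binding. The DNS SAN must match the
#    name clients will put in the URL, or they will refuse the TLS connection.
$result = Get-Certificate -Template 'WebServer' -DnsName $cepHost -SubjectName "CN=$cepHost" `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$thumbprint = $result.Certificate.Thumbprint

# 2. Install and configure the Certificate Enrollment Policy Web Service role service.
#    Kerberos suits domain-joined clients; UserName or Certificate authentication is
#    what non-domain DMZ machines need, and each type is a separate CEP instance.
Install-WindowsFeature ADCS-Enroll-Web-Pol -IncludeManagementTools
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $thumbprint -Force

# 3. The client-facing URI follows a fixed pattern that encodes the authentication type.
#    With the default ApplicationPoolIdentity the computer account's HOST/ SPN already
#    covers HTTP; only a DNS alias (CNAME) would need an explicit http/<alias> SPN.
$cepUri = "https://$cepHost/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"
Write-Output "Publish this URI to clients: $cepUri"

# 4. The guide rolls the URI out with Group Policy (Computer Configuration > Policies >
#    Windows Settings > Security Settings > Public Key Policies > Certificate Services
#    Client - Certificate Enrollment Policy). To validate on one client before the GPO:
Add-CertificateEnrollmentPolicyServer -Url $cepUri -context Machine -NoClobber
Get-CertificateEnrollmentPolicyServer -Scope All -context Machine   # should list $cepUri
certutil -policycache                                                # shows the cached policy and any download error
```

If the client lists the server but certutil shows no templates, check that the client can resolve and reach the CEP host on 443, that the TLS certificate chains to a CA the client trusts, and that the client's computer account actually has Enroll permission on at least one template; CEP only returns the templates the caller is eligible for.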

Continue reading

ADDS Group Managed Service Accounts

This guide covers the creation and management of Active Directory Domain Services (ADDS) Group Managed Service Accounts (gMSA). A gMSA is a domain account whose password is generated and rotated automatically by the domain (every 30 days by default), much as a computer account's password is. Only the computers or groups listed as principals allowed to retrieve the managed password can fetch it from a Domain Controller, and no human ever sees it. This removes the two usual weaknesses of traditional service accounts: passwords that are rotated infrequently (or never), and a credential that several people know and can reuse.

The steps in this guide can be performed from any domain-joined computer that has the Active Directory PowerShell module (part of RSAT) installed. Interactive access to a Domain Controller is not necessary.

Requirements

  • Domain Administrator, or delegated privileges to create Managed Service Accounts and Security Enabled Groups.
  • A KDS root key in the forest (Add-KdsRootKey, which requires Enterprise Administrator); gMSA passwords are derived from it, and creating a gMSA fails without one.

Summary Steps

  • Create a Security Enabled Group
  • Create a Managed Service Account
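The two steps above, plus the checks that usually trip people up, as an added PowerShell example (not code from the original guide). The group name gMSA-Web-Hosts, the account name gmsa-web and the hosts WEB01 and WEB02 are assumed placeholders; the script needs the ActiveDirectory module and, for the last section, the same module on the target hosts.

```powershell
# Added example, not code from the original guide. Group, account and host names
# are assumed placeholders.
#Requires -Modules ActiveDirectory

$domainDns = (Get-ADDomain).DNSRoot
$group     = 'gMSA-Web-Hosts'
$account   = 'gmsa-web'
$hosts     = 'WEB01', 'WEB02'

# 0. A gMSA password is derived from the forest's KDS root key, so New-ADServiceAccount
#    fails with "Key does not exist" until one is present. Add-KdsRootKey needs
#    Enterprise Admin rights. In production use -EffectiveImmediately and wait the
#    10 hours it takes to become usable on every DC; the backdated EffectiveTime
#    below is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 1. Security group that controls who may retrieve the managed password. Granting a
#    group rather than a list of computers means adding a host later is a membership
#    change, not an edit of the account.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the password of $account"
}
Add-ADGroupMember -Identity $group -Members ($hosts | ForEach-Object { Get-ADComputer $_ })

# 2. The gMSA. DNSHostName is mandatory but does not have to resolve. Restricting
#    KerberosEncryptionType to AES stops RC4 being negotiated for its tickets.
#    The rotation interval can only be set at creation time.
New-ADServiceAccount -Name $account `
    -DNSHostName "$account.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# 3. Install and test on each host. A computer that was added to the group after its
#    last reboot still holds an old Kerberos ticket; Test-ADServiceAccount returns
#    False until the ticket is refreshed (reboot, or "klist -li 0x3e7 purge").
Invoke-Command -ComputerName $hosts -ScriptBlock {
    Install-ADServiceAccount -Identity $using:account
    [pscustomobject]@{ Host = $env:COMPUTERNAME; CanRetrievePassword = (Test-ADServiceAccount -Identity $using:account) }
}

# 4. Audit: exactly which principals can pull this password right now?
(Get-ADServiceAccount $account -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

The audit query in the last line is the one to run periodically: every principal it returns can read the gMSA's current password from a DC, so a stale or over-broad group there is equivalent to a leaked service account credential.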

Continue reading

ADCS Enrollment Web Service with Managed Service Accounts

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service (CES) role service on Server Core, running under a group Managed Service Account (gMSA). The CES proxies certificate requests to a Certificate Authority on behalf of computers that cannot reach the CA directly over the standard DCOM/RPC ports, such as external or DMZ-hosted computers. Users and computers enroll for certificates through a CES server over HTTPS (TCP 443).

A CES instance binds to a single issuing Certificate Authority, so issuing from multiple CAs requires one CES instance per CA (on the same server or on separate servers). CES also requires at least one Certificate Enrollment Policy Web Service (CEP) server, since clients obtain the CES URL from enrollment policy. The CES and CEP roles can coexist on the same system or be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a computer certificate for the CES server's IIS HTTPS binding.
  • Install the Active Directory Certificate Services role with the Certificate Enrollment Web Service role service.
  • Create a group Managed Service Account (gMSA) to run the IIS application pool.
  • Add the gMSA to the local IIS_IUSRS group on the CES server.
  • Register a service principal name (SPN) for the CES URL on the gMSA.
  • Configure the gMSA for Kerberos constrained delegation to the Certificate Authority.
  • Set the CES IIS application pool to run as the gMSA.
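The steps above as an added PowerShell example (not code from the original guide). It assumes a CES host ces.corp.example.com, an issuing CA named "Corp Issuing CA" on ca01.corp.example.com, a gMSA CORP\gmsa-ces$ that already exists with the CES host allowed to retrieve its password (created as in the gMSA guide), the CES application living under "Default Web Site", and Kerberos client authentication; all of those names are placeholders. Run it on the CES host with Enterprise Administrator rights.

```powershell
# Added example, not code from the original guide. Host, CA, account and site names
# are assumed placeholders.
#Requires -Modules PKI, ServerManager, ActiveDirectory, WebAdministration

$cesHost = 'ces.corp.example.com'
$caHost  = 'ca01.corp.example.com'
$caName  = 'Corp Issuing CA'
$gmsa    = 'gmsa-ces'
$gmsaSam = "CORP\$gmsa$"

# 1. HTTPS certificate for the IIS binding; the DNS SAN must match the CES URL.
$r = Get-Certificate -Template 'WebServer' -DnsName $cesHost -SubjectName "CN=$cesHost" `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($r.Status -ne 'Issued') { throw "Enrollment not completed: $($r.Status)" }

# 2. Install the role service bound to one CA. As in the guide, the pool starts under
#    the built-in ApplicationPoolIdentity and is switched to the gMSA in step 6.
Install-WindowsFeature ADCS-Enroll-Web-Svc -IncludeManagementTools
Install-AdcsEnrollmentWebService -CAConfig "$caHost\$caName" -AuthenticationType Kerberos `
    -SSLCertThumbprint $r.Certificate.Thumbprint -ApplicationPoolIdentity -Force

# 3. Make the gMSA usable on this host and give it the rights IIS worker processes need.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) { throw 'This host cannot retrieve the gMSA password' }
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $gmsaSam

# 4. Clients request a ticket for http/<CES host>; that SPN must sit on the pool's identity.
Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{Add = "http/$cesHost"}

# 5. Kerberos constrained delegation. CES submits the request to the CA over DCOM as
#    the calling user, so the gMSA is allowed to delegate only to the CA host's HOST
#    and rpcss services and nothing else. Leave TrustedToAuthForDelegation unset:
#    protocol transition is only needed for UserName or Certificate authentication.
Set-ADServiceAccount -Identity $gmsa -Add @{'msDS-AllowedToDelegateTo' = @("HOST/$caHost", "rpcss/$caHost")}

# 6. Run the CES application pool as the gMSA (empty password) and make Windows
#    authentication decrypt tickets with the pool's credentials rather than the
#    machine account, which is what kernel-mode authentication would use otherwise.
$app  = Get-WebApplication | Where-Object { $_.path -like '*_CES_*' }   # assumed CES app naming
if (-not $app) { throw 'CES web application not found under the default site' }
$pool = $app.applicationPool
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = $gmsaSam; password = '' }
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "Default Web Site$($app.path)" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true
Restart-WebAppPool -Name $pool

# 7. Verify: the pool should be Started under the gMSA, and the delegation list should
#    contain only the two CA services.
Get-Item "IIS:\AppPools\$pool" | Select-Object name, state, @{n='identity'; e={ $_.processModel.userName }}
(Get-ADServiceAccount $gmsa -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

The delegation list is the security-relevant setting here: it is what lets the CES impersonate any caller towards the CA, so it should name only the CA host's HOST and rpcss services, and the gMSA should never be granted unconstrained delegation as a shortcut when enrollment fails. A failure at step 7 is almost always one of three things: the http/ SPN registered on the wrong account, useAppPoolCredentials left false so IIS cannot decrypt the ticket, or the CA's DCOM security not granting the requesting user Request Certificates.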

Continue reading