Managed Service Accounts (MSAs) were introduced to eliminate the overhead of managing and updating passwords for application service accounts. By shifting password management to Active Directory (AD), MSAs ensure that passwords are automatically generated, secured, and rotated every 30 days (by default). Additionally, updating an MSA password does not require a restart of SQL Server. This delegation of password management relieves the DBA/SQL team of the cumbersome task of manually updating service account passwords and restarting SQL Server.
However, MSAs have limitations—they are restricted to a single computer account, making them unsuitable for failover clustered instances where the SQL Server instance can run on any node in the cluster. In large SQL environments, this restriction can result in the creation of numerous MSA objects in AD, adding to administrative overhead.
To address these limitations, Group Managed Service Accounts (gMSAs) were introduced. gMSAs provide the same automated password management benefits as MSAs while allowing multiple SQL Server installations to share a single account. This significantly reduces the number of service account objects in AD and simplifies management in large environments.
Prerequisites:
- Oracle VirtualBox must be downloaded and installed on Windows 10.
- Basic knowledge of Windows Server 2016 or Windows Server 2012 R2.
- Familiarity with SQL Server 2014, 2016, or 2017.
- Understanding of Active Directory.
- A Windows Server 2016 or Windows Server 2012 R2 Domain Controller must be installed and configured.
- SQL Server 2014, 2016, or 2017 database server(s) must be installed and configured.
Instructions
Part 1 – Create the security group and the gMSA
Part 2 – Install Active Directory cmdlets on servers hosting SQL Server
Part 3 – Configure the SQL Server instance to use the gMSA