How to host a service account in Windows Server 2008 R2

2025-01-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces how to host a service account in Windows Server 2008 R2, that is, how to run a service under a managed service account (MSA). It is quite detailed and should be a useful reference, so interested readers are encouraged to read on.

In modern enterprises the computer network is of the highest priority. More and more core business functions, such as e-mail, file sharing and instant messaging, depend on the network architecture. Enterprises deploy an ever wider range of operating systems, business applications, back-end databases and other application systems, and the network architecture grows ever more complex. For an application system to operate normally, what matters beyond its foreground user interface is its background processes and services: only when those run stably can business activity be kept running.

Background processes and services on Windows Server 2008 R2 must run under a specific account. Which account should be specified? We can discuss this by classifying background services:

The first category is services that ship with the operating system, such as the BITS service and the DNS Client service; their purpose is to provide background support for the operating system itself. On Windows there are three special accounts for starting such services, namely:

SYSTEM account: the system account, shown as LocalSystem in some operating system versions. A background process started under the System account has broad access to the local computer, can accept requests from other users and can issue access tokens.

LocalService account: the local service account. It is a built-in local account with minimal privileges that presents anonymous credentials on the network. The LocalService account can generally access resources that LocalService, the Everyone group and Authenticated Users are allowed to access.

Network Service account: the network service account. It is a built-in local account with limited local privileges that can access network resources using the computer's identity. A service running under the Network Service account presents the computer's credentials to remote computers as the environment requires. The Network Service account can generally access resources that Network Service, the Everyone group and Authenticated Users are allowed to access.

The second category is business application services, such as SQL Server services and ERP application services, which provide background support for a particular business application. We generally need to specify a domain account to start such services; under Microsoft's Active Directory architecture this account is usually a domain account, and each enterprise has its own rules for managing domain account passwords.

For example, an enterprise may require that domain user passwords meet the following rules:

The minimum password length is 7 characters.

The password must be changed at least every 42 days.

None of the last three passwords may be reused as the new password.

Obviously a domain account that runs a service must also change its password every 42 days. Once 42 days pass without a change, the old password expires, the service can no longer log on, and it stops working properly.

For administrators, changing service account passwords on a regular schedule is tedious, and the more services and accounts there are, the harder it is to manage. For convenience, some system administrators therefore configure service accounts whose passwords never expire. This avoids the periodic changes and reduces workload, but a password that is never changed increases the risk that it is disclosed.

The managed service account (MSA) in Windows Server 2008 R2 solves this problem. Let's look at how it is implemented.

Managed service account

Because the password of a domain user account that runs a service is hard to manage, the managed service account (Managed Service Account, MSA) was introduced. A managed service account is, as the name says, an account whose management is entrusted to the operating system: the operating system sets, maintains and periodically changes the MSA's password automatically, with no intervention by the administrator, so from the administrator's point of view the account appears to have no password.

The role of the managed service account (MSA)

Managed service accounts isolate services from each other, each with its own automatically managed password.

Reduces TCO by reducing service disruption

Uses one managed service account per service or per server (a service account cannot be shared by multiple computers)

Better SPN management at the Windows Server 2008 R2 domain functional level (the server's SPN is kept up to date when the service account is renamed)

Using a managed service account (MSA)

To configure and use a managed service account (MSA), three steps are needed:

Create the MSA account → install the MSA account → assign the MSA account to the service.

1. Create the MSA account:

The MSA account is created with the New-ADServiceAccount cmdlet of the PowerShell Active Directory module.

After creation you can see the newly created MSAtest account in Active Directory Users and Computers.

2. Install the MSA account

Once the account has been created, it can be installed. To install a managed service account on a Windows Server 2008 R2 member server or a Windows 7 client computer, use the Install-ADServiceAccount cmdlet in PowerShell. The following points are important:

Note:

1) The managed service account (MSA) is supported only on Windows Server 2008 R2 and Windows 7, not on earlier versions of the operating system.

2) A managed service account (MSA) can be installed on only one computer and cannot be shared by multiple computers. This means MSA accounts are not supported for clustered services.

3. Assign the MSA account to the service

Take a Windows Server 2008 R2 member server as an example.

First, open the Services console (expand Configuration > Services), double-click the service to configure in the right pane, and on the Log On tab select "This account" and click "Browse". Navigate to the MSA account created earlier and click OK. The service now runs under the selected MSA account.

Note:

1) By default the Service Control Manager does not allow a service to start under an account with an empty password; the MSA account is the exception. In fact the MSA does have a password, but the administrator never needs to set it.
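As an added end-to-end example (not code from the original article), here are the three steps above in PowerShell, followed by a quick audit of which services already run under an MSA and which domain accounts still have non-expiring passwords. The domain CORP, the member server APPSRV01 and the service MyAppService are placeholder names.

```powershell
# Added example, not the article's own code. Placeholders: domain CORP,
# member server APPSRV01, service MyAppService. Step 1 runs on a domain
# controller (or any host with the ActiveDirectory module) as a domain admin;
# steps 2 and 3 and the audit run on APPSRV01 as a local administrator.
Import-Module ActiveDirectory

# --- Step 1: create the MSA in the domain ---
$msaName = 'MSAtest'
New-ADServiceAccount -Name $msaName -Enabled $true
# Link the MSA to the single computer allowed to install it (one MSA per computer).
Add-ADComputerServiceAccount -Identity 'APPSRV01' -ServiceAccount $msaName

# --- Step 2: install the MSA on the member server (run on APPSRV01) ---
Install-ADServiceAccount -Identity $msaName
# Verify the account exists and is enabled; no password is ever typed by an admin.
Get-ADServiceAccount -Identity $msaName | Select-Object Name, Enabled, SamAccountName

# --- Step 3: make the service log on as the MSA ---
# An MSA is referenced as DOMAIN\name$ with an empty password. Win32_Service.Change
# works on the PowerShell 2.0 that ships with 2008 R2; its 7th and 8th parameters
# are StartName and StartPassword, and $null leaves every other setting untouched.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppService'"
$ret = $svc.Change($null, $null, $null, $null, $null, $null, 'CORP\MSAtest$', '')
if ($ret.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($ret.ReturnValue)" }
# The Services console grants "Log on as a service" when you pick the account
# there; this WMI path may not. If the service fails with a logon failure, grant
# that right to CORP\MSAtest$ in Local Security Policy (User Rights Assignment).
Restart-Service -Name 'MyAppService'

# --- Audit: services whose logon account is an MSA (name ends in $) versus
# --- services still running under ordinary domain user accounts.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and
                   $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)' } |
    Select-Object Name, StartName, @{ n = 'UsesMSA'; e = { $_.StartName -like '*$' } }

# Domain user accounts whose password never expires are exactly the risk the
# article describes; list them as candidates for migration to an MSA.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
    Select-Object SamAccountName
```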

Considerations for managed service accounts (MSA)

Using managed service accounts greatly simplifies the management of internal service accounts, but there are some points to note.

It is critical to grant the MSA the proper access rights.

Permissions are assigned to an MSA just as they are to a user service account.

The SCM grants the MSA the "Log on as a service" right (logonAsService).

An application installer will not let you specify an account without a password. In that case:

install using a standard service account,

give the MSA a copy of that account's permissions,

then change the service in the SCM to use the MSA.

Scheduled jobs cannot be run under a managed service account.

Because an MSA account can be installed on only one computer and cannot be shared by multiple computers, managed service accounts cannot be used with clustered services.

If the domain functional level is Windows Server 2008 R2, the service account's SPN is updated automatically when the service account is renamed.

That is all for the article "How to host a service account in Windows Server 2008 R2". Thank you for reading, and I hope the content is helpful.


© 2024 shulou.com SLNews company. All rights reserved.
