What's new in Active Directory
Tuesday, Nov 28, 2023, 10:00 AM PST
Event details
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, se...
Char_Cheesman
Updated Dec 27, 2024
AndrewPrior, Nov 29, 2023 (Brass Contributor)
Seen the video on migrating a service account to a dMSA. My understanding is that you need the schema updates (89 and 90), but what other requirements would be required if you want to use this on a domain running 2019 with DFL and FFL set at 2016? Do DFL and FFL need to be set to 2025 to use this, and would we require any 2025 domain controllers? If so, would we need just 1 or would the whole domain need to be running 2025 DCs?
- Wayne_McIntyre, Nov 29, 2023 (Microsoft)
DFL/FFL only needs to be at 2016. You will need at least one DC running 2025 per domain. There are also changes to the client auth flow, and those details are still being worked on.
- Kumar, Jul 01, 2024 (Occasional Reader)
To experiment with dMSA, I installed a Windows Server 2025 Preview DC in a domain. I would appreciate your help with a few questions:
1. Do we need to create the dMSA on the server where it is used by the service?
2. Does the server need to be a DC, or can it be a member server?
3. What GPO changes, specifically for Kerberos, are required for dMSA to work and to be able to migrate a legacy service account?
Thank you in advance.
- AndrewPrior, Jul 03, 2024 (Brass Contributor)
Limited testing for this with build 26244. https://learn.microsoft.com/en-us/windows-server/security/delegated-managed-service-accounts/delegated-managed-service-accounts-overview details it, and I tried this out, although I only have a single DC up and running and no member server up to verify that a Windows service running under a previous service account now effectively runs under a dMSA. This is what I did (but accept the caveats listed above):
Created a new bog-standard service account, called it svctest1.
Set up the domain to be able to create managed service accounts (you just do this once):
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Created a dMSA:
New-ADServiceAccount -Name dmsasvctest1 -DNSHostName dmsasvctest1 -CreateDelegatedServiceAccount -KerberosEncryptionType AES256
Start-ADServiceAccountMigration -Identity "dmsasvctest1" -SupersededAccount "CN=svctest1,OU=ServiceAccounts,DC=yourdomain,DC=com"
Complete-ADServiceAccountMigration -Identity "dmsasvctest1" -SupersededAccount "CN=svctest1,OU=ServiceAccounts,DC=yourdomain,DC=com"
You'll note that the original service account is now disabled. You'll also see that there are new attributes populated for the now-disabled service account; they are msDS-ManagedAccountPrecededByLinkBL, msDS-SupersededManagedAccountLink and msDS-SupersededServiceAccountState. If I had a member server available, I could have verified this, but I have not been able to. I think this is the gist of it; refer to that article, as it seems to contain what is required.
- AndrewPrior, Nov 30, 2023 (Brass Contributor)
Thanks, that's good news. If you don't mind, can you elaborate on requiring at least 1 DC per domain? Does this mean the 2025 DC(s) are contacted specifically in relation to using dMSAs, or is it just the fact that the schema updates have to be applied, which would occur as you promote the first DCs in that domain? Yes, this is very good news though. Really appreciate the AD team continuing to provide support and enhancements for the product. I really don't see on-prem AD infrastructure going anytime soon.
- Wayne_McIntyre, Nov 30, 2023 (Microsoft)
2025 DCs are specifically contacted for dMSAs. This of course means it is something that will have to scale over time as you enable more clients to support dMSA.
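As an added example (not code from the thread, and not Microsoft's own documentation), the following PowerShell script ties together the prerequisites Wayne_McIntyre states above (DFL/FFL at 2016 and at least one Windows Server 2025 DC per domain, since dMSA clients contact those DCs specifically) with the migration steps AndrewPrior posted, and then reads back the attributes he mentions to confirm the legacy account was superseded and disabled. The account names and OU path are placeholders borrowed from his test; the `$HostComputer` parameter and its use with `-PrincipalsAllowedToRetrieveManagedPassword` are an assumption added here (his command did not set it), as is pinning the writes to one 2025 DC with `-Server`. Run it from a host with the ActiveDirectory RSAT module, with `-WhatIf` first, against a lab domain.

```powershell
<#
  Added example: not from the thread or from Microsoft's docs.
  Assumes the ActiveDirectory module with the 2025-era dMSA cmdlets, a
  reachable Windows Server 2025 DC, and an existing legacy service account.
  Every name below is a placeholder; the host-computer handling is an assumption.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # DN of the legacy (user) service account to supersede (placeholder from the thread).
    [string]$LegacyAccountDN = 'CN=svctest1,OU=ServiceAccounts,DC=yourdomain,DC=com',
    # Name of the dMSA to create (placeholder from the thread).
    [string]$DmsaName = 'dmsasvctest1',
    # Assumption: computers allowed to retrieve the managed password. Optional here.
    [string[]]$HostComputer = @()
)

$ErrorActionPreference = 'Stop'
$domain = Get-ADDomain
$forest = Get-ADForest

# --- 1. Prerequisites stated in the thread ---------------------------------

# DFL/FFL must be at least Windows Server 2016; raising to 2025 is not required.
$minDfl = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$minFfl = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ([int]$domain.DomainMode -lt $minDfl) {
    throw "Domain functional level is $($domain.DomainMode); Windows2016Domain or higher is required."
}
if ([int]$forest.ForestMode -lt $minFfl) {
    throw "Forest functional level is $($forest.ForestMode); Windows2016Forest or higher is required."
}

# At least one Windows Server 2025 DC in this domain. dMSA clients talk to these
# DCs specifically, so capacity has to grow as more clients are enabled.
$dc2025 = @(Get-ADDomainController -Filter 'OperatingSystem -like "*2025*"' -Server $domain.DNSRoot)
if ($dc2025.Count -eq 0) {
    throw "No Windows Server 2025 domain controller found in $($domain.DNSRoot)."
}
Write-Verbose "2025 DCs: $($dc2025.HostName -join ', ')"
$targetDC = $dc2025[0].HostName   # assumption: pin this run's writes to one 2025 DC

# --- 2. KDS root key (one-time per forest for any managed service account) --
if (-not (Get-KdsRootKey)) {
    if ($PSCmdlet.ShouldProcess('KDS root key', 'Create with 10-hour backdate (LAB ONLY)')) {
        # The backdate skips the replication wait, as in the thread. In production use
        # -EffectiveImmediately and wait the 10 hours so every DC holds the key.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }
}

# --- 3. Create the dMSA, AES-256 only, as in the thread ---------------------
$newParams = @{
    Name                          = $DmsaName
    DNSHostName                   = "$DmsaName.$($domain.DNSRoot)"
    CreateDelegatedServiceAccount = $true
    KerberosEncryptionType        = 'AES256'
    Server                        = $targetDC
}
if ($HostComputer.Count -gt 0) {
    # Assumption: restrict password retrieval to the hosts that run the service.
    $newParams.PrincipalsAllowedToRetrieveManagedPassword = $HostComputer
}
if ($PSCmdlet.ShouldProcess($DmsaName, 'New-ADServiceAccount (dMSA)')) {
    New-ADServiceAccount @newParams
}

# --- 4. Migrate: link the dMSA to the legacy account, then finalize ---------
if ($PSCmdlet.ShouldProcess($LegacyAccountDN, "Migrate to dMSA $DmsaName")) {
    Start-ADServiceAccountMigration    -Identity $DmsaName -SupersededAccount $LegacyAccountDN
    Complete-ADServiceAccountMigration -Identity $DmsaName -SupersededAccount $LegacyAccountDN
}

# --- 5. Verify the outcome the thread describes ------------------------------
# After Complete-, the legacy account should be disabled and carry the link attributes.
$legacy = Get-ADUser -Identity $LegacyAccountDN -Server $targetDC -Properties Enabled,
    'msDS-SupersededManagedAccountLink', 'msDS-SupersededServiceAccountState',
    'msDS-ManagedAccountPrecededByLinkBL'

[pscustomobject]@{
    LegacyAccount    = $legacy.DistinguishedName
    LegacyEnabled    = $legacy.Enabled                                  # expect False
    SupersededByDmsa = $legacy.'msDS-SupersededManagedAccountLink'      # expect the dMSA's DN
    SupersededState  = $legacy.'msDS-SupersededServiceAccountState'
    PrecededByLinkBL = $legacy.'msDS-ManagedAccountPrecededByLinkBL'
}
if ($legacy.Enabled) {
    Write-Warning 'Legacy account is still enabled; the migration did not complete.'
}
```

The functional-level and 2025-DC checks are per domain, so repeat them in every domain where you intend to migrate accounts. The backdated KDS root key is the same lab shortcut AndrewPrior used; on a multi-DC domain it can leave some DCs without the key until replication catches up, which is why the production path is `-EffectiveImmediately` plus the wait.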