What's new in Active Directory
Event Ended
Tuesday, Nov 28, 2023, 10:00 AM PST
Event details
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, se...
Char_Cheesman
Updated Dec 27, 2024
Wayne_McIntyre
Nov 29, 2023, Microsoft
DFL/FFL needs to only be at 2016. You will need at least one DC running 2025 per domain. There are also changes to the client auth flow, and those details are still being worked on.
Kumar
Jul 01, 2024, Occasional Reader
To experiment with dMSA, I installed Windows Server 2025 Preview DC in a domain. I would appreciate your help with a few questions:
1. Do we need to create dMSA on a server where it is used by the service?
2. Does the server need to be a DC, or can it be a member server?
3. What GPO changes, specifically for Kerberos, are required for dMSA to work and be able to migrate a legacy service account?
Thank you in advance.
AndrewPrior
Jul 03, 2024, Brass Contributor
Limited testing for this with build 26244. https://learn.microsoft.com/en-us/windows-server/security/delegated-managed-service-accounts/delegated-managed-service-accounts-overview details it and I tried this out, although I only have a single DC up and running and no member server up to verify that a Windows service running a previous service account now effectively runs under a dMSA. This is what I did (but accept the caveats listed above):

Created a new bog-standard service account, called it svctest1.

Set up the domain to be able to create managed service accounts (you just do this once):
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Created a dMSA:
    New-ADServiceAccount -Name dmsasvctest1 -DNSHostName dmsasvctest1 -CreateDelegatedServiceAccount -KerberosEncryptionType AES256

Started and completed the migration:
    Start-ADServiceAccountMigration -Identity "dmsasvctest1" -SupersededAccount "cn=svctest1,ou=serviceaccounts,dc=yourdomain,dc=com"
    Complete-ADServiceAccountMigration -Identity dmsasvctest1 -SupersededAccount "cn=svctest1,ou=serviceaccounts,dc=yourdomain,dc=com"

You'll note that the original service account is now disabled. You'll also see that there are new attributes populated for the now-disabled service account; they are msDS-ManagedAccountPrecededByLinkBL, msDS-SupersededManagedAccountLink and msDS-SupersededServiceAccountState. If I had a member server available, I could have verified this, but I have not been able to. I think this is the gist of it; refer to that article, as it seems to contain what is required.
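As an added example, not part of AndrewPrior's post or the linked article: a PowerShell check that reads back the state the post describes after Complete-ADServiceAccountMigration, so the cut-over can be reviewed rather than assumed. It assumes the names from the post (dmsasvctest1 and the svctest1 DN, which is a placeholder domain), the RSAT ActiveDirectory module on a domain-joined admin host, and that Get-ADServiceAccount returns dMSA objects on Server 2025.

```powershell
# Added verification example (not from the thread). Assumes the account names used in the
# post above and the RSAT ActiveDirectory module; adjust the DN for your domain.
Import-Module ActiveDirectory

function Test-DmsaMigration {
    param(
        [Parameter(Mandatory)] [string] $DmsaName,
        [Parameter(Mandatory)] [string] $SupersededAccountDN
    )

    # Attributes the post reports being populated on the now-disabled legacy account.
    $legacyProps = @('Enabled',
                     'msDS-ManagedAccountPrecededByLinkBL',
                     'msDS-SupersededManagedAccountLink',
                     'msDS-SupersededServiceAccountState')
    $legacy = Get-ADUser -Identity $SupersededAccountDN -Properties $legacyProps
    $dmsa   = Get-ADServiceAccount -Identity $DmsaName -Properties Enabled, KerberosEncryptionType

    # Each check is something a reviewer would want true before trusting the migration.
    $checks = [ordered]@{
        'Legacy account is disabled'          = (-not $legacy.Enabled)
        'Legacy account links to the dMSA'    = ($legacy.'msDS-SupersededManagedAccountLink' -eq $dmsa.DistinguishedName)
        'Legacy back-link to the dMSA is set' = ($null -ne $legacy.'msDS-ManagedAccountPrecededByLinkBL')
        'Superseded state attribute is set'   = ($null -ne $legacy.'msDS-SupersededServiceAccountState')
        'dMSA is enabled'                     = [bool]$dmsa.Enabled
        'dMSA is restricted to AES256'        = ("$($dmsa.KerberosEncryptionType)" -eq 'AES256')
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $status, $name)
    }
    # The thread does not document the meaning of the state value, so it is reported
    # for the record rather than interpreted.
    Write-Output ("msDS-SupersededServiceAccountState = {0}" -f $legacy.'msDS-SupersededServiceAccountState')

    return -not ($checks.Values -contains $false)
}

# Names taken from the post; the DN uses the post's placeholder domain.
Test-DmsaMigration -DmsaName 'dmsasvctest1' `
                   -SupersededAccountDN 'cn=svctest1,ou=serviceaccounts,dc=yourdomain,dc=com'
```

Run it from a host that can reach a 2025 DC; a FAIL on the "disabled" or "links to the dMSA" rows means the legacy account is still usable and the migration should not be treated as complete.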