A small problem with Managed Service Accounts
I am very fortunate to always have the latest versions of Microsoft stuff to play with such as SQL Server 2008 R2, but occasionally something doesn’t work, and so I need to tell the relevant product team what the problem is.
In this case I was trying to get the SQL Server 2008 R2 November CTP to run with the new Managed Service Accounts in Windows Server 2008 R2 Active Directory. They are a bit like the NT AUTHORITY\LocalService account in that you don't have to supply a password to the service, but they are a totally different beast in that they are domain accounts designed to run services such as IIS 7.5. Essentially the passwords are generated and rotated automatically by Active Directory (nobody ever knows them), and the accounts are designed for use with Kerberos. For more on this have a look at this article on TechNet.
However, they are so new that there is no way to create one without using PowerShell (with the Active Directory module loaded):
New-ADServiceAccount SQLService
Then you tell AD which computer is allowed to use the account, in this case the server SQL08R2DEMO:
Add-ADComputerServiceAccount -Identity SQL08R2DEMO -ServiceAccount SQLService
Finally, on that computer itself, you install the account locally so the host can retrieve its password:
Install-ADServiceAccount -Identity SQLService
Now you can see this account in Active Directory under the new Managed Service Accounts container.
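The three steps above as one script, together with the checks you would run before pointing any service at the account. This is an added example, not code from the original post; the names SQLService and SQL08R2DEMO are the post's own, the comments about where each part must run and the Windows Server 2012 switch are my additions, and the two verification cmdlets (Get-ADComputer, Test-ADServiceAccount) are not in the post.

```powershell
# Added example: standalone Managed Service Account, end to end.
# Part 1 runs where the ActiveDirectory module is available (a DC or an RSAT box);
# part 2 MUST run on the target host, because Install-ADServiceAccount is local.

# ----- Part 1: on a DC / RSAT machine -----
Import-Module ActiveDirectory

# Create the MSA. AD appends the '$' suffix itself (sAMAccountName = SQLService$);
# you never see or type its password.
# On Windows Server 2012 and later add -RestrictToSingleComputer, otherwise the
# cmdlet creates a group MSA, which needs a KDS root key to exist first.
New-ADServiceAccount -Name SQLService -Enabled $true

# Link the account to the one computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity SQL08R2DEMO -ServiceAccount SQLService

# Check: the link is stored as the DN of the MSA in msDS-HostServiceAccount
# on the computer object. Expect one DN under CN=Managed Service Accounts.
(Get-ADComputer -Identity SQL08R2DEMO -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'

# ----- Part 2: on SQL08R2DEMO itself -----
Import-Module ActiveDirectory

# Cache the account on this host so its services can log on as it.
Install-ADServiceAccount -Identity SQLService

# Check: $true means this host can retrieve the password and log on as the MSA.
# $false usually means the Add-ADComputerServiceAccount step was skipped or
# Install-ADServiceAccount was run on the wrong machine.
Test-ADServiceAccount -Identity SQLService
```

When you later type the account into a service's Log On tab you give it as DOMAIN\SQLService$ with the password field left blank; the '$' is the reason the account is found, and the blank password is the whole point of the feature.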
I can now use an account like this to run IIS by going into Services and running the IIS service under the new account (note you don't supply a password for this account).
However, when I try to use it to run a SQL Server service, it doesn't show up in SQL Server Configuration Manager, which doesn't see this kind of account at all even though you can browse the Managed Service Accounts container. Of course, if I go into Services proper I can change the SQL Server services to use it...
but that is not supported, as it will foul up the permissions needed to do things like backup. BTW, I didn't supply the dollar sign suffix.
So I have found something wrong and now I need to tell someone to fix it. The place where you do that for Microsoft stuff, irrespective of whether or not you work for them, is Connect (https://www.connect.microsoft.com).
You register suggestions and bugs by first searching to see if it's there already, and then you can create your own.
Here's that bug, and notice that no one's voted on it yet. Votes are primarily there to influence feature requests, but bear in mind that what you or I consider to be a bug may be there by design, and so could in fact really be a feature request. Anyway, the more votes there are, coupled with the severity of the problem, the more likely it is to be fixed.
So if you think something needs to be changed then use the site, as the product teams are pretty good but are not known for their telepathic abilities.
In the meantime I hope that this gets fixed for the release of SQL Server 2008 R2.
Update 28 November 2011
Managed Service Accounts didn't get supported in SQL Server 2008 R2, but they are a feature of SQL Server 2012 as per this TechNet article. The method is exactly the same.
Comments
Anonymous
November 17, 2009
Doing it in the services applet is fine if you then go and add the account to the local group that is set up for SQL. It's the really long group name like *SQLServer2005MSSQLUser$ONARC-VHST02$SQL2005

Anonymous
November 23, 2009
Simon, yep, that'll work; it's just that, like a few things around the edges of SQL Server, it's not supported.
Andrew

Anonymous
February 21, 2010
Hi, there! I'm also trying new things out. Now I follow this walkthrough on installing SharePoint 2010 on my machine: http://andreasglaser.net/post/2009/11/18/Installing-SharePoint-Server-2010-on-Windows-Server-2008-R2-and-SQL-Server-2008-R2-Part-7-SQL-Server-2008-R2-installation-and-configuration.aspx After googling a lot, I left the NT Authority\System account for the SQL Server Agent account. When using <mydomain>\SqlServiceAccount$ (created with the "New-ADServiceAccount" command), the SQL Server 2008 R2 installation stops me with the error: "The specified credentials for the sql server agent service are not valid. to continue provide a valid account and password for the Sql Server Agent Service". Am I going to experience any problems when I change the account from the Services Console to a managed service account, not regarding backup?!

Anonymous
February 21, 2010
Am I going to experience any problems, not regarding backup, if I use the Services applet to change to a service account?! I'm trying to install SharePoint 2010 from this walkthrough: http://andreasglaser.net/post/2009/11/18/Installing-SharePoint-Server-2010-on-Windows-Server-2008-R2-and-SQL-Server-2008-R2-Part-7-SQL-Server-2008-R2-installation-and-configuration.aspx , but everything (incl. Active Directory) is on one machine?!

Anonymous
May 04, 2010
Now that SQL Server 2008 R2 is RTM, is there anything new on this? Would like to be able to directly specify a managed service account in SQL Server setup.

Anonymous
May 12, 2010
Any update on the bug report? I'm having the same problem, can't use a managed service account in SQL 2008 R2 setup....

Anonymous
May 16, 2010
Looks like managed service accounts still aren't supported for SQL Server as per http://technet.microsoft.com/en-us/library/ff641729(WS.10).aspx However there is no clear reason why not, given that Exchange and IIS both make use of this new feature.
Andrew

Anonymous
June 01, 2012
I was also able to add it to the groups for SQL Server and change the service account in services.msc and was able to run it successfully, except that it broke replication. I added the MSA to a group and added the group to all of the permissions necessary for transactional replication but it still failed to run the replication job successfully, so I'm assuming there are still issues in 2008 R2.