Question

I am setting up a brand new SQL 2017 installation. I want to set up and use gMSA(s) for the Service Accounts. What are the best practices for SQL Server? Should I use individual gMSAs for each service? Should there be individual gMSAs for each server or instance or site?

I have read the following and several other articles and posts:

  1. Follow best practices described here: https://docs.microsoft.com/en-us/sql/sql-server/install/security-considerations-for-a-sql-server-installation?view=sql-server-2017
  2. Consider the use of Managed Service Accounts and Group Managed Service Accounts described here:

Any help that you can offer would be awesome.

Solution

We have created gMSAs for SQL Agent, Database Engine, Analysis Services and Integration Services. I recommend the following:

MICROSOFT SQL SERVER 2016 INSTALLATION USING GMSA (GROUP MANAGED SERVICE ACCOUNTS) – PART I

Also, make sure that you follow:

Using a gMSA with SQL Server

This will help you escape the pitfall of restarting the server.

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange