
Network World

Glenn Weadock

Automatic SPN Management and Server 2008 R2

Simplifying the management of service accounts

By Glenn Weadock on Wed, 10/14/09 - 5:31pm.

As we continue to chat about some of the benefits of Server 2008 R2, I thought we could take a couple of minutes to mention Automatic SPN Management, one of the features that arrive with the new managed service accounts. Automatic SPN Management takes effect once you raise the Domain Functional Level (DFL) to Windows Server 2008 R2, which in turn requires that every domain controller in the domain run the new OS. (You can create and use managed service accounts at the Server 2008 or even Server 2003 DFL, as long as the Server 2008 R2 schema extensions have been applied with ADPREP, and the host computer still rotates the account's password on its own at any DFL. What you do not get below the Server 2008 R2 DFL is automatic SPN management: the SPNs on the account have to be registered and updated by hand, with setspn or Set-ADServiceAccount.)

SPN stands for “Service Principal Name.” Kerberos requires an SPN to be registered on the account under which a service runs so that clients can request a ticket for that service, which is why SPNs come up whenever you set up a service account for an application such as SQL Server. Before Server 2008 R2, if you wanted to run such an application under a domain account, you also had to come up with some way to manage that account's password: either it was never changed, or someone changed it by hand in Active Directory and in the service control manager at the same time. A managed service account is a domain account tied to a single computer and used only to run services on that computer. The computer generates and rotates the password itself (a random 240-byte password, changed every 30 days by default on the same schedule as the computer account password), so nobody ever has to know it, type it, or reset it. At the Server 2008 R2 DFL the SPNs on the account are also maintained automatically when the host computer's name or DNS host name changes, so SPN upkeep no longer has to be delegated to an administrator with write access to the account.

The managed service account is a new object class in the Active Directory schema, msDS-ManagedServiceAccount, which is derived from the computer class and therefore carries attributes of both computer and user accounts. In Server 2008 R2 a managed service account can be linked to only one computer at a time (so it cannot serve a service that fails over between cluster nodes), it cannot be used for interactive logons, and, like a computer account, its logon name ends in a dollar sign and is given to the service control manager with a blank password. Once created, the accounts appear in the Managed Service Accounts container in Active Directory Users and Computers after you turn on the Advanced Features view option.

You may also see the term “virtual accounts.” These are the local counterpart to managed service accounts: a service configured to run as NT SERVICE\<service name> gets an account that the operating system creates on the fly, with no password to manage and no object in the domain at all. When a virtual account reaches out to the network it authenticates as the computer account (DOMAIN\COMPUTERNAME$), so permissions on remote resources are granted to the computer, not to the individual service.
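Putting the managed service account and virtual account pieces together, here is the whole procedure as an added PowerShell example (not code from the original post): create the account, link it to its host, install it on the host, point a service at it, verify the result, and finally configure a service to use a virtual account instead. The domain corp.example, the computer SQL01, the account svc-sql01 and the service names MSSQLSERVER and MyAgent are placeholders chosen for illustration. It assumes the Active Directory module for Windows PowerShell (from RSAT) on a Windows 7 or Server 2008 R2 machine, rights to create objects in the Managed Service Accounts container, and local administrator rights on the host for the steps marked as running there.

```powershell
# Added example: a Server 2008 R2 managed service account from creation to a
# running service. All names (corp.example, SQL01, svc-sql01, MSSQLSERVER,
# MyAgent) are placeholders, not values from the original post.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$netbios  = (Get-ADDomain).NetBIOSName            # e.g. CORP
$msaName  = 'svc-sql01'
$hostName = 'SQL01'

# 1. Automatic SPN management needs the Server 2008 R2 domain functional level;
#    below that the account still works, but SPNs are maintained by hand (step 4).
$autoSpn = (Get-ADDomain).DomainMode -eq 'Windows2008R2Domain'

# 2. Create the msDS-ManagedServiceAccount object (from any admin workstation).
#    On Server 2012 and later add -RestrictToSingleComputer to get the same
#    single-host account rather than a group managed service account.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Path "CN=Managed Service Accounts,$domainDN"

# 3. Link the account to its one host. This sets msDS-HostServiceAccount on the
#    computer object, which is what entitles that computer to fetch the password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 4. Without the 2008 R2 DFL, register the SPN yourself (setspn -S works too).
if (-not $autoSpn) {
    Set-ADServiceAccount -Identity $msaName `
        -ServicePrincipalNames @{ Add = 'MSSQLSvc/sql01.corp.example:1433' }
}

# --- Steps 5 to 8 run ON the host computer (SQL01) as a local administrator. ---

# 5. Install the account locally: the computer retrieves the password from AD,
#    stores it in its LSA secrets, and from now on drives the 30-day rotation.
Install-ADServiceAccount -Identity $msaName

# 6. Point the service at the account. Note the trailing $ on the logon name and
#    the empty password: the service control manager gets the secret from LSA.
sc.exe config MSSQLSERVER obj= "$netbios\$msaName`$" password= ""
Restart-Service -Name MSSQLSERVER

# 7. Verify the host link, the SPNs, and that the password really is rotating
#    (PasswordLastSet should move forward on its own roughly every 30 days).
Get-ADServiceAccount -Identity $msaName `
    -Properties 'PasswordLastSet', 'ServicePrincipalNames', 'msDS-HostServiceAccountBL' |
    Format-List 'Name', 'PasswordLastSet', 'ServicePrincipalNames', 'msDS-HostServiceAccountBL'

# 8. Virtual account equivalent for a purely local service: no domain object at
#    all. The logon name must be NT SERVICE\<service name>; on the network this
#    service is seen as the computer account, $netbios\SQL01$.
sc.exe config MyAgent obj= "NT SERVICE\MyAgent" password= ""
Restart-Service -Name MyAgent
```

A useful habit after step 7 is to run the same Get-ADServiceAccount query a month later: if PasswordLastSet has not advanced, the host is no longer rotating the password (typically because the account was uninstalled or the link in step 3 was removed), and the service will stop authenticating as soon as the stale password is rejected. Because the account's password never leaves the host's LSA, a compromised service account here is limited to that one computer, which is exactly the property that cluster nodes lose and why 2008 R2 does not allow sharing one managed service account across hosts.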

About Glenn Weadock on Windows Server 2008

Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.
