I am currently reading http://technet.microsoft.com/de-de/library/jj128431.aspx and I do not understand the purpose of the -DNSHostName parameter. Why does a gMSA need a DNS host name?
Hi,
Thank you for your posting.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Best Regards,
Amy
Hi,
The -DNSHostName parameter defines the host that uses the managed service account.
You could check the following post to learn details:
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
Regards, Brian
Hi Brian,
Thanks for your reply. However, I don't think it is correct. A gMSA may be used by a group of computer accounts defined by the parameter PrincipalsAllowedToRetrieveManagedPassword.
Also, the linked article does not explain the DNSHostName parameter. Plus, the DNSHostName used in the example does not represent a computer or computer account.
Regards,
Monster
DNSHostName is the computer that will use the MSA; you could do this on multiple computers. The group name is defined by PrincipalsAllowedToRetrieveManagedPassword.
You could open up a Support ticket to confirm this point.
Regards, Brian
If so, then what happens if I want to use it on multiple computers (members of the group defined by PrincipalsAllowedToRetrieveManagedPassword)? Do I run the command defining the DNSHostNames of all the computers? If so, then what is the purpose of the group anyway? If not, then what is the purpose of DNSHostName?!
Yes, modify the DNSHostName if you want an additional host to use the MSA. That's why we call it gMSA; an sMSA is one account for one host only. Adding these hosts to a group makes management more convenient.
Regards, Brian
Hi Brian, it is not the DNSHostName of the host where you want to use it. In all documentation, even Microsoft's own, the service name is used as the DNSHostName.
//EDIT:
http://technet.microsoft.com/en-us/library/jj128431.aspx
Here you can see it is stated as "DNS host name of Service".
Kind Regards,
Peter
- Edited by Peter Baumert Tuesday, July 22, 2014 1:31 PM added link
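An added example (not code from this thread or from Microsoft's documentation) that follows the wording of the linked TechNet page, where the parameter is described as the DNS host name of the service: the gMSA carries the DNS name the service is reached under, while the computers permitted to read its password are listed through a group. The domain, service name, host names and group name are constructed placeholders.

```powershell
# Added example; all names are constructed placeholders (domain corp.example,
# service "WebSvc" reached as websvc.corp.example, hosts WEB01 and WEB02).
Import-Module ActiveDirectory

# 1. A gMSA needs a KDS root key in the forest; check before creating the account.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key found; create one with Add-KdsRootKey before using gMSAs."
}

# 2. The hosts allowed to retrieve the password are expressed as a group, not
#    through -DNSHostName. Keep the group to exactly the machines that run the
#    service: every member can read the account's password.
$group = New-ADGroup -Name 'WebSvc-Hosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $group -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. -DNSHostName is the DNS name the service is reached under (the TechNet page's
#    "DNS host name of service"), here a constructed alias shared by both hosts.
#    It fills the account object's dNSHostName attribute and pairs with the SPNs
#    clients will request tickets for.
New-ADServiceAccount -Name 'WebSvc' `
    -DNSHostName 'websvc.corp.example' `
    -ServicePrincipalNames 'HTTP/websvc.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES256

# 4. Verify what was actually written: which DNS name the object carries and
#    who may read the password.
Get-ADServiceAccount -Identity 'WebSvc' -Properties DNSHostName,
    PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# 5. On each member host, after a reboot (so the host's group membership is
#    reflected in its Kerberos ticket), install and test the account:
#    Install-ADServiceAccount -Identity 'WebSvc'
#    Test-ADServiceAccount -Identity 'WebSvc'   # True only on a host allowed to retrieve the password
```

Test-ADServiceAccount returning False on a host that is in the group is the usual sign that the host's ticket predates its group membership.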
I can't tell you where or what it is used for, because I have simply never seen it being used. I guess the reason it is there is that the "Managed Service Account" is kind of a child object of a Computer Account and inherits its properties from that one.
But as I said this is just a guess ;)
Kind Regards,
Peter
This is not an answer, Moderator.
-DNSHostName should be the FQDN of the DC that holds the KDS master key (msKds-ProvRootKey).
Most likely you have already created that one; take a look at the Group Key Distribution Service container in the Configuration partition of your AD forest.
And probably you could use any DC in that forest as long as you set their names in -PrincipalsAllowedToRetrieveManagedPassword.
All of the above applies to the "new" gMSA, so if you wish to use the old MSA instead, just forget about -DNSHostName, since it is not required then, and simply use -RestrictToSingleComputer, locking the account to some server.
Hope that helps.