Friday, August 31, 2018

Managed Service Account Creation on Windows Server 2012 R2



In AD DS, MSAs are stored under CN=Managed Service Accounts,DC=<domain>,DC=<com>

Example: CN=Managed Service Accounts,DC=Contoso,DC=com


1)      Open the PowerShell console with administrator privileges.

2)      To create the service account, run:
New-ADServiceAccount -Name <MSA_Name> -DNSHostName <DNS name of Domain_Controller>
Example in my lab:
New-ADServiceAccount -Name ADCSFSSVC -DNSHostName DC1.Contoso.Com

When executing the above command for the first time, you will get an error:

New-ADServiceAccount : Key does not exist
At line:1 char:1
+ New-ADServiceAccount -Name ADCSFSSVC -DNSHostName dc1;

The error means no KDS root key exists yet in the domain. To create the KDS root key in my test environment so that it is effective immediately:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

In production, use the command below and wait until replication to the other DCs has completed before creating the account.
Add-KdsRootKey -EffectiveImmediately

Now the command below runs successfully.

3)      New-ADServiceAccount -Name ADCSFSSVC -DNSHostName DC1.Contoso.Com

Next, associate the MSA with the computer object of the host that will use it:

4)      Add-ADComputerServiceAccount -Identity <Host_Computer_Name> -ServiceAccount <MSA_Name>

In my lab environment, I associate it with the computer ADCSFS:

5)      Add-ADComputerServiceAccount -Identity ADCSFS -ServiceAccount ADCSFSSVC

Then the MSA needs to be installed on the host computer ADCSFS, where the service account is going to be configured.

If the server is not a domain controller, follow these steps first:

  • Open the PowerShell console with administrator privileges.
  • Run the Import-Module ServerManager cmdlet.
  • Run Add-WindowsFeature RSAT-AD-PowerShell to install the Active Directory module for Windows PowerShell.
  • Close and re-open the PowerShell console with administrator privileges.
  • Run the Import-Module ActiveDirectory cmdlet.


6)      Set-ADServiceAccount -Identity ADCSFSSVC -PrincipalsAllowedToRetrieveManagedPassword 'ADCSFS$'
7)      Install-ADServiceAccount -Identity ADCSFSSVC

After that, the Managed Service Account is visible in AD.
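The whole procedure above, gathered into one script as an added example (this is not the original post's code). The names ADCSFSSVC, ADCSFS and DC1.Contoso.Com are the post's lab values; the function names and the -Lab switch are assumptions made for this example. The first function is meant to be run on a domain controller as a domain admin; the second on the host computer itself once the ActiveDirectory module is available there. The example goes slightly beyond the post by checking for an existing KDS root key and account before creating them, and by verifying the result with Test-ADServiceAccount.

```powershell
# Added example; hypothetical function names, lab values taken from the post.
Import-Module ActiveDirectory

# Run on a domain controller. Creates the KDS root key (if missing), the MSA,
# the computer association, and restricts password retrieval to the one host.
function New-LabManagedServiceAccount {
    param(
        [string]$MsaName      = 'ADCSFSSVC',
        [string]$HostComputer = 'ADCSFS',
        [string]$DnsHostName  = 'DC1.Contoso.Com',
        [switch]$Lab          # assumption: back-date the key only in a lab
    )

    # Without a KDS root key, New-ADServiceAccount fails with "Key does not exist".
    if (-not (Get-KdsRootKey)) {
        if ($Lab) {
            # Lab only: back-dated effective time makes the key usable at once.
            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
        } else {
            # Production: create the key, then wait for replication before continuing.
            Add-KdsRootKey -EffectiveImmediately | Out-Null
        }
    }

    # Create the account only if it does not already exist.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
        New-ADServiceAccount -Name $MsaName -DNSHostName $DnsHostName
    }

    # Associate the MSA with the host's computer object.
    Add-ADComputerServiceAccount -Identity $HostComputer -ServiceAccount $MsaName

    # Least privilege: only this host's computer account may retrieve the password.
    Set-ADServiceAccount -Identity $MsaName `
        -PrincipalsAllowedToRetrieveManagedPassword "$HostComputer`$"

    # Return the resulting object so the operator can confirm the settings.
    Get-ADServiceAccount -Identity $MsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
}

# Run on the host computer (ADCSFS). Installs the MSA locally and verifies that
# this machine can actually retrieve the managed password.
function Install-LabManagedServiceAccount {
    param([string]$MsaName = 'ADCSFSSVC')

    Install-ADServiceAccount -Identity $MsaName

    # Test-ADServiceAccount returns $true when the host can use the account.
    $ok = Test-ADServiceAccount -Identity $MsaName
    if (-not $ok) {
        throw "Host cannot retrieve the managed password for $MsaName; check the computer association and PrincipalsAllowedToRetrieveManagedPassword."
    }
    return $ok
}

# Usage (lab):
#   On DC1:    New-LabManagedServiceAccount -Lab
#   On ADCSFS: Install-LabManagedServiceAccount
```

In production, leave out -Lab and run Install-LabManagedServiceAccount only after the KDS root key has replicated to every domain controller; a failed Test-ADServiceAccount on the host is the quickest way to tell that either the key is not yet usable or the computer account is not among the principals allowed to retrieve the password.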