It appears there is a bug (or an undocumented limit) in the Windows Server 2008 R2 managed service account PowerShell cmdlets: an account whose name is longer than 15 characters can be created, but it cannot be installed on a member server.
First, let's create a managed service account called SVC_SQL01_LongName using PowerShell. The account name is 18 characters long. You can run the following command on a Windows Server 2008 R2 domain controller, or on a 2008 R2 member server that has the Active Directory Module for PowerShell installed. Make sure the PowerShell console you open has the AD module loaded. One caveat before running it: -TrustedForDelegation $True enables unconstrained Kerberos delegation for the account, which a SQL Server service account does not need; leave it off unless the service genuinely requires it.
New-ADServiceAccount SVC_SQL01_LongName -Enabled $true -Path "CN=Managed Service Accounts,DC=contoso,DC=net" -ServicePrincipalNames "MSSQLSVC/SQL01.contoso.net:1433" -TrustedForDelegation $True
Great, the account is created. Now here comes the problem. Log on to the Server 2008 R2 member server that will use the service account, say your SQL server. If that member server doesn't have the AD PowerShell module, run the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Then close your PowerShell session and, from Administrative Tools, open an Active Directory Module for Windows PowerShell console and type:
Install-AdServiceAccount SVC_SQL01_LongName
It will fail with:
Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.
At line:1 char:25
+ install-adserviceaccount <<<< -identity SVC_SQL01_LongName
    + CategoryInfo          : WriteError: (SVC_SQL01_LongName:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount
Doh, not good. The NTSTATUS value 0xC0000017 is STATUS_NO_MEMORY, which says nothing useful about the real cause. Now create another managed service account with a shorter name, 15 characters long, called SVC_001_SQL01_D. Run Install-ADServiceAccount again, and there are no error messages.
I don't know if this is by design, or a bug that will be corrected in a future service pack. Until then, just make sure all of your managed service accounts have names of 15 characters or less. My guess is that it is related to the NetBIOS maximum name length of 15 characters: an MSA is a computer-style object whose sAMAccountName is the name plus a trailing $, and its password is rotated through the same machine-account path, so the computer-name limit would apply even though New-ADServiceAccount itself does not enforce it.
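The following is an added example, not code from the original post: a small PowerShell wrapper that enforces the 15-character limit before the account is created, creates the MSA without unconstrained delegation, and audits the domain for existing MSAs that would hit the same Install-ADServiceAccount failure. The domain contoso.net, the host SQL01, the function names and the $MaxMsaNameLength constant are assumptions for the walk-through; the cmdlets are the standard ones from the 2008 R2 Active Directory module.

```powershell
# Added example (not from the original post): pre-flight name check for a
# Windows Server 2008 R2 managed service account.
# Assumptions (not from the post): domain contoso.net, SQL host SQL01, the AD
# module is available, and the caller may create objects under
# CN=Managed Service Accounts.
Import-Module ActiveDirectory

# Longest name Install-ADServiceAccount accepts on 2008 R2 (see the error above).
$MaxMsaNameLength = 15

function Test-MsaName {
    param([Parameter(Mandatory=$true)][string]$Name)
    # The object's sAMAccountName is "$Name$" and its password is rotated like a
    # computer account's, so the name must fit the NetBIOS computer-name length.
    if ($Name.Length -gt $MaxMsaNameLength) {
        throw "MSA name '$Name' is $($Name.Length) characters; maximum is $MaxMsaNameLength."
    }
    if ($Name -notmatch '^[A-Za-z0-9_-]+$') {
        throw "MSA name '$Name' contains characters that are not safe in a sAMAccountName."
    }
    return $true
}

function New-CheckedMsa {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Path,
        [string[]]$ServicePrincipalNames = @()
    )
    Test-MsaName -Name $Name | Out-Null
    # Deliberately no -TrustedForDelegation: that switch turns on unconstrained
    # Kerberos delegation, which a SQL Server service account does not need.
    New-ADServiceAccount -Name $Name -Enabled $true -Path $Path `
        -ServicePrincipalNames $ServicePrincipalNames -ErrorAction Stop
}

# Hypothetical values for the walk-through.
$msaName = 'SVC_001_SQL01_D'          # 15 characters: passes the check
$msaPath = 'CN=Managed Service Accounts,DC=contoso,DC=net'
$spns    = @('MSSQLSVC/SQL01.contoso.net:1433')

# The 18-character name from the post fails before anything is written to AD.
try {
    Test-MsaName -Name 'SVC_SQL01_LongName' | Out-Null
} catch {
    Write-Warning $_.Exception.Message
}

# On the DC (or any host with the AD module): create the account.
New-CheckedMsa -Name $msaName -Path $msaPath -ServicePrincipalNames $spns

# Then on SQL01 itself: link the MSA to the host's computer object and install it.
# Add-ADComputerServiceAccount -Identity SQL01 -ServiceAccount $msaName
# Install-ADServiceAccount -Identity $msaName

# Audit: existing MSAs whose names would trigger the same install failure.
Get-ADServiceAccount -Filter * -Properties Name |
    Where-Object { $_.Name.Length -gt $MaxMsaNameLength } |
    Select-Object Name, @{ n = 'Length'; e = { $_.Name.Length } }
```

The two commented-out lines are the steps that run on the member server rather than the domain controller; Add-ADComputerServiceAccount is the association step that the Microsoft step-by-step guide leaves out, and it has to happen before Install-ADServiceAccount will succeed on the host.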
Microsoft has a nice and very detailed managed service accounts How-To you can find here. Nowhere does it mention a 15 character maximum, though. A more friendly blog post about managed service account best practices is here.
Derek, we are aware of this problem and we have a work item on our side to fix it. The reason is that there is a discrepancy between the restrictions that exist in the base SAM code, which allows creation of accounts greater than 15 characters, and the limitation of 15 characters for accounts that require periodic password changes in NetLogon.
Thanks for trying Managed Service Accounts!
Jairo Cadena (jairoc@microsoft.com)
Program Manager
Identity, Directory and Access
Microsoft Corporation
Derek,
Not sure if Microsoft fixed this, but the only way we were able to get Install-ADServiceAccount to work was by reducing the character count to 15, just like you described. Thanks for the info.
I created an MSA that is 10 characters long, but I am getting "0xc0000106", which still translates to "name too long"....
Second, in Ned's blog, step 4, to associate the service account with a computer account, is not listed in the "step by step guide". Ned mentioned that the guide is incomplete and that he would have it looked after, but one year later, no change.
For everyone that is struggling with the powershell method of creating and working with MSAs, in the next couple of days I'll be releasing a free GUI alternative for managing MSAs (which will be updated to work with GMSAs when Server 2012 is released). More info and screenshots on my blog here: http://cjwdev.wordpress.com/2012/06/27/managed-service-accounts-gui/