Due to unforeseen circumstances, I made the tough decision to blow my lab away and start from scratch. Well, honestly, I do this about 6 times a year, so it's more like I'm looking for an excuse. Anyway, I decided that I would do two very special things with this lab:
- Configure everything almost entirely in PowerShell -- whenever possible
- Follow recommended best practices (when it doesn't greatly slow down other work)
To a lot of IT folks, that probably sounds like a nightmare. To others, "impossible." (Honestly, it is technically impossible even when using only Microsoft products... there is a small number of things that just cannot be done.) But hopefully you're like me and would enjoy the heck out of it. It's a constant puzzle and you're always finding new pieces. I just love it when you execute a script that you're really not sure of and it runs without any of that dastardly red text.
When it came time to install SQL, I realized that the recommended best practice is to have a Managed Service Account (MSA) for every service. That's a minimum of two per instance. With SCOM, SCCM, SCVMM, SC Orch, Lync, and SharePoint... that's a lot of services.
So of course I scripted it.
PowerShell Script: Install-MSAs.ps1
Using the Script
Assuming you put the script in C:\Scripts, you can just run
    .\Install-MSAs.ps1 "SvcSqlR-SQL02"
and it will create the MSA and install it on the local computer. You can then configure it for a service, such as those needed for SQL to run, like so:
You can also specify more than one MSA name. For example, you could do this:
    $MSANames = "MSA1","MSA2"
and then put that variable after the script name. Or, if you want to get fancy, you can do this:
All I did was create a text file on my desktop that looks like this:
...and then I get to delete all those accounts that I made for your amusement. That's right... all of this is for YOU so you better appreciate it. Or whatever.
To delete or view the MSAs in Active Directory Users and Computers, see below. You must first enable "Advanced Settings" under the View drop-down menu.
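The "get fancy" variant above, carried through end to end, as an added example that is not part of the original post: read the MSA names from a text file, run Install-MSAs.ps1 with them, confirm each MSA is actually usable on this host with Test-ADServiceAccount, and then point a Windows service at one of them. The script path, the list file name, and the service name 'MyAppService' are assumptions; 'SvcSqlR-SQL02' is the MSA name used in the post.

```powershell
# Added example, not from the original post: feed Install-MSAs.ps1 from a text file,
# check that each MSA is usable on this host, then point a Windows service at one.
# Assumptions (placeholders): the script is in C:\Scripts, the name list is MSAs.txt on the
# desktop, and 'MyAppService' / 'SvcSqlR-SQL02' stand in for your service and MSA.

$ScriptPath = 'C:\Scripts\Install-MSAs.ps1'
$ListPath   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MSAs.txt'

# One MSA name per line; blank lines and '#' comment lines are skipped
$MSANames = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

# An sMSA's sAMAccountName is the name plus '$' and is capped at 15 characters,
# so reject longer names before anything is written to AD
$TooLong = @($MSANames | Where-Object { $_.Length -gt 15 })
if ($TooLong.Count -gt 0) {
    throw "MSA names longer than 15 characters are not allowed: $($TooLong -join ', ')"
}

& $ScriptPath $MSANames

# Test-ADServiceAccount is $true only when the MSA is installed here and this
# computer can retrieve its password, i.e. a service could actually start with it
$Status = foreach ($name in $MSANames) {
    [pscustomobject]@{
        Name  = $name
        Ready = [bool](Test-ADServiceAccount -Identity $name -ErrorAction SilentlyContinue)
    }
}
$Status | Format-Table -AutoSize

# Run a service as the MSA: the logon account is DOMAIN\name$ and the password is left
# blank, because the Service Control Manager retrieves it from AD itself
$Domain      = (Get-ADDomain).NetBIOSName
$ServiceName = 'MyAppService'    # placeholder service name
$MSAName     = 'SvcSqlR-SQL02'   # placeholder MSA name, taken from the post

if (($Status | Where-Object { $_.Name -eq $MSAName }).Ready) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = "$Domain\$MSAName`$"
        StartPassword = ''
    }
    if ($result.ReturnValue -eq 0) {
        Restart-Service -Name $ServiceName
    } else {
        Write-Warning "Win32_Service.Change() failed with return code $($result.ReturnValue)"
    }
}
```

Two things worth knowing before you run this against anything real: for SQL Server itself, change the service account through SQL Server Configuration Manager rather than through WMI or services.msc, because Configuration Manager also sets the file-system and registry ACLs the SQL service needs; and if a service configured this way fails to start with a logon failure, check that the MSA holds the "Log on as a service" right, which services.msc grants for you but the WMI Change method may not.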
Script Content
Overview:
I'm just going to paste the script here because it's not very long and you won't have to download anything.
Here is the high-level process:
- Check if the AD PowerShell module is installed; install it if needed
- Check to see if a service account with the name you provided exists; skip creating that MSA if so
- Create the MSA, associate it with the local computer, and install it
- Display which MSAs were created and which failed to be provisioned
Code:
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$MSANames
    )

    $hostname = $env:COMPUTERNAME

    # The AD cmdlets ship with RSAT; install the feature if it is missing
    $InstallState = (Get-WindowsFeature -Name RSAT-AD-PowerShell).InstallState
    if ($InstallState -ne "Installed") {
        Install-WindowsFeature -Name RSAT-AD-PowerShell -WarningAction SilentlyContinue | Out-Null
        Start-Sleep -Seconds 1
    }
    Import-Module ActiveDirectory
    Start-Sleep -Seconds 1

    $CreatedMSAs = @()
    $NotCreatedMSAs = @()

    foreach ($name in $MSANames) {
        Try {
            # -ErrorAction Stop guarantees a terminating error when the account is missing,
            # so "not found" always lands in the catch block below
            Get-ADServiceAccount -Identity $name -ErrorAction Stop | Out-Null
            Start-Sleep -Seconds 1
            Write-Host "An account with the name '$name' already exists! This account cannot be created.`n`n" -ForegroundColor Red
            $NotCreatedMSAs += $name
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Standalone MSA, bound to this computer only
            New-ADServiceAccount -Name $name -Enabled $true -RestrictToSingleComputer
            Start-Sleep -Seconds 1
            Add-ADComputerServiceAccount -Identity $hostname -ServiceAccount $name
            Start-Sleep -Seconds 1
            Install-ADServiceAccount -Identity $name
            Start-Sleep -Seconds 1
            $CreatedMSAs += $name
        } catch {
            # Any other failure (no DC reachable, insufficient rights, ...) is reported, not retried
            Write-Host "Could not look up '$name': $($_.Exception.Message)" -ForegroundColor Red
            $NotCreatedMSAs += $name
        }
    }

    $count = 0
    if ($CreatedMSAs.Count -gt 0) {
        Write-Host "Managed Service Accounts have been installed on this computer." -ForegroundColor Green
    }
    foreach ($name in $CreatedMSAs) {
        $count += 1
        Write-Host "MSA #$count : $name" -ForegroundColor Cyan
    }
    if ($NotCreatedMSAs.Count -gt 0) {
        Write-Host "`nThe following MSAs were not able to be created, most likely because an account with that name already exists."
        foreach ($name in $NotCreatedMSAs) {
            Write-Host $name
        }
    }
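Since the whole point of this lab is doing everything in PowerShell, here is the review-and-cleanup side that the post hands off to Active Directory Users and Computers, as an added example that is not part of the original script: a report of which MSAs exist, which computer each is linked to, whether it is installed locally, and which local services still run as it, plus a removal routine that refuses to delete an account a service is still using. The ActiveDirectory module is assumed to be available on the host; 'MSA1' and 'MSA2' are the placeholder names from the post.

```powershell
# Added example, not part of the original script: audit the MSAs this script creates and
# remove them from PowerShell instead of ADUC. Assumes the ActiveDirectory module is
# available on this host; 'MSA1' and 'MSA2' are the placeholder names used in the post.
Import-Module ActiveDirectory

function Get-MSAReport {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    foreach ($n in $Name) {
        $msa = Get-ADServiceAccount -Identity $n -Properties HostComputers -ErrorAction SilentlyContinue
        # DN(s) of the computer(s) the MSA is linked to; an sMSA has exactly one
        $hosts = if ($msa) { $msa.HostComputers -join '; ' } else { $null }
        # Local services whose logon account ends in \<name>$ still depend on this MSA
        $users = Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.StartName -like "*\$n`$" } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Name           = $n
            Exists         = [bool]$msa
            HostComputers  = $hosts
            InstalledHere  = [bool](Test-ADServiceAccount -Identity $n -ErrorAction SilentlyContinue)
            UsedByServices = ($users -join ', ')
        }
    }
}

function Remove-MSA {
    param(
        [Parameter(Mandatory = $true)][string[]]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($n in $Name) {
        $report = Get-MSAReport -Name $n
        if ($report.UsedByServices) {
            Write-Warning "Skipping '$n': still used by service(s) $($report.UsedByServices)"
            continue
        }
        # Uninstall on the host first, then unlink it from the computer object, then delete the object
        if ($report.InstalledHere) {
            Uninstall-ADServiceAccount -Identity $n
        }
        if ($report.Exists) {
            Remove-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $n -ErrorAction SilentlyContinue
            Remove-ADServiceAccount -Identity $n -Confirm:$false
        }
    }
}

# Everything in the domain's default Managed Service Accounts container, the same objects
# ADUC shows once the advanced view is switched on
$container = "CN=Managed Service Accounts," + (Get-ADDomain).DistinguishedName
Get-ADServiceAccount -Filter * -SearchBase $container | Select-Object Name, Enabled, ObjectClass

Get-MSAReport -Name 'MSA1', 'MSA2' | Format-Table -AutoSize
# Remove-MSA -Name 'MSA1', 'MSA2'
```

The UsedByServices check only sees services on the computer you run it from, which for an sMSA bound to a single host is the one that matters; the removal line is left commented out so the report can be reviewed first.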