組託管服務賬戶（Group Managed Service Accounts，即gMSAs）

組託管服務賬戶（Group Managed Service Accounts，即gMSAs）

組託管服務賬戶是針對多個服務器的 MSA。 Windows 爲在一組服務器上運行的服務管理服務賬戶。 Active Directory 自動更新組託管服務賬戶密碼，而不重啓服務。 你能夠配置 SQL Server 服務以使用組託管服務賬戶主體。 從 SQL Server 2014 開始，SQL Server 針對獨立實例、故障轉移羣集實例和可用性組，在 Windows Server 2012 R2 和更高版本上支持組託管服務賬戶。

若要使用 SQL Server 2014 或更高版本的組託管服務賬戶，操做系統必須是 Windows Server 2012 R2 或更高版本。 裝有 Windows Server 2012 R2 的服務器須要應用 KB 2998082 ，以便服務能夠在密碼更改後當即登陸而不中斷。

組託管服務賬戶有註冊SPN的權限。

（備註：在實際部署中，看到有Write servicePrincipalName權限，可是沒有Read servicePrincipalName權限。按照http://www.sqlservercentral.com/blogs/james-sql-footprint/2013/01/19/got-cannot-generate-sspi-context-error-message-after-changing-sql-service-account/步驟手工添加後，重啓服務，查看錯誤日誌，發現SPN註冊成功）

備註：域管理員必須先在 Active Directory 中建立組託管服務賬戶，而後 SQL Server 安裝程序才能將其用於 SQL Server 服務。

配置步驟

1. 若是是首次建立組託管服務賬戶，須要建立KDS根祕鑰。

Add-KdsRootKey -EffectiveTime ((Get-Date).addhours(-10))

2. 先在域控上建立計算機組SQLServers，將須要使用組託管服務賬戶的主機添加進來。

3. 在域控上建立這些組託管服務賬戶。

在域控上建立SSAS服務賬戶gMSAsqlssas、×××S服務賬戶gMSAsql***s、SQL Server服務賬戶gMSAsqldbe、SQL Server Agent服務賬戶gMSAsqlagt：

New-ADServiceAccount -name gMSAsqlssas -DNSHostName dc.jztest.com -PrincipalsAllowedToRetrieveManagedPassword SQLServers
New-ADServiceAccount -name gMSAsql***s -DNSHostName dc.jztest.com -PrincipalsAllowedToRetrieveManagedPassword SQLServers
New-ADServiceAccount -name gMSAsqldbe -DNSHostName dc.jztest.com -PrincipalsAllowedToRetrieveManagedPassword SQLServers
New-ADServiceAccount -name gMSAsqlagt -DNSHostName dc.jztest.com -PrincipalsAllowedToRetrieveManagedPassword SQLServers

4. 查看賬戶狀態。

Get-ADServiceAccount gMSAsqlssas -Properties msDS-GroupMsaMembership | Select -Expand msDS-GroupMsaMembership | Select -Expand Access | Select -Expand IdentityReference

5. 重啓成員服務器，並安裝和驗證組託管服務賬戶。

在各成員服務器執行如下腳本：

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount gMSAsqlssas
Install-ADServiceAccount gMSAsql***s
Install-ADServiceAccount gMSAsqldbe
Install-ADServiceAccount gMSAsqlagt
Test-ADServiceAccount gMSAsqlssas
Test-ADServiceAccount gMSAsql***s
Test-ADServiceAccount gMSAsqldbe
Test-ADServiceAccount gMSAsqlagt

6. 爲了使用UNC遠程備份，若是你習慣使用默認共享如c$去作備份，須要將這些帳號添加到每臺成員服務器的Backup Operators組中。可是，這是一個很很差的習慣，管理共享都是給與具備管理員權限的用戶使用的，在平常運維過程當中，務必使用共享文件夾方式。若是使用共享文件夾，gMSAs無需執行此步驟。

（Administrative shares are hidden network shares created by Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled. Administrative shares cannot be accessed by users without administrative privileges.）

7. 配置各服務使用組託管服務賬戶，密碼留空並確認。

測試場景

1. 域控修改組託管服務賬戶密碼

域控修改組託管服務賬戶密碼後，驗證各副本的鏈接，正常。

2. 使用腳本切換主備實例

使用mov.ps1切換主備實例後，新的主實例能正常運行。

備註：在Windows Server 2012 R2上使用gMSAs務必打相關補丁，不然會遇到配置了該帳號的服務莫名崩潰的狀況。見KB 2998082

---

後記：

使用域帳號遠程登陸SQL Server實例，查看驗證方式：

select * from sys.dm_exec_connections where session_id=@@spid;

沒法使用Kerberos驗證，使用的是NTLM。

參考：https://technet.microsoft.com/en-us/library/bb463166.aspx

打開Kerberos日誌調試：

「

On an Active Directory server, Kerberos error messages are found in the Event Log. It is necessary to enable extended Kerberos logging before all message types will appear. To enable extended Kerberos logging, add a DWORD registry entry of LogLevel in the following location, and set it to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The server must be started after this change before the logging will be implemented.

」

Error	ErrorName	Description
0x7	KDC_ERR_S_PRINCIPAL_UNKNOWN	Server not found in Kerberos database

根據錯誤判斷，應該是SPN未註冊或未正確註冊。

參考：https://technet.microsoft.com/en-us/library/bb463167.aspx

「

Common DNS Issues

• DNS problems are often encountered only during a service ticket request after a successful TGT request. If a client can successfully authenticate initially but is then unable to acquire a service ticket or access services, then DNS problems are the likely cause.

• The error 「Server not found in Kerberos database」 is common and can be misleading because it often appears when the service principal is not missing. The error can be caused by domain/realm mapping problems or it can be the result of a DNS problem where the service principal name is not being built correctly. Server logs and network traces can be used to determine what service principal is actually being requested.

• Kerberos recognizes short host names as different from long host names. For example, problems may occur if a client computer knows an application server as appserver1.example.com, but the Kerberos server knows the same computer as appserver1. Check that each host in the environment knows the others by using a consistent naming pattern.

• Kerberos is case sensitive. Problems can occur in an environment using host names with mixed case. In the world of Kerberos, appserver1.EXAMPLE.COM and appserver1.example.com are not the same. Check that DNS resolves host names with consistent case.

• Kerberos relies on the presence of both forward and reverse lookup entries in DNS. Check that the host name of each computer can be resolved to its IP address and that its IP address can be resolved to its host name.

• DNS domain name ambiguities in a multidomain environment can result in subtle DNS issues. Check that each computer knows the others using the same domain name. Avoiding the use of short host names is particularly important in a multidomain environment.

• Look carefully at the configuration of any multihomed hosts. You might need to perform network traces to determine which interfaces and what names are being used in requests to or from computers with multiple network cards.

」

根據上文中「Server logs and network traces can be used to determine what service principal is actually being requested.」和「Kerberos recognizes short host names as different from long host names.」查找到日誌中報錯記錄的是短域名的SPN。根據「Kerberos is case sensitive.」發現報錯記錄的短域名的SPN是小寫的。因而，手工註冊該小寫短域名SPN。「Kerberos relies on the presence of both forward and reverse lookup entries in DNS.」對於綁定了新的網卡的IP，須要到DNS去作反向解析。

再去驗證鏈接，就是Kerberos驗證了。

所以，必定要去驗證遠程鏈接是否使用了Kerberos驗證。

那麼問題來了，爲何自動註冊的SPN不行，而還要手動註冊呢？自動註冊的SPN是根據FQDN解析出的地址去自動註冊的，機器名大寫，在DNS裏是大寫的，那麼註冊的SPN也是大寫的。那爲何會須要小寫手工註冊呢？我發現，以前爲了測試Read-scale availability groups(a new feature introduced in SQL Server 2017)，在主機HOST中，添加了小寫的域名解析：

那麼致使了沒法使用Kerberos驗證。因而，從域控刪除小寫的SPN。從新嘗試遠程使用Windows驗證鏈接，結果確實使用了Kerberos驗證。

 

那麼這兩點咱們再溫習一遍：

「Kerberos relies on the presence of both forward and reverse lookup entries in DNS. Check that the host name of each computer can be resolved to its IP address and that its IP address can be resolved to its host name.」

「Kerberos is case sensitive. Problems can occur in an environment using host names with mixed case. In the world of Kerberos, appserver1.EXAMPLE.COM and appserver1.example.com are not the same. Check that DNS resolves host names with consistent case.」

 

結論是：SPN自動註冊能使用Kerberos驗證。

 

參考：https://blogs.msdn.microsoft.com/apgcdsd/2011/09/26/kerberosntlm-sql-server/

「

SQL Server 2008/2008 R2

1) 當SPN被映射到正確的域或者內建機器帳號時 (Local System, Network Service)，本地鏈接會使用NTLM，而遠程鏈接會使用Kerberos。

2) 當沒有找到註冊在正確的域或內建機器帳號下的SPN時，鏈接會使用NTLM。

3) 當域中存在錯誤的SPN時，認證失敗。

」

具體Kerberos驗證的過程，能夠參考：https://blogs.technet.microsoft.com/askds/2008/03/06/kerberos-for-the-busy-admin/