Using Group Managed Service Accounts
A Group Managed Service Account (gMSA) is the type of domain account configured on the server. It does not need the administrator to manage the password as this role is performed by the Microsoft Windows operating system. Randomly generated complex passwords are automatically changed every 30 days which reduce the risk of brute force and dictionary attacks. For more information about gMSAs, see this Microsoft article.
You can use gMSAs to run guest processing tasks.
For application-aware processing, using a gMSA is supported for backups or replicas of VMs that run Microsoft Active Directory (domain controllers), Microsoft Exchange, Microsoft SQL Server, and Oracle 12c Release 2 and later. You cannot back up or replicate VMs that run Microsoft SharePoint with the gMSA.
Requirements and Limitations
gMSAs have the following requirements and limitations:
- gMSAs are applicable to Microsoft Windows Server 2012 and later. For more information about operating system and Microsoft Active Directory requirements, see this Microsoft article.
- gMSAs are not supported for backups of the Linux target machines joined to the Active Directory domain.
- Since gMSAs require a connection to the domain controller, these accounts work only over network.
- If you use gMSAs to manage the restore process of VM guest OS files, consider Requirements and Limitations.
- If you back up a machine using a gMSA, both the guest interaction proxy and the target machine must have network access to the domain controllers and be in the same domain to obtain the gMSA password. On the target machine the gMSA must be added to the Administrators group (local or domain). Domain Administrator permissions are only required for Microsoft Active Directory backups, for other supported applications local Administrator permissions are sufficient.
Consider that granting Domain Administrator permissions to gMSAs makes them a potential source of vulnerability.
Before You Begin
Before you start using gMSAs, configure the domain controller:
- The domain controller requires a root key to generate gMSA passwords. Ensure that the Key Distribution Service is enabled on the domain controller and use the following command in Microsoft Windows PowerShell to generate a root key:
Wait until the Active Directory replication is finished or force it manually. For more information about creating KDS root keys, see this Microsoft article.
- To enable gMSA support in Microsoft Windows PowerShell, use the following commands:
Install-WindowsFeature RSAT-AD-PowerShell,NET-Framework-Features | Out-Null;
To create a gMSA, use the New-ADServiceAccount cmdlet on the domain controller. In the DNSHostName parameter, specify the FQDN of the gMSA. For the PrincipalsAllowedToRetrieveManagedPassword parameter specify the computer accounts separated by comma which will use the gMSA or the AD group containing these computer accounts. For more information about all cmdlet parameters, see this Microsoft article.
$gMSAName = 'DOMAIN\gmsa01'
$gMSAGroupName = 'gMSAComputerAccountsGroup'
$gMSADNSHostName = 'gmsa01.srv.local'
New-ADServiceAccount -Name $gMSAName -DNSHostName $gMSADNSHostName -PrincipalsAllowedToRetrieveManagedPassword $gMSAGroupName -Enabled $True
To provide a more secure environment, use separate gMSAs for critical backup infrastructure components.
By default, created gMSAs are shown in the Managed Service Accounts container.
To install a gMSA on the server or the target machine, perform the following steps:
- Run the Install-ADServiceAccount cmdlet.
- Ensure that the gMSA was successfully installed.
- Add the gMSA to the local Administrators group.
Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\gmsa01$"
For domain controller VMs, add the gMSA to the domain Administrators group or BUILTIN\Administrators group on the domain controller.
For guest processing, install the gMSA on the guest OS machine and the guest interaction proxy.
To run guest processing tasks with the gMSA, do the following:
- Make sure that the following services run under the LocalSystem account:
- The Veeam Backup Service on the backup server.
- The Veeam Data Mover Service on the guest interaction proxy.
- Add the gMSA account type to the Credentials Manager. For more information, see Group Managed Service Accounts.
- Select the gMSA when specifying guest OS credentials for jobs or policies.