Using Group Managed Service Accounts
A Group Managed Service Account (gMSA) is the type of domain account configured on the server. It does not need the administrator to manage the password as this role is performed by the Microsoft Windows operating system. Randomly generated complex passwords are automatically changed every 30 days which reduce the risk of brute force and dictionary attacks. For more information about gMSAs, see this Microsoft article.
You can use gMSAs to only run guest processing tasks.
Note |
For application-aware processing, using a gMSA is supported for backups or replicas of VMs that run Microsoft Active Directory (domain controllers), Microsoft Exchange, Microsoft SQL Server, and Oracle 12c Release 2 and later. You cannot back up or replicate VMs that run Microsoft SharePoint with the gMSA. |
Requirements and Limitations
gMSAs have the following requirements and limitations:
- gMSAs are applicable to Microsoft Windows Server 2012 and later. For more information about operating system and Microsoft Active Directory requirements, see this Microsoft article.
Note |
Consider that this section describes the gMSA configuration compatible with most environments. To reduce the number of possible issues, it is recommended to perform all required steps to configure the domain controller and implement the gMSA. |
- gMSAs are not supported for backups of the Linux target machines joined to the Active Directory domain.
- When using gMSAs for guest processing, consider the following:
- For backup and replication jobs:
- A guest interaction proxy must be joined to the Active Directory domain where the gMSA was created.
- The gMSA must also have Logon as a service permission granted.
- For CDP policies, the backup server must be joined to the Active Directory domain where the gMSA was created.
- Veeam Explorers do not support data recovery using gMSAs.
- Since gMSAs require a connection to the domain controller, these accounts work only over network.
- If you use gMSAs to manage the restore process of VM guest OS files, consider Requirements and Limitations.
- If you back up a machine using a gMSA, both the guest interaction proxy and the target machine must have network access to the domain controllers and be in the same domain to obtain the gMSA password. On the target machine the gMSA must be added to the Administrators group (local or domain). Domain Administrator permissions are only required for Microsoft Active Directory backups, for other supported applications local Administrator permissions are sufficient.
Important |
Consider that granting Domain Administrator permissions to gMSAs makes them a potential source of vulnerability. |
Before You Begin
Before you start using gMSAs, configure the domain controller:
- The domain controller requires a root key to generate gMSA passwords. Ensure that the Key Distribution Service is enabled on the domain controller and use the following command in Microsoft Windows PowerShell to generate a root key:
Add-KdsRootKey -EffectiveImmediately |
Wait until the Active Directory replication is finished or force it manually. For more information about creating KDS root keys, see this Microsoft article.
- To enable gMSA support in Microsoft Windows PowerShell, use the following commands:
Install-WindowsFeature RSAT-AD-PowerShell,NET-Framework-Features | Out-Null; Import-Module ServerManager; Import-Module ActiveDirectory; |
To create a gMSA, use the New-ADServiceAccount cmdlet on the domain controller. For example:
$gMSAName = 'DOMAIN\gmsa01' $gMSAGroupName = 'gMSAComputerAccountsGroup' $gMSADNSHostName = 'gmsa01.srv.local' New-ADServiceAccount -Name $gMSAName -DNSHostName $gMSADNSHostName -PrincipalsAllowedToRetrieveManagedPassword $gMSAGroupName -Enabled $True |
Consider the following:
- In the DNSHostName parameter, specify the FQDN of the gMSA.
- For the PrincipalsAllowedToRetrieveManagedPassword parameter specify the AD group containing computer accounts which will use the gMSA. As an alternative, specify computer accounts separated by comma.
- By default, created gMSAs are shown in the Managed Service Accounts container.
For more information about all cmdlet parameters, see this Microsoft article.
Note |
To provide a more secure environment, use separate gMSAs for critical backup infrastructure components. |
To refresh AD group membership after you create a gMSA, run the following command on the machines on which you plan to install the gMSA:
C:\WINDOWS\system32\klist.exe -lh 0 -li 0x3e7 purge |
Alternatively, you can reboot these machines.
To install a gMSA on the server or the target machine, perform the following steps:
- Run the Install-ADServiceAccount cmdlet.
Install-ADServiceAccount "DOMAIN\gmsa01$" |
- Ensure that the gMSA was successfully installed.
Test-ADServiceAccount "DOMAIN\gmsa01$" |
- Add the gMSA to the local Administrators group.
Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\gmsa01$" |
Note |
For domain controller VMs, add the gMSA to the domain Administrators group. |
For guest processing, install the gMSA on the guest OS machine and the guest interaction proxy.
Using gMSA
To run guest processing tasks with the gMSA, do the following:
- Make sure that the following services run under the LocalSystem account:
- The Veeam Backup Service on the backup server.
- The Veeam Data Mover Service on the guest interaction proxy.
- Add the gMSA account type to the Credentials Manager. For more information, see Group Managed Service Accounts.
- Select the gMSA when specifying guest OS credentials for jobs or policies.