# Create the KDS root key (this command takes 10 hours to take effect)
Add-KdsRootKey -EffectiveImmediately

# Create a Group Managed Service Account, allow the "Web Servers" group to retrieve its password,
# and bind it to a DNS CNAME that resolves to all machines in the cluster
New-ADServiceAccount -Name GroupMSAAccount -DNSHostName WebClusterA.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Web Servers"

# Target machines need the RSAT-AD-PowerShell feature installed
Invoke-Command -ComputerName Web01,Web02,Web03 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }

# On each target server, install the gMSA and verify that the machine can retrieve its password
Install-ADServiceAccount GroupMSAAccount
Test-ADServiceAccount -Identity GroupMSAAccount
Open the service you wish to run under the service account; on the Log On tab, set the credentials for the service as a network account. Use the Browse button to find your gMSA (you'll need to change the location from the local machine to the domain to find the account). Remove the pre-populated password from the fields and save.
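The following verification script is an added example, not part of the original page. It checks the three things that commonly go wrong after the steps above: the KDS root key is not yet effective, more principals than the intended group can retrieve the managed password, and a target host cannot actually fetch it. It then performs the Log On tab change from the last step in scripted form. It reuses the names from the page (GroupMSAAccount, "Web Servers", Web01 to Web03) and assumes a NetBIOS domain name of MYDOMAIN for mydomain.local and a hypothetical Windows service named MyWebService on each host.

```powershell
# Added verification script (not from the original page). Assumes the names used above;
# the NetBIOS domain name and the service name are assumptions for illustration.
Import-Module ActiveDirectory

$Gmsa         = 'GroupMSAAccount'
$AllowedGroup = 'Web Servers'
$Hosts        = 'Web01', 'Web02', 'Web03'
$ServiceName  = 'MyWebService'   # hypothetical service name
$NetbiosDom   = 'MYDOMAIN'       # assumed NetBIOS name for mydomain.local

# 1. The KDS root key must exist and its effective time must have passed; until then the
#    account exists in AD but hosts cannot retrieve its password.
$key = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not $key) { throw 'No KDS root key found; run Add-KdsRootKey first.' }
if ($key.EffectiveTime -gt (Get-Date)) {
    Write-Warning "KDS root key becomes effective at $($key.EffectiveTime); hosts cannot retrieve the password yet."
}

# 2. Least privilege: only the intended group should be able to retrieve the managed password.
#    Any extra principal here is an unintended holder of the service's credential.
$acct       = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$expectedDn = (Get-ADGroup -Identity $AllowedGroup).DistinguishedName
$unexpected = @($acct.PrincipalsAllowedToRetrieveManagedPassword) | Where-Object { $_ -ne $expectedDn }
if ($unexpected.Count -gt 0) {
    Write-Warning "Principals other than '$AllowedGroup' can retrieve the password: $($unexpected -join ', ')"
}

# 3. Every host must be able to retrieve the password. Test-ADServiceAccount returns $true only
#    when the computer account is allowed (group membership) and the RSAT module is present.
$results = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    [pscustomobject]@{ Host = $env:COMPUTERNAME; CanRetrieve = (Test-ADServiceAccount -Identity $name) }
} -ArgumentList $Gmsa
$results | Format-Table Host, CanRetrieve

# 4. Point the service at the gMSA on the hosts that passed. The account name carries a trailing
#    '$' and the password is left empty because the host fetches it from AD; this is the scripted
#    equivalent of the Log On tab change described above.
$account = '{0}\{1}$' -f $NetbiosDom, $Gmsa
foreach ($h in ($results | Where-Object { $_.CanRetrieve })) {
    Invoke-Command -ComputerName $h.Host -ScriptBlock {
        param($svcName, $startName)
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
        if (-not $svc) { Write-Warning "Service '$svcName' not found on $env:COMPUTERNAME"; return }
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $startName; StartPassword = '' }
        if ($r.ReturnValue -ne 0) {
            Write-Warning "Win32_Service.Change returned $($r.ReturnValue) for '$svcName' on $env:COMPUTERNAME"
        }
    } -ArgumentList $ServiceName, $account
}
```

Run it from a domain-joined management host with the ActiveDirectory module after the gMSA has been created. Step 2 is the check worth keeping in a scheduled job: if someone later widens PrincipalsAllowedToRetrieveManagedPassword, every principal added there can obtain the service's password, so the list should stay limited to the one group the page intends.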