1 00:00:06,410 --> 00:00:17,230 An MSA is an AD object class that enables simplified password and SPN management for service accounts.
2 00:00:17,230 --> 00:00:26,770 The MSA was introduced in Windows 7 and Windows Server 2008 R2. Many network-based programs use an
3 00:00:26,770 --> 00:00:31,440 account to run services or provide authentication.
4 00:00:31,480 --> 00:00:40,390 For example, a program on a local computer might use the Local Service, Network Service, or Local System
5 00:00:40,390 --> 00:00:41,260 accounts.
6 00:00:41,260 --> 00:00:43,870 These service accounts may work fine.
7 00:00:43,900 --> 00:00:51,910 However, these typically are shared among multiple programs and services, which makes it difficult to
8 00:00:51,910 --> 00:00:54,730 manage for a specific program.
9 00:00:54,730 --> 00:01:00,640 Furthermore, you cannot manage this local service account at the domain level.
10 00:01:00,940 --> 00:01:07,360 Alternatively, it is common that a program might use a standard domain account that you configure
11 00:01:07,660 --> 00:01:10,120 specifically for the program.
12 00:01:10,120 --> 00:01:18,640 However, the main drawback is that you need to manage passwords manually, which increases administration
13 00:01:18,640 --> 00:01:26,500 effort. A managed service account can provide a program with its own unique account while eliminating
14 00:01:26,530 --> 00:01:31,990 the need for an administrator to administer the account credentials manually.
15 00:01:32,020 --> 00:01:41,260 So, how an MSA works. MSAs are stored in AD DS as msDS-ManagedServiceAccount
16 00:01:41,370 --> 00:01:42,400 objects.
17 00:01:42,430 --> 00:01:50,800 This class inherits structural aspects from the Computer class, which itself inherits from the User class.
18 00:01:50,800 --> 00:01:58,930 This enables an MSA to fulfill user-like functions, such as providing authentication and security
19 00:01:58,930 --> 00:02:01,780 context for a running service.
20 00:02:01,780 --> 00:02:10,660 It also enables an MSA to use the same password update mechanism that computer objects in AD DS use,
21 00:02:10,930 --> 00:02:15,510 which is a process that requires no user intervention.
22 00:02:15,520 --> 00:02:20,810 MSAs provide the following benefits to simplify administration.
23 00:02:20,860 --> 00:02:28,990 The first benefit is automatic password management. An MSA maintains its own password, including password
24 00:02:28,990 --> 00:02:31,340 changes, automatically.
25 00:02:31,350 --> 00:02:39,610 Another benefit is simplified SPN management. SPN management happens automatically if you configure
26 00:02:39,880 --> 00:02:49,330 your domain at the Windows Server 2008 R2 domain functional level or higher. MSAs are stored in
27 00:02:49,660 --> 00:02:57,070 the Managed Service Accounts container. You can view this by enabling the Advanced Features option on
28 00:02:57,070 --> 00:03:02,220 the View menu within Active Directory Users and Computers.
29 00:03:02,290 --> 00:03:08,100 This container is visible by default in the Active Directory Administrative Center.
30 00:03:08,320 --> 00:03:16,900 Now, what are the requirements for using MSAs? To use an MSA, the server that runs the service or program
31 00:03:17,200 --> 00:03:27,130 must be run on Windows Server 2008 R2 or a newer operating system. You also must ensure that Microsoft
32 00:03:27,130 --> 00:03:35,380 .NET Framework 3.5 and the Active Directory module for Windows PowerShell are both
33 00:03:35,380 --> 00:03:37,150 installed on the server.
34 00:03:37,150 --> 00:03:44,890 Please note that you cannot share a standard MSA between multiple computers or that you use in server
35 00:03:44,890 --> 00:03:49,120 clusters where the service is replicated between nodes.
36 00:03:49,120 --> 00:03:58,720 Additionally, you cannot use MSAs for unattended scheduled tasks. To simplify and provide full automatic
37 00:03:58,720 --> 00:04:08,110 password and SPN management, it is strongly recommended that the Active Directory domain be at the Windows
38 00:04:08,110 --> 00:04:13,120 Server 2008 R2 functional level or higher.
39 00:04:13,120 --> 00:04:20,650 However, if you have a domain controller that is run on Windows Server 2008, you can update the Active
40 00:04:20,650 --> 00:04:28,150 Directory schema to Windows Server 2008 R2 to support this feature.
41 00:04:28,150 --> 00:04:36,670 The only disadvantage is that the domain administrator must configure SPN data manually for the
42 00:04:36,860 --> 00:04:37,810 MSAs.
43 00:04:37,900 --> 00:04:46,750 Some words about using MSAs on Windows Server 2016 domain controllers. In Windows Server 2016,
44 00:04:46,750 --> 00:04:53,700 you create MSAs as the new group managed service account object type by default.
45 00:04:53,980 --> 00:05:04,030 However, on a Windows Server 2016 domain controller, you accommodate this by creating a Key Distribution
46 00:05:04,030 --> 00:05:09,980 Services, or KDS, root key for the domain. To create the root key,
47 00:05:10,060 --> 00:05:17,450 you must run the following cmdlet from the Active Directory module for Windows PowerShell. The
48 00:05:17,450 --> 00:05:18,110 cmdlet
49 00:05:18,310 --> 00:05:19,750 looks as follows:
50 00:05:19,750 --> 00:05:27,770 Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
51 00:05:27,790 --> 00:05:29,110 Next up, we'll discuss
52 00:05:29,110 --> 00:05:36,450 group MSAs in some more detail, including providing further explanation for how you can create a KDS
53 00:05:36,460 --> 00:05:41,850 root key and the Add-KdsRootKey cmdlet.
54 00:05:41,920 --> 00:05:42,810 I'll see you there.