1
00:00:06,400 --> 00:00:14,170
You use group MSAs to extend the capabilities of standard MSAs to more than one server in

2
00:00:14,170 --> 00:00:24,500
your domain. In server farms, in Network Load Balancing (NLB) clusters, or on IIS servers,

3
00:00:24,640 --> 00:00:32,440
you often need to run system or program services under the same service account. Standard MSAs

4
00:00:32,650 --> 00:00:40,430
cannot provide MSA functionality to services that run on more than one server.

5
00:00:40,450 --> 00:00:48,880
However, by using group MSAs, you can configure multiple servers to use the same MSA and

6
00:00:48,880 --> 00:00:58,910
still retain the benefits that MSAs provide, such as automatic password maintenance and simplified SPN

7
00:00:58,940 --> 00:00:59,950
management.

8
00:01:00,220 --> 00:01:03,880
What are the requirements for group MSAs?

9
00:01:03,910 --> 00:01:07,420
Your environment must meet the following requirements

10
00:01:07,420 --> 00:01:15,130
if you want to support group MSA functionality, including that at least one domain controller

11
00:01:15,430 --> 00:01:23,980
must run Windows Server 2012 or newer to store managed password information. Client computers

12
00:01:23,990 --> 00:01:32,020
that use group MSAs must run Windows 8 or newer, and server-based computers must run Windows

13
00:01:32,020 --> 00:01:34,970
Server 2012 or newer.

14
00:01:35,020 --> 00:01:43,730
You must create a KDS root key on one of the domain controllers. To create the KDS

15
00:01:43,770 --> 00:01:44,480
root key,

16
00:01:44,680 --> 00:01:51,910
you must run the following command from the Active Directory module for Windows PowerShell on a Windows

17
00:01:51,910 --> 00:01:54,970
Server 2016 domain controller:

18
00:01:54,980 --> 00:02:01,620
Add-KdsRootKey -EffectiveImmediately

19
00:02:01,630 --> 00:02:09,790
Please note that the EffectiveImmediately switch uses the current time to establish the timestamp that

20
00:02:09,790 --> 00:02:11,980
marks the key as valid.

21
00:02:12,130 --> 00:02:21,190
However, when you use the EffectiveImmediately switch, the actual effective time is set to 10 hours later

22
00:02:21,190 --> 00:02:22,900
than the current time.

23
00:02:22,900 --> 00:02:30,820
This ten-hour difference is there to allow AD DS replication to replicate the change to the other domain

24
00:02:30,820 --> 00:02:34,680
controllers in the domain. For testing purposes,

25
00:02:34,690 --> 00:02:42,880
you can bypass this behavior by setting the EffectiveTime parameter to 10 hours before the current

26
00:02:42,880 --> 00:02:52,780
time, by running the following command: Add-KdsRootKey -EffectiveTime

27
00:02:52,780 --> 00:02:53,290
((Get-Date).AddHours(-10))

28
00:02:53,440 --> 00:03:01,180
Some words about group MSA functionality. Group MSAs enable managed service account functionality

29
00:03:01,540 --> 00:03:10,130
across multiple servers by delegating the management of MSA password information to Windows Server

30
00:03:10,420 --> 00:03:13,020
2016 domain controllers.

31
00:03:13,060 --> 00:03:22,030
By doing this, the management of passwords is no longer dependent on the relationship between a single

32
00:03:22,270 --> 00:03:28,560
server and AD DS, but is controlled entirely by AD DS.

33
00:03:28,630 --> 00:03:36,810
The group managed service account object contains a list of principals, either computers or AD DS

34
00:03:36,820 --> 00:03:44,800
groups, which are allowed to retrieve group MSA password information from AD DS, as the principals that

35
00:03:44,800 --> 00:03:50,500
can use the group managed service account for service authentication.

36
00:03:50,570 --> 00:03:56,900
You create group MSAs by using the same cmdlets that you used for creating a standard

37
00:03:56,910 --> 00:04:03,350
MSA from the Active Directory module for Windows PowerShell, that is, the cmdlets

38
00:04:03,370 --> 00:04:12,460
used for managed service account management. Group MSAs are created by default on a Windows Server 2016 domain

39
00:04:12,460 --> 00:04:20,860
controller. Create a group MSA by using the New-ADServiceAccount cmdlet with the

40
00:04:20,990 --> 00:04:30,340
-PrincipalsAllowedToRetrieveManagedPassword parameter. This parameter accepts one or more comma-separated computer

41
00:04:30,340 --> 00:04:38,100
accounts or AD DS groups that are permitted to obtain password information for the group

42
00:04:38,110 --> 00:04:46,450
MSA that is stored in AD DS on Windows Server 2016 domain controllers. For example, the following

43
00:04:46,450 --> 00:04:56,560
cmdlet creates a new group MSA called SQLFarm and enables the LON-SQL1, LON-SQL2

44
00:04:56,560 --> 00:05:05,350
and LON-SQL3 hosts to use the group MSA. You could type: New-ADServiceAccount -Name

45
00:05:05,720 --> 00:05:14,190
LON-SQLFarm -PrincipalsAllowedToRetrieveManagedPassword followed by the names of the servers. After

46
00:05:14,190 --> 00:05:22,590
you add a computer to the -PrincipalsAllowedToRetrieveManagedPassword parameter, you can assign

47
00:05:22,590 --> 00:05:30,600
the group MSA to services by using the same assignment process as for standard MSAs. You can

48
00:05:30,600 --> 00:05:33,920
use AD DS security groups to identify the principals for

49
00:05:33,930 --> 00:05:43,000
group MSAs. When you use an AD DS group for the -PrincipalsAllowedToRetrieveManagedPassword parameter,

50
00:05:43,140 --> 00:05:50,910
any computers that are members of the group will be allowed to retrieve the password and utilize group

51
00:05:50,940 --> 00:05:59,400
MSA functionality. When you use an AD DS group as the principal allowed to retrieve the managed password,

52
00:05:59,760 --> 00:06:05,670
any accounts that are members of the group will also have the same capability.

53
00:06:05,670 --> 00:06:11,220
Next up, we will see the demonstration of how to configure group MSAs.