Create Group Managed Service Account (gMSA)

Always On Availability Groups need the SQL Server and SQL Server Agent services on every node to run under a domain account that the other nodes can authenticate, so we will create a Group Managed Service Account (gMSA) for them. A gMSA has a long, automatically rotated password that is never handed to an administrator; only the computer accounts we explicitly authorise can retrieve it. Creating one requires that the domain already has a KDS root key (created with Add-KdsRootKey on a domain controller).

  1. On the jumpserver, with PowerShell ISE still open, open a new tab (CTRL+N) and run the script below to create the gMSA:
Import-Module ActiveDirectory #RSAT AD PowerShell module must be installed on the jumpserver
$nodes = 'EC2SQL1', 'EC2SQL2' #The two SQL Server nodes
[string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain #Domain name of the jumpserver
$gMSAUsr = 'gMSA01' #This will be the Group Managed Service Account name
$gMSAgrp = 'grp_gMSA01' #This will be the AD group whose members are allowed to retrieve the gMSA password
$gMSAFQDN = $gMSAUsr + '.' + $DomainName #DNS host name recorded on the gMSA object

New-ADGroup -Name $gMSAgrp -Description 'Security group for gMSA01 computers' -GroupCategory Security -GroupScope Global #Creates the AD group that can use the gMSA
Add-ADGroupMember -Identity $gMSAgrp -Members ($nodes | ForEach-Object { Get-ADComputer -Identity $_ }) #Adds the computer accounts of the 2 DB servers (and nothing else) to that group
New-ADServiceAccount -Name $gMSAUsr -SamAccountName $gMSAUsr -DNSHostName $gMSAFQDN -PrincipalsAllowedToRetrieveManagedPassword $gMSAgrp -ManagedPasswordIntervalInDays 30 -Enabled $true #Creates the gMSA; only $gMSAgrp members can fetch its password, which AD rotates every 30 days
Start-Sleep -Seconds 10 #Give AD replication a moment before the nodes come back
Restart-Computer -ComputerName $nodes -Wait -For Wmi -Force -Protocol WSMan #Required: the nodes need a fresh Kerberos ticket that carries the new group membership before they can retrieve the password
Start-Sleep -Seconds 10
ipconfig /flushdns
  2. Once the script has run, you should see only minimal output:

  3. We can validate the new gMSA in Active Directory Users and Computers (Administrative Tools). Enable View > Advanced Features, then open the Managed Service Accounts container, where gMSA01 should be listed:
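Beyond looking at the object in ADUC, the checks that actually matter for the procedure above are that a usable KDS root key exists before New-ADServiceAccount is called, that nobody other than grp_gMSA01 can retrieve the password, and that each rebooted node really can fetch it. The script below is an added example (not part of the original walkthrough) that performs those checks from the jumpserver. It assumes the names used above (gMSA01, grp_gMSA01, EC2SQL1 and EC2SQL2), that PowerShell remoting to the nodes and to a domain controller is allowed, and that the SQL nodes have the RSAT AD PowerShell module installed so Install-ADServiceAccount and Test-ADServiceAccount can run on them:

```powershell
# Added example, not the original page's script. Verifies the gMSA created above.
# Assumptions: names gMSA01 / grp_gMSA01 / EC2SQL1 / EC2SQL2, WinRM reachable,
# RSAT AD PowerShell module present on the jumpserver, the DC and both nodes.
Import-Module ActiveDirectory

$nodes   = 'EC2SQL1', 'EC2SQL2'
$gMSAUsr = 'gMSA01'
$gMSAgrp = 'grp_gMSA01'

# 1. Pre-flight: New-ADServiceAccount fails unless the domain has a KDS root key
#    whose EffectiveTime has already passed. Get-KdsRootKey lives in the Kds module
#    on domain controllers, so ask a DC rather than assuming the jumpserver has it.
$dc = (Get-ADDomainController).HostName
$usableKey = Invoke-Command -ComputerName $dc -ScriptBlock {
    Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
}
if (-not $usableKey) {
    throw "No effective KDS root key in the domain. Run Add-KdsRootKey on a DC and wait for it to become effective."
}

# 2. The gMSA exists and exactly one principal, our group, may retrieve its password.
#    Any extra entry here means another host could pull the SQL service secret.
$svc = Get-ADServiceAccount -Identity $gMSAUsr `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
$allowed  = @($svc.PrincipalsAllowedToRetrieveManagedPassword)
$expected = (Get-ADGroup -Identity $gMSAgrp).DistinguishedName
if ($allowed.Count -ne 1 -or $allowed[0] -ne $expected) {
    throw "Unexpected password-retrieval principals on ${gMSAUsr}: $($allowed -join '; ')"
}
'{0}: password rotates every {1} days, retrievable only by {2}' -f `
    $svc.Name, $svc.'msDS-ManagedPasswordInterval', $gMSAgrp

# 3. Both nodes, and only those nodes, are members of the group.
$members = @((Get-ADGroupMember -Identity $gMSAgrp).Name)
$missing = $nodes   | Where-Object { $_ -notin $members }
$extra   = $members | Where-Object { $_ -notin $nodes }
if ($missing) { throw "Not in ${gMSAgrp}: $($missing -join ', ')" }
if ($extra)   { throw "Unexpected members of ${gMSAgrp}: $($extra -join ', ')" }

# 4. On each node, confirm the host can actually retrieve the managed password.
#    Test-ADServiceAccount returns $false if the node's Kerberos ticket does not yet
#    carry the group SID (typically because it was not rebooted after being added).
$results = Invoke-Command -ComputerName $nodes -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $using:gMSAUsr -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Node                = $env:COMPUTERNAME
        CanRetrievePassword = (Test-ADServiceAccount -Identity $using:gMSAUsr)
    }
}
$results | Format-Table Node, CanRetrievePassword -AutoSize
if ($results.CanRetrievePassword -contains $false) {
    throw 'At least one node cannot retrieve the gMSA password; check group membership and reboot that node.'
}
```

Run it after the reboot in step 1 has completed. Steps 2 and 3 are the ones to keep in your change-control notes: the set of principals allowed to retrieve the managed password is the entire trust boundary of a gMSA, so it should contain exactly the group, and the group should contain exactly the SQL nodes.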