在 Azure Active Directory 域服务中创建组托管服务帐户 (gMSA)Create a group managed service account (gMSA) in Azure Active Directory Domain Services

应用程序和服务通常需要标识来向其他资源进行身份验证。Applications and services often need an identity to authenticate themselves with other resources. 例如,Web 服务可能需要向数据库服务进行身份验证。For example, a web service may need to authenticate with a database service. 如果一个应用程序或服务有多个实例(如 web 服务器场),则手动创建和配置这些资源的标识将非常耗时。If an application or service has multiple instances, such as a web server farm, manually creating and configuring the identities for those resources gets time consuming.

在这种情况下,可以在 Azure Active Directory 域服务 (Azure AD DS) 托管域中创建组托管服务帐户 (gMSA)。Instead, a group managed service account (gMSA) can be created in the Azure Active Directory Domain Services (Azure AD DS) managed domain. Windows OS 自动管理 gMSA 的凭据,这简化了对大型资源组的管理。The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources.

本文介绍了如何使用 Azure PowerShell 在托管域中创建 gMSA。This article shows you how to create a gMSA in a managed domain using Azure PowerShell.

准备阶段Before you begin

需有以下资源和特权才能完成本文:To complete this article, you need the following resources and privileges:

托管服务帐户概述Managed service accounts overview

独立的托管服务帐户 (sMSA) 是一个域帐户,其密码是自动管理的。A standalone managed service account (sMSA) is a domain account whose password is automatically managed. 此方法简化了服务主体名称 (SPN) 管理,并且可以委托其他管理员进行管理。This approach simplifies service principal name (SPN) management, and enables delegated management to other administrators. 无需手动创建和轮换帐户的凭据。You don't need to manually create and rotate credentials for the account.

组托管服务帐户 (gMSA) 提供同样的管理简化效果,但适用于域中的多个服务器。A group managed service account (gMSA) provides the same management simplification, but for multiple servers in the domain. gMSA 允许服务器场上承载的同一服务的所有实例都使用同一服务主体,相互身份验证协议才能工作。A gMSA lets all instances of a service hosted on a server farm use the same service principal for mutual authentication protocols to work. 当 gMSA 用作服务主体时,将再次由 Windows 操作系统管理帐户的密码,而不是依赖于管理员。When a gMSA is used as service principal, the Windows operating system again manages the account's password instead of relying on the administrator.

有关详细信息,请参阅组托管服务帐户 (gMSA) 概述For more information, see group managed service accounts (gMSA) overview.

使用 Azure AD DS 中的服务帐户Using service accounts in Azure AD DS

由于托管域由 Microsoft 锁定和管理,因此在使用服务帐户时有一些注意事项:As managed domains are locked down and managed by Microsoft, there are some considerations when using service accounts:

  • 在托管域上的自定义组织单位 (OU) 中创建服务帐户。Create service accounts in custom organizational units (OU) on the managed domain.
    • 无法在内置的“AADDC 用户”或“AADDC 计算机”OU 中创建服务帐户 。You can't create a service account in the built-in AADDC Users or AADDC Computers OUs.
    • 在这种情况下,请在托管域上创建自定义 OU,然后在该自定义 OU 中创建服务帐户。Instead, create a custom OU in the managed domain and then create service accounts in that custom OU.
  • 密钥分发服务 (KDS) 根密钥已预先创建。The Key Distribution Services (KDS) root key is pre-created.
    • KDS 根密钥用于生成和检索 gMSA 的密码。The KDS root key is used to generate and retrieve passwords for gMSAs. 在 Azure AD DS 中,服务会为你创建 KDS 根。In Azure AD DS, the KDS root is created for you.
    • 你没有相应权限可创建另一个 KDS 根密钥或查看默认的 KDS 根密钥。You don't have privileges to create another, or view the default, KDS root key.

创建 gMSACreate a gMSA

首先,使用 New-ADOrganizationalUnit cmdlet 创建一个自定义 OU。First, create a custom OU using the New-ADOrganizationalUnit cmdlet. 有关创建和管理自定义 OU 的详细信息,请参阅 Azure AD DS 中的自定义 OUFor more information on creating and managing custom OUs, see Custom OUs in Azure AD DS.

提示

若要完成这些步骤来创建 gMSA,请使用管理 VMTo complete these steps to create a gMSA, use your management VM. 此管理 VM 应已具有所需的 AD PowerShell cmdlet 和与托管域的连接。This management VM should already have the required AD PowerShell cmdlets and connection to the managed domain.

以下示例在名为 aaddscontoso.com 的托管域中创建名为 myNewOU 的自定义 OU 。The following example creates a custom OU named myNewOU in the managed domain named aaddscontoso.com. 使用你自己的 OU 和托管域名:Use your own OU and managed domain name:

New-ADOrganizationalUnit -Name "myNewOU" -Path "DC=aaddscontoso,DC=COM"

现在,使用 New-ADServiceAccount cmdlet 创建 gMSA。Now create a gMSA using the New-ADServiceAccount cmdlet. 定义了以下示例参数:The following example parameters are defined:

  • “-Name”设置为 WebFarmSvc-Name is set to WebFarmSvc
  • “-Path”参数为上一步中创建的 gMSA 指定自定义 OU。-Path parameter specifies the custom OU for the gMSA created in the previous step.
  • 为 WebFarmSvc.aaddscontoso.com 设置 DNS 条目和服务主体名称DNS entries and service principal names are set for WebFarmSvc.aaddscontoso.com
  • AADDSCONTOSO-SERVER$ 中的主体可以检索密码并使用标识。Principals in AADDSCONTOSO-SERVER$ are allowed to retrieve the password and use the identity.

指定你自己的名称和域名。Specify your own names and domain names.

New-ADServiceAccount -Name WebFarmSvc `
    -DNSHostName WebFarmSvc.aaddscontoso.com `
    -Path "OU=MYNEWOU,DC=aaddscontoso,DC=com" `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames http/WebFarmSvc.aaddscontoso.com/aaddscontoso.com, `
        http/WebFarmSvc.aaddscontoso.com/aaddscontoso, `
        http/WebFarmSvc/aaddscontoso.com, `
        http/WebFarmSvc/aaddscontoso `
    -PrincipalsAllowedToRetrieveManagedPassword AADDSCONTOSO-SERVER$

现在可以根据需要将应用程序和服务配置为使用 gMSA。Applications and services can now be configured to use the gMSA as needed.

后续步骤Next steps

有关 gMSA 的详细信息,请参阅组托管服务帐户入门For more information about gMSAs, see Getting started with group managed service accounts.