
Use a group Managed Service Account with Peer Agents

Group Managed Service Accounts (gMSA) provide a single identity solution for services running on a server farm or on systems that use Network Load Balancing (NLB). By providing a group managed service account solution, services such as those utilized by Peer Agent can be configured for the group managed service account principal, and the password management is handled by the operating system. This means that the password can be changed on a schedule for better security, but each Peer Agent service on each Windows file server wouldn't need to be manually updated with the new password.

Group Managed Service Accounts (gMSAs) provide a higher security option for non-interactive applications/services/processes/tasks that run automatically but need a security credential.

For more information on Service Accounts, including group managed service accounts, see:

Overview of setting up a gMSA

Before using a group Managed Service Account with a Peer Agent, there are several steps needed to set up a group Managed Service Account. The procedure to follow is:

  1. Create the Key Distribution Service (KDS) Key

  2. Create a group Managed Service Account (gMSA) in Active Directory

  3. Add the group Managed Service Account to a Group that is a member of the local Administrators group on each Windows file server that will host a copy of the Peer Agent software

  4. Install the group Managed Service Account on Windows file servers

  5. Configure the Peer Agent service to log on using the group Managed Service Account

These steps are detailed in the following section.

Step-by-step guide

Step 1. Create the Key Distribution Service (KDS) Key

Before you create a group Managed Service Account, you must perform a one-time operation to create a KDS Root Key, if it doesn't already exist. Use PowerShell to check if the KDS Root Key already exists:

Check if a KDS Root Key Exists

POWERSHELL
Get-KdsRootKey

If no KDS Root Key exists, there will be no output and you will be returned to the PowerShell prompt. You will therefore need to create one.

Run the following PowerShell command on a domain controller (the Microsoft Key Distribution Service must be installed and running):

Immediate Implementation of KDS Root Key

POWERSHELL
# Back-date the effective time so the key is usable immediately instead of after the default 10-hour replication wait
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

To make sure that the KDS Root Key has been created successfully:

POWERSHELL
Get-KdsRootKey

You can also use the following PowerShell command to check the KDS Key:

POWERSHELL
Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId

If you receive the response True, the KDS Key checks out successfully.

Step 2. Create a group Managed Service Account (gMSA) in Active Directory

Before creating the gMSA account, create a Domain Security Group with the following PowerShell command:

POWERSHELL
New-ADGroup "<ADGroup_Name>" -GroupScope Global -PassThru -Verbose

Next, add the computer accounts of the servers that will be allowed to retrieve the password for this group Managed Service Account to the Domain Security Group (computer accounts are written with a trailing $):

POWERSHELL
Add-ADGroupMember -Identity "<ADGroup_Name>" -Members "<Server_Name1>$", "<Server_Name2>$", "<Server_Name3>$"

To create a Group Managed Service Account (gMSA), use the following PowerShell command:

POWERSHELL
New-ADServiceAccount -Name "<gMSA_account>" -DNSHostName "<DNS_Server.domain.tld>" -PrincipalsAllowedToRetrieveManagedPassword "<ADGroup_Name>" -Verbose

Step 3. Add the group Managed Service Account to an AD Group that is a member of the local Administrators group on each server that the Peer Agent will run on

Use the following PowerShell command to add the group Managed Service Account to the Domain Admins group in the domain:

POWERSHELL
Add-ADGroupMember -Identity "Domain Admins" -Members "CN=<gMSA_account>,CN=Managed Service Accounts,DC=<Domain Name>,DC=<Top Level Domain (TLD)>"

You can use an alternative to the Domain Admins group, as long as that group is a member of the local Administrators group on each target server that will be running the Peer Agent software.

Step 4. Install a group Managed Service Account on Windows servers

Use the following PowerShell command to check that the service account is already installed on each server that will run the Peer Agent software:

POWERSHELL
Test-ADServiceAccount <gMSA_account>

If the command returns True, everything is configured correctly.

If the command is not recognized or does not return True, install the Active Directory PowerShell module on each server that will run the Peer Agent software:

POWERSHELL
Add-WindowsFeature RSAT-AD-PowerShell

If you receive the error Cannot install service account. Error Message: {Access Denied}, reboot the server so that it picks up its updated group membership; the Security Group and this server's membership in it were only just created. After the reboot, test again whether the service account is installed, and install it if it is not.

Next, install the Group Managed Service Account that you created earlier on each server.

POWERSHELL
Install-ADServiceAccount -Identity <gMSA_account>

Step 5. Configure a Windows Service to log on as a Managed Service Account

To configure an installed Peer Agent service to use the group Managed Service Account, take the following steps:

  1. Open the Services management console (services.msc).

  2. Right-click the Peer Agent Service service, and then select Properties.

  3. Open the Log On tab.

  4. Select the This account radio button, and then enter the name of the Group Managed Service Account, followed by $. For example:

    POWERSHELL
    <domain>\<gMSA_account>$

  5. Ensure that the password fields are blank and click the OK button. The gMSA will be automatically granted the Log On As a Service right.

  6. Restart the Peer Agent Service.

Repeat these steps for each Windows file server running the Peer Agent software that you want to utilize the group Managed Service Account.
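The following verification script is an added example, not part of the Peer Agent documentation or product. Run it on one file server after completing Steps 1 to 5 to confirm each step took effect; the gMSA name, group name and Peer Agent service name in the param block are placeholders you must replace, and the script assumes the RSAT Active Directory module is installed on that server.

```powershell
# Added example (not Peer Software code): re-check the outcome of Steps 1-5 on this server.
# Placeholders: $GmsaName, $GroupName and $ServiceName must be replaced with your own values;
# take the real service name of the Peer Agent service from services.msc.
param(
    [string]$GmsaName    = 'gMSA_account',     # placeholder: gMSA sAMAccountName without trailing $
    [string]$GroupName   = 'ADGroup_Name',     # placeholder: group allowed to retrieve the password
    [string]$ServiceName = 'PeerAgentService'  # placeholder: Peer Agent Windows service name
)
Import-Module ActiveDirectory -ErrorAction Stop
$results = [ordered]@{}

# Step 1: a KDS root key must exist and validate, or managed passwords cannot be generated.
$key = Get-KdsRootKey | Select-Object -First 1
$results['KdsRootKeyPresent'] = [bool]$key
$results['KdsRootKeyValid']   = [bool]($key -and (Test-KdsRootKey -KeyId $key.KeyId))

# Step 2: the gMSA exists and only the intended group may retrieve its password.
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$results['PasswordRetrievalRestrictedToGroup'] = ($allowed -contains $groupDn) -and ($allowed.Count -eq 1)

# Step 2 (membership): this computer account is in that group. A missing entry is the
# usual reason for the "Access Denied" error above; reboot after correcting membership.
$members = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName
$results['ComputerInRetrievalGroup'] = $members -contains "$env:COMPUTERNAME`$"

# Step 4: the gMSA is installed locally and this host can fetch its managed password.
$results['GmsaInstalledLocally'] = [bool](Test-ADServiceAccount -Identity $GmsaName)

# Step 5: the service logs on as DOMAIN\gMSA_account$ (Get-Service does not expose the
# logon account, so query the Win32_Service class instead).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$results['ServiceLogsOnAsGmsa'] = [bool]($svc -and ($svc.StartName -like "*\$GmsaName`$"))

# Every value should be True; a False pinpoints the step to revisit.
[pscustomobject]$results | Format-List
```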
