Yesterday we started installing System Center Orchestrator 2012 and we wanted to utilize the new Windows 2012 Group Managed Service Account feature. Upon starting the installation we quickly ran into a problem. SCORCH 2012 does not allow you to enter service credentials without providing a password (which is how a gMSA works). To get around this problem we installed SCORCH 2012 using one set of credentials and then changed it to use the gMSA after the fact. So far, everything appears to be functioning correctly so I thought I’d share the process.
- Install SQL Server
- Create Dummy Domain Account
- Prepare gMSA Account
- Install System Center Orchestrator
- Change service accounts
- Update SQL Security
- Update local security group
- Update IIS application pool
- Restart Services
Install SQL Server, can also be done using gMSA if you like.
Create a temporary dummy domain account in AD Users and Computers:
Create KDS Root Key, create and configure gMSA, and configure the gMSA on host as documented in this TechNet blog post.
New-ADServiceAccount -Name SCService -DNSHostName SCService.company.domain -PrincipalsAllowedToRetrieveManagedPassword "System Center Servers"
In this case “SCService” is the name of the gMSA we’re creating, “company.domain” is our domain, and “System Center Servers” is an AD security group we created to hold the computers that are allowed to use our gMSA (at least the SCORCH 2012 server, as shown below).
Run SetupOrchestrator.exe, Click Install and follow the prompts.
Once you arrive at the “Configure the service account” screen you’ll find that you can’t use your shiny new gMSA account because the SCORCH 2012 installer is a little too clever for its own good. It prevents you from providing credentials without a password. So for the time being, we’ll utilize our temporary dummy account.
Finish the SCORCH 2012 install pointing it to the SQL installation you completed in Step 1.
In the remaining steps we’ll go about replacing the dummy account we just used with our new gMSA account.
Open up Local Services and find the three Orchestrator services (Orchestrator Management Service, Orchestrator Runbook Server Monitor, and Orchestrator Runbook Service). Each of these services should currently be configured with “Log On As” set to the dummy account we chose during installation.
For each Orchestrator service, Right Click –> Stop, then Right Click –> Properties –> Log On and set the account to the gMSA as shown (the password fields should be left blank).
Next we need to configure our SQL Server to allow our gMSA account (rather than the dummy account). Open SQL Server Management Studio and connect to the SQL Server you installed in Step 1. Expand Security, then Logins, and you should see our familiar dummy account. Right Click Logins –> New Login… –> Enter the gMSA account name in the “Login name” field as shown below.
Select the User Mapping page, check the Map checkbox next to “Orchestrator” and select “dbo” as the Default Schema as shown below.
Next, expand Databases, then Orchestrator, then Security. Right Click Security –> New User… –> Choose User type “Windows user”. For “User name” choose the gMSA account, for “Login name” choose the gMSA account, and for “Default schema” choose dbo.
Select the Membership page and check the checkboxes next to “Microsoft.SystemCenter.Orchestrator.Admins”, “Microsoft.SystemCenter.Orchestrator.Operators”, and “Microsoft.SystemCenter.Orchestrator.Runtime” as shown below.
You can now delete the dummy user account from the Orchestrator db as well as the dummy Login from the SQL Server.
Now we’ll make the necessary local security group change. Open the Local Users and Groups manager and select “OrchestratorSystemGroup”.
Right Click –> Properties –> Add the gMSA and remove the dummy account. Once finished, the group membership should look similar to the image below.
The final configuration step is to update the SCORCH 2012 IIS App Pool Identity. Start by opening IIS Manager. Expand your IIS Server node and select Application Pools.
Find the “System Center 2012 Orchestrator Web Features” application pool and Right Click –> Advanced Settings. Find the Identity field under Process Model and change the value to your gMSA as shown below.
Finally, return to Local Services and start the three Orchestrator services you stopped in Step 5. The services should successfully start using the new gMSA credentials.
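For anyone who would rather script the gMSA preparation (Step 3) and the service log-on swap (Step 5) than click through them, here is an added PowerShell example; it is not part of the original post. It assumes the NetBIOS domain is “COMPANY”, the DNS domain is “company.domain”, the gMSA is “SCService”, the host group is “System Center Servers”, and the RSAT ActiveDirectory module is installed on the SCORCH host.

```powershell
# Added example, not from the original post: scripts the gMSA preparation
# and the Orchestrator service log-on swap, then verifies the result.
# Assumed values: NetBIOS domain "COMPANY", DNS domain "company.domain",
# gMSA "SCService", host group "System Center Servers". Run elevated.
Import-Module ActiveDirectory

$Gmsa      = 'SCService'
$Domain    = 'COMPANY'                    # assumed NetBIOS domain name
$DnsDomain = 'company.domain'
$HostGroup = 'System Center Servers'
$Account   = "$Domain\$Gmsa`$"            # gMSA log-on names end in '$'

# 1. KDS root key: one per forest. A new key is only usable after AD has
#    replicated it (about 10 hours), so create it well ahead of the install.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 2. Create the gMSA; only members of $HostGroup may retrieve its password,
#    which is the least-privilege control that makes gMSAs worth the effort.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
    New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.$DnsDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}

# 3. On the SCORCH host: install the gMSA and confirm the host can use it.
#    A false result usually means the computer was added to $HostGroup but
#    has not rebooted yet, so its Kerberos ticket lacks the new membership.
Install-ADServiceAccount -Identity $Gmsa
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $Account"
}

# 4. Re-point the three Orchestrator services (matched by display name, as
#    in the post) to the gMSA. The blank StartPassword is deliberate: the
#    service control manager fetches the managed password itself.
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Orchestrator%'"
foreach ($svc in $services) {
    Stop-Service -Name $svc.Name -Force
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $Account; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Change failed for $($svc.Name): $($r.ReturnValue)" }
}

# 5. Verify nothing still runs as the dummy account, then start the services.
$stale = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Orchestrator%'" |
    Where-Object { $_.StartName -ne $Account }
if ($stale) { throw "Still using old credentials: $($stale.Name -join ', ')" }
$services | ForEach-Object { Start-Service -Name $_.Name }
```

The SQL login, local group and IIS app pool changes from Steps 6 to 8 still need to be made as described above before the services will come up cleanly.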