I have to migrate 8 SQL Server instances to a new SQL Server 2019 Always On cluster. Each instance is going to be replicated to a passive secondary node. We globally want to use gMSA instead of classic domain accounts.
I cannot find the best practices related to this:
- Should I use the same gMSA for all SQL services on all nodes?
- Should I use a dedicated gMSA for each instance (primary and secondary node)?
- If yes, can I install more than one gMSA service on each node? (Install-ADServiceAccount gMSAsqlservice)
How to solve:
Since this has to do with internal company security, you’ll want to ask your security folks what they want to do. They will be the ones auditing and bringing items to your attention, thus it is better to have their sign-off on it.
Assuming they don’t care, so long as you use gMSAs…
Should I use the same gMSA for all SQL services on all nodes?
This will greatly simplify the deployments. Due to the nature of gMSA accounts, I don’t see an issue with this so long as the environment doesn’t touch many outside resources (as in it’s relatively self-contained or all nodes and services need access to those outside resources, thus the security would need to be everywhere, anyway).
Should I use a dedicated gMSA for each instance (primary and secondary node)?
The power of the gMSA is that it can be used more than once. If it were my personal environment, I’d use one gMSA account per cluster deployment. Note that I would not install more than one instance (AG or FCI) in a cluster, thus one account would work per cluster.
If yes, can I install more than one gMSA service on each node? (Install-ADServiceAccount gMSAsqlservice)
Yes, it’s possible and you can, but I wouldn’t have more than a single instance per node or single FCI per cluster, personally. Thus, I don’t see the need, but I’m also not you 🙂
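The one-gMSA-per-cluster layout described in the answer above, as an added PowerShell example that is not part of the original question or answer. The node names, group name and domain are assumptions; the example also limits password retrieval to the cluster's own nodes, which the answer does not discuss.

```powershell
# Added example; node, group and domain names are assumptions, not from the original post.
# Requires the ActiveDirectory module and an existing KDS root key in the domain.
Import-Module ActiveDirectory

$GmsaName  = 'gMSAsqlservice'          # account name taken from the question
$NodeGroup = 'SQL-AG01-Nodes'          # hypothetical group, one per cluster
$Nodes     = 'SQLNODE1', 'SQLNODE2'    # hypothetical primary and secondary node
$DnsName   = "$GmsaName.corp.example"  # hypothetical domain

function New-ClusterGmsa {
    # Run once from an admin host. Only members of $NodeGroup may retrieve the password,
    # so a host outside the cluster cannot start services under this account.
    New-ADGroup -Name $NodeGroup -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $NodeGroup `
        -Members ($Nodes | ForEach-Object { Get-ADComputer $_ })
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $NodeGroup
}

function Confirm-GmsaOnNode {
    # Run locally on each node, after it has rebooted to pick up the new group membership.
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "$env:COMPUTERNAME cannot retrieve the password for $GmsaName"
    }
}

function Get-GmsaRetrievers {
    # Audit check: lists the principals allowed to retrieve the managed password.
    $account = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $account.PrincipalsAllowedToRetrieveManagedPassword
}
```

Call `New-ClusterGmsa` once, then `Confirm-GmsaOnNode` on each node before assigning the account to the SQL Server services; `Get-GmsaRetrievers` gives the security team a quick list to review.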