Windows Server 2008 R2 Managed Service Account (MSA) Features

  
When deploying AD RMS today, I needed to create a separate service account for RMS, which brought to mind a new feature in Server 2008 R2: the Managed Service Account. First, let's understand what it is.

Managed service account: the Managed Service Account came into being because managing the passwords of the domain user accounts that run services is troublesome. A managed service account is an account whose management is entrusted to the operating system. The password of a managed service account (MSA) is set and maintained automatically by the operating system and is updated periodically, with no manual intervention by the administrator. To the administrator, the account appears to have no password.

The role of the Managed Service Account (MSA) is to isolate services from each other, with separate automatic password management that reduces service interruptions and thereby reduces TCO. A single managed service account is used per service or per server (a service account cannot be shared by multiple computers). It also provides better SPN management at the Windows Server 2008 R2 domain functional level (allowing the server to rename the service account).

Now that we know what a managed service account is, let's create an RMS service account!

1. Create an MSA account: Log in to the DC, open PowerShell as an administrator, and enter New-ADServiceAccount to create the service account.

2. Install the MSA account: After the account is created, you can install it. A managed service account is installed on a Windows Server 2008 R2 member server or a Windows 7 client computer. My environment here is Server 2012 as a domain member server on which RMS is deployed. Open PowerShell as an administrator and enter the Install-ADServiceAccount command.

3. Assign the MSA account to the service: Open the Service Control Manager, expand Configuration - Services, and double-click the service you want to configure on the right. On the "Log On" tab, select "This account" - "Browse", navigate to the MSA account you created, and click OK. The service now runs with the selected MSA account.
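The three steps above as a script, with a check that the service really ended up under the MSA; this is an added example, not part of the original article. The account, domain, server and service names are hypothetical placeholders, and the ActiveDirectory PowerShell module is assumed to be available on both machines.

```powershell
# Hypothetical placeholder names; replace with your own values.
$MsaName     = 'svc-rms'      # MSA to create
$Domain      = 'CONTOSO'      # NetBIOS domain name
$Server      = 'RMS01'        # member server that will run the service
$ServiceName = 'ExampleSvc'   # service that should run as the MSA

# --- Step 1: on the DC, in an elevated PowerShell session ---
Import-Module ActiveDirectory
$New = @{ Name = $MsaName; Enabled = $true }
# Newer AD modules (Server 2012 and later) create a group MSA by default;
# ask for a single-computer MSA when the parameter is available.
if ((Get-Command New-ADServiceAccount).Parameters.ContainsKey('RestrictToSingleComputer')) {
    $New['RestrictToSingleComputer'] = $true
}
New-ADServiceAccount @New
# Bind the MSA to the one computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity $Server -ServiceAccount $MsaName

# --- Step 2: on the member server, in an elevated PowerShell session ---
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $MsaName

# --- Step 3: on the member server, assign the MSA to the service ---
$Account = "$Domain\$MsaName`$"   # MSA logon names end with '$'
$Svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $Svc) { throw "Service '$ServiceName' not found" }
$In = $Svc.PSBase.GetMethodParameters('Change')
$In['StartName']     = $Account
$In['StartPassword'] = $null     # no password: the OS manages it
$Result = $Svc.PSBase.InvokeMethod('Change', $In, $null)
if ($Result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with code $($Result.ReturnValue)"
}
Restart-Service -Name $ServiceName

# Verify the logon account that is now configured for the service.
$Actual = (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartName
if ($Actual -ne $Account) {
    Write-Warning "Service runs as '$Actual', expected '$Account'"
} else {
    Write-Output "Service '$ServiceName' runs as '$Actual'"
}
```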