I have to migrate 8 SQL Server instances to a new SQL Server 2019 AlwaysON cluster. Each instances are going to be replicated to a passive secondary node. We globally want to use gMSA instead of classicals domain accounts.
I cannot find the best practises related to this :
- Should I use the same gMSA for all sql services on all nodes ?
- Should I use a dedicated gMSA for each instance ? (primary and secondary node).
- If yes, Can I install more than one gMSA service on each node ?(
Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.
Since this has to do with internal company security, you’ll want to ask your security folks what they want to do. They will be the ones auditing and bringing items to your attention, thus it is better to have their sign-off on it.
Assuming they don’t care, so long as you use gMSAs…
Should I use the same gMSA for all sql services on all nodes ?
This will greatly simplify the deployments. Due to the nature of gMSA accounts, I don’t see an issue with this so long as the environment doesn’t touch many outside resources (as in it’s relatively self contained or all nodes and services need access to those outside resources, thus the security would need to be everywhere, anyway).
Should I use a dedicated gMSA for each instance ? (primary and secondary node).
The power of the gMSA is that it can be used more than once. If it were my personal environment, I’d use one gMSA account per cluster deployment. Note that I would not install more than one instance (AG or FCI) in a cluster, thus one account would work per cluster.
If yes, Can I install more than one gMSA service on each node ?( Install-ADServiceAccount gMSAsqlservice)
Yes, it’s possible and you can, but I wouldn’t have more than a single instance per node or single FCI per cluster, personally. Thus, I don’t see the need, but I’m also not you 🙂