Windows Containers do not ship with Active Directory support and due to their nature can’t (yet) act as a full-fledged domain joined objects, but a certain level of Active Directory functionality can be supported through the use of Globally Managed Service Accounts (GMSA).
Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (GMSA) which was designed to be shared by services.
https://technet.microsoft.com/en-us/library/hh831782(v=ws.11).aspx
We can authenticate to Active Directory resources from Windows container which is not part of your domain. For this to work certain prerequisites needs to be met.
For once your container hosts shall be part of Active Directory and you shall be able to utilize Group Managed Service Accounts.
https://technet.microsoft.com/en-us/library/hh831782%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
The following steps needed for communicate Windows container with on premise SQL server using GMSA.
Environments are used and described for this post.
Import-module ActiveDirectory
Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10));5.
Get-KdsRootKey
New-ADServiceAccount -Name container_gmsa -DNSHostName cloudiq.local
-PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "domain admins",
"CN=Container Hosts,CN=Builtin, DC=cloudiq, DC=local" -KerberosEncryptionType RC4, AES128, AES256
Get-ADServiceAccount -Identity container_gmsa
Set-ADServiceAccount -Identity container_gmsa -PrincipalsAllowedToRetrieveManagedPassword
CloudIQDC1$,cloud-2016$, CIQSQL2012$
Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -online -all
Get-ADServiceAccount -Identity container_gmsa
Install-ADServiceAccount -Identity container_gmsa
Test-AdServiceAccount -Identity container_gmsa
Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1"
-UseBasicParsing -OutFile $env:TEMP\cred.psm1
Import-Module $env:temp\cred.psm1
New-CredentialSpec -Name Gmsa -AccountName container_gmsa
#This will return location and name of JSON file
Get-CredentialSpec
CREATE LOGIN [cloudiq\container_gmsa$] FROM WINDOWS
sp_addsrvRolemember "cloudiq\container_gmsa$", "sysadmin"
Share this:
CloudIQ is a leading Cloud Consulting and Solutions firm that helps businesses solve today’s problems and plan the enterprise of tomorrow by integrating intelligent cloud solutions. We help you leverage the technologies that make your people more productive, your infrastructure more intelligent, and your business more profitable.
LATEST THINKING
INDIA
Chennai One IT SEZ,
Module No:5-C, Phase ll, 2nd Floor, North Block, Pallavaram-Thoraipakkam 200 ft road, Thoraipakkam, Chennai – 600097
© 2023 CloudIQ Technologies. All rights reserved.
Get in touch
Please contact us using the form below
USA
INDIA