How to Properly Configure DNSHostName for Managed Service Accounts in Active Directory

When working with Managed Service Accounts (MSAs) in Active Directory, the DNSHostName parameter serves several critical functions:

  • Provides a fully qualified domain name (FQDN) for the service principal
  • Enables proper SPN (Service Principal Name) registration
  • Facilitates secure authentication through Kerberos
  • Allows for proper DNS resolution of the service account

Consider these guidelines when setting the DNSHostName:

# Good practice examples
New-ADServiceAccount WebSvc -DNSHostName websvc-prod.contoso.com
New-ADServiceAccount SQLAgent -DNSHostName sqlagent-02.corp.example.com

Key recommendations:

  • Use a meaningful prefix that identifies the service type
  • Include environment indicators (prod, dev, test)
  • Follow your organization's DNS naming conventions
  • Ensure the domain suffix matches your Active Directory domain

Here are some practical examples for different service types:

Web Application Service

New-ADServiceAccount AppPool01 -DNSHostName apppool-web01.contoso.com `
    -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword WEB01$

Database Service

New-ADServiceAccount SQLReplication -DNSHostName sql-repl.db.contoso.com `
    -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword SQLSRV01$

If you encounter problems with your MSA configuration:

  1. Verify DNS resolution using nslookup
  2. Check SPN registration with setspn -L <account>
  3. Validate Kerberos tickets with klist

Example verification command:

Test-ADServiceAccount -Identity SQLReplication

Here's the recommended format for setting DNSHostName:

# Basic MSA creation with DNSHostName (backticks continue the command across lines)
New-ADServiceAccount -Name "WebServiceAccount" `
                     -DNSHostName "websvc01.prod.corp.example.com" `
                     -Enabled $true `
                     -ServicePrincipalNames "HTTP/websvc01.prod.corp.example.com"

Follow these conventions when assigning DNSHostNames:

# Good practice - descriptive and hierarchical
New-ADServiceAccount -Name "SQLClusterNode1" `
                     -DNSHostName "sqlclusternode1.db.prod.example.com"

# Bad practice - too generic
New-ADServiceAccount -Name "Service1" `
                     -DNSHostName "service1.example.com"  # Lacks context

For complex environments with multiple services:

# Creating MSAs with multiple SPNs
$params = @{
    Name = "MultiServiceAccount"
    DNSHostName = "multisvc.appcluster.example.com"
    Enabled = $true
    ServicePrincipalNames = @(
        "HTTP/multisvc.appcluster.example.com",
        "HTTP/multisvc",
        "CIFS/multisvc.appcluster.example.com"
    )
}

New-ADServiceAccount @params

Common errors and solutions:

# Error: DNS name does not exist
# Solution: Ensure the DNS zone exists or use existing namespace

# Error: Duplicate SPN
# Solution: Verify uniqueness before registering; replace HTTP/yourservice with the SPN you intend to add
Get-ADServiceAccount -Filter * -Properties ServicePrincipalNames |
    Where-Object { $_.ServicePrincipalNames -contains "HTTP/yourservice" }
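The troubleshooting steps and the two common errors above can be folded into one check. The following function is an added example, not code from the original article; it assumes the ActiveDirectory and DnsClient modules are installed and that the caller can read the account, and the function name Test-MsaDnsHostName is our own.

```powershell
# Added example: audit one service account's DNSHostName and SPNs against the
# conventions in this article. Assumes the ActiveDirectory and DnsClient
# modules are available; Test-MsaDnsHostName is a name chosen for this example.
function Test-MsaDnsHostName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity
    )
    $msa = Get-ADServiceAccount -Identity $Identity `
        -Properties DNSHostName, ServicePrincipalNames
    $domainDns = (Get-ADDomain).DNSRoot
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. DNSHostName must be set and its suffix must match the AD domain
    if (-not $msa.DNSHostName) {
        $findings.Add("DNSHostName is empty")
    }
    elseif ($msa.DNSHostName -notlike "*.$domainDns") {
        $findings.Add("DNSHostName '$($msa.DNSHostName)' is not under $domainDns")
    }

    # 2. The name should resolve (the "DNS name does not exist" error above)
    if ($msa.DNSHostName) {
        try {
            $null = Resolve-DnsName -Name $msa.DNSHostName -ErrorAction Stop
        }
        catch {
            $findings.Add("DNSHostName '$($msa.DNSHostName)' does not resolve")
        }
    }

    # 3. Each SPN must be unique in the domain; a duplicate breaks Kerberos
    foreach ($spn in $msa.ServicePrincipalNames) {
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
            Where-Object { $_.DistinguishedName -ne $msa.DistinguishedName }
        if ($holders) {
            $findings.Add("SPN '$spn' is also registered on $($holders.Name -join ', ')")
        }
    }

    [pscustomobject]@{
        Identity    = $msa.Name
        DNSHostName = $msa.DNSHostName
        SPNs        = @($msa.ServicePrincipalNames)
        Findings    = $findings
    }
}
Test-MsaDnsHostName -Identity SQLReplication
```

An empty Findings list means the account passes all three checks; any entry names the exact DNSHostName or SPN to correct.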