How to Properly Configure DNSHostName for Managed Service Accounts in Active Directory

When working with Managed Service Accounts (MSAs) in Active Directory, the DNSHostName parameter serves several critical functions:

  • Provides a fully qualified domain name (FQDN) for the service principal
  • Enables proper SPN (Service Principal Name) registration
  • Facilitates secure authentication through Kerberos
  • Allows for proper DNS resolution of the service account

Consider these guidelines when setting the DNSHostName:

# Good practice examples
New-ADServiceAccount WebSvc -DNSHostName websvc-prod.contoso.com
New-ADServiceAccount SQLAgent -DNSHostName sqlagent-02.corp.example.com

Key recommendations:

  • Use a meaningful prefix that identifies the service type
  • Include environment indicators (prod, dev, test)
  • Follow your organization's DNS naming conventions
  • Ensure the domain suffix matches your Active Directory domain

Here are some practical examples for different service types:

Web Application Service

New-ADServiceAccount AppPool01 -DNSHostName apppool-web01.contoso.com `
    -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$'

Database Service

New-ADServiceAccount SQLReplication -DNSHostName sql-repl.db.contoso.com `
    -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword 'SQLSRV01$'

If you encounter problems with your MSA configuration:

  1. Verify DNS resolution using nslookup
  2. Check SPN registration with setspn -L
  3. Validate Kerberos tickets with klist

Example verification command (run it on the host where the account has been installed, since it tests the local computer's ability to use the account):

Test-ADServiceAccount -Identity SQLReplication

To recap before looking at the full syntax, the DNSHostName parameter:

  • Provides a fully qualified domain name (FQDN) for the service principal
  • Enables Kerberos authentication by anchoring the account's SPNs
  • Facilitates DNS resolution for services running under the account
  • Is a required parameter for the group managed service account type that New-ADServiceAccount creates by default

Here's the recommended format for setting DNSHostName:

# Basic MSA creation with DNSHostName (trailing backticks continue the command across lines)
New-ADServiceAccount -Name "WebServiceAccount" `
                     -DNSHostName "websvc01.prod.corp.example.com" `
                     -Enabled $true `
                     -ServicePrincipalNames "HTTP/websvc01.prod.corp.example.com"

Follow these conventions when assigning DNSHostNames:

# Good practice - descriptive and hierarchical
New-ADServiceAccount -Name "SQLClusterNode1" `
                     -DNSHostName "sqlclusternode1.db.prod.example.com"

# Bad practice - too generic
New-ADServiceAccount -Name "Service1" `
                     -DNSHostName "service1.example.com"  # Lacks context

For complex environments with multiple services:

# Creating MSAs with multiple SPNs
$params = @{
    Name = "MultiServiceAccount"
    DNSHostName = "multisvc.appcluster.example.com"
    Enabled = $true
    ServicePrincipalNames = @(
        "HTTP/multisvc.appcluster.example.com",
        "HTTP/multisvc",
        "CIFS/multisvc.appcluster.example.com"
    )
}

New-ADServiceAccount @params

Common errors and solutions:

# Error: DNS name does not exist
# Solution: Ensure the DNS zone exists or use existing namespace

# Error: Duplicate SPN
# Solution: Verify uniqueness with the query below. Note that it only searches
# managed service accounts; a duplicate may also live on a user or computer
# object, so cross-check with setspn -X, which reports duplicates forest-wide.
Get-ADServiceAccount -Filter * -Properties ServicePrincipalNames |
    Where-Object {$_.ServicePrincipalNames -contains "HTTP/yourservice"}
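The naming conventions and the duplicate-SPN check above can be combined into a single pre-flight step, as in the added example below (my code, not from the original article). It assumes the ActiveDirectory module is loaded and Get-ADDomain can reach a domain controller; the account name, DNSHostName and SPN are constructed sample values.

```powershell
# Added example: validate a proposed MSA against the conventions in this article
# (FQDN, suffix matches the AD domain, environment indicator present) and confirm
# each SPN is unique across the directory before New-ADServiceAccount is called.
function Test-MsaDnsHostName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DNSHostName,
        [string[]]$ServicePrincipalNames = @()
    )
    $problems = @()
    # Must look like an FQDN: dotted labels of hostname characters only.
    if ($DNSHostName -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]+$') {
        $problems += "'$DNSHostName' is not a valid FQDN"
    }
    # Domain suffix must match the Active Directory domain.
    $adDomain = (Get-ADDomain).DNSRoot
    if (-not $DNSHostName.EndsWith(".$adDomain", [StringComparison]::OrdinalIgnoreCase)) {
        $problems += "Suffix of '$DNSHostName' does not match AD domain '$adDomain'"
    }
    # An environment indicator (prod, dev, test) should appear as its own label or segment.
    if ($DNSHostName -notmatch '(^|[.-])(prod|dev|test)([.-]|$)') {
        $problems += "No environment indicator (prod/dev/test) in '$DNSHostName'"
    }
    # Each SPN must be unique across all object types, not just among MSAs.
    foreach ($spn in $ServicePrincipalNames) {
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
        if ($holders) {
            $problems += "SPN '$spn' already held by: $($holders.DistinguishedName -join ', ')"
        }
    }
    [pscustomobject]@{
        Name        = $Name
        DNSHostName = $DNSHostName
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Only create the account when every check passes; otherwise report why not.
$spns  = @('HTTP/sql-repl.db.prod.contoso.com')   # constructed sample SPN
$check = Test-MsaDnsHostName -Name 'SQLReplication' -DNSHostName 'sql-repl.db.prod.contoso.com' -ServicePrincipalNames $spns
if ($check.Valid) {
    New-ADServiceAccount -Name $check.Name -DNSHostName $check.DNSHostName -Enabled $true -ServicePrincipalNames $spns
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```

Running the check with a name such as service1.example.com against a contoso.com domain returns Valid = $false with both the suffix and the missing environment indicator listed, which is exactly the "too generic" case the bad-practice example above warns about.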