DFL/FFL for Managed Service Accounts

  • DFL/FFL for Managed Service Accounts

    I was reading about these, and really can't see any mention of raising DFL/FFL as a requirement for using Managed Service Accounts.

    http://technet.microsoft.com/library/dd548356.aspx

    It says that /forestprep must be run at forest level, and /domainprep must be run in each domain where one wants to use managed service accounts, but no talk of raising the DFL/FFL at all.

    So what DFL/FFL is needed to utilise Managed Service Accounts?

    Can't find anything here either http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

    Except that at 2008R2 DFL:

    "Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=180401)."

    Is Server 2003 the minimum DFL needed to utilise managed service accounts?

  • #2
    Re: DFL/FFL for Managed Service Accounts

    From the link you posted (Step By Step Guide):
    "Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management. If the domain is running at the Windows Server 2003 functional level or the Windows Server 2008 functional level, additional configuration steps will be needed to support managed service accounts."
    Strongly suggests 2003 and above -- note you need at least one 2008R2 DC
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: DFL/FFL for Managed Service Accounts

      Thanks. But how do you gather that you need at least one 2008R2 DC?



      • #4
        Re: DFL/FFL for Managed Service Accounts

        -- should have read step 3 a few lines deeper -- got to the 2008R2 and missed the alternatives
        Tom Jones