12.0 Configuring DRA Services for a Group Managed Service Account

If required, you can use a group Managed Service Account (gMSA) for DRA services. For more information about using a gMSA, see the Microsoft reference Group Managed Service Accounts Overview. This section explains how to configure DRA for a gMSA after adding the account to Active Directory.

IMPORTANT: Do not use the gMSA as a service account while installing DRA.

To configure the DRA Primary Administration server for a gMSA:

  1. Add the gMSA as a member of the following groups:

    • Local Administrators group on the DRA server

    • AD LDS group in the DRA managed domain

  2. Change the logon account in service Properties for each of the services below to the gMSA:

    • Administration Service

    • DRA Audit Service

    • DRA Cache Service

    • DRA Core Service

    • DRA Log Archive

    • DRA Replication Service

    • DRA Rest Service

    • DRA Skype Service

  3. Restart all the services.

  4. Delegate the “Audit All Objects” role to the gMSA by running the following command:

    Add-DRAAssignments -Identifier "All Objects" -Users "CN=<gMSA_name>, CN=Managed Service Accounts, DC=MyDomain, DC=corp" -Roles "Audit All Objects"

To configure a DRA secondary administration server for a gMSA:

  1. Install the secondary server.

  2. On the primary server, assign the Configure Servers and Domains role to the Administration Servers and Managed Domains ActiveView for the secondary server’s service account.

  3. On the primary server, add a new secondary server and specify the secondary server service account.

  4. Add the gMSA to the local administrators group on the DRA Secondary Administration server.

  5. On the secondary server, change the logon account of all the DRA services to the gMSA, and then restart the DRA services.
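
The following read-only check is an added example, not part of the DRA product or its documentation. Run it on a primary or secondary server after completing the steps above to confirm that each listed service logs on as the gMSA and that the gMSA is a direct member of the local Administrators group. The gMSA name and domain are placeholders, and the script assumes the service names listed above appear within the installed services' display names.

```powershell
# Added example: read-only verification of the gMSA steps on a DRA server.
# Assumptions: placeholder gMSA/domain names; the display names from the list
# above are matched as substrings of the installed services' display names.
param(
    [string]$GmsaName   = 'svc-dra-gmsa',   # placeholder gMSA name, without the trailing $
    [string]$NetbiosDom = 'MYDOMAIN'        # placeholder NetBIOS domain name
)

$acct = "$GmsaName`$"                       # sAMAccountName of a gMSA ends in $
$displayNames = 'Administration Service', 'DRA Audit Service', 'DRA Cache Service',
                'DRA Core Service', 'DRA Log Archive', 'DRA Replication Service',
                'DRA Rest Service', 'DRA Skype Service'

# Compare each service's logon account (StartName) with the gMSA.
# StartName can be DOMAIN\name$ or name$@domain, so split on both separators.
$services = Get-CimInstance -ClassName Win32_Service
$report = foreach ($dn in $displayNames) {
    $match = $services | Where-Object { $_.DisplayName -like "*$dn*" }
    if (-not $match) {
        [pscustomobject]@{ Service = $dn; LogonAccount = '<not found>'; State = ''; UsesGmsa = $false }
        continue
    }
    foreach ($svc in $match) {
        [pscustomobject]@{
            Service      = $svc.DisplayName
            LogonAccount = $svc.StartName
            State        = $svc.State
            UsesGmsa     = (($svc.StartName -split '[\\@]') -contains $acct)
        }
    }
}

# Direct membership only; membership through a nested domain group is not resolved.
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -split '\\')[-1] -eq $acct })

# Test-ADServiceAccount (ActiveDirectory module) reports whether this host
# is allowed to retrieve the gMSA password.
$canUse = if (Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue) {
    Test-ADServiceAccount -Identity $GmsaName
} else { 'ActiveDirectory module not installed' }

$report | Format-Table -AutoSize
"Expected logon account: $NetbiosDom\$acct"
"gMSA in local Administrators (direct member): $isLocalAdmin"
"Host can retrieve gMSA password: $canUse"
```

The script does not check membership of the AD LDS group in the managed domain or the role delegation; verify those separately.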