Set up a Group Managed Service Account

To run WorkZone on an air-gapped environment, you must set up a Group Managed Service Account (gMSA) in your Active Directory.

Add the KdsRootKey

  1. Open PowerShell 7 as an administrator.
  2. First, check whether a KdsRootKey already exists by running Get-KdsRootKey.
  3. If none exists, run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) so the key is usable immediately instead of after the default 10-hour replication wait.
  4. Run Get-KdsRootKey again and check that the key has the correct specifications.

Create a gMSA in your AD

  1. In Active Directory Users and Computers, select Create a new group in the current container.
  2. Enter a name for the group and set Group scope to Global and the Group type to Security.
  3. Click OK.

Add a server/node to the security group

  1. In Active Directory, open the newly created group and go to the Members tab and click Add....
  2. In the dialog, click Object types and make sure that only Computers is selected, then click OK.
  3. In the Enter the object names to select field, enter the name of your node, click Check names and then click OK.

Add the gMSA account to servers/nodes

Run the following command in PowerShell 7:

New-ADServiceAccount "gMSA" -DNSHostName "gMSA.[domain name]" -PrincipalsAllowedToRetrieveManagedPassword "gmsaserver"

When you have run this command, the gMSA should be visible in your Managed Service Accounts folder in Active Directory.

You can also run Get-ADServiceAccount -Identity "gMSA" -Properties * to check the parameters of the setup.

Install the gMSA via Windows Server Manager

  1. In Microsoft Server Manager, go to Manage > Add Roles and Features.
  2. On the Select installation type page, select Role-based or feature-based installation, then click Next.
  3. On the Server selection page, choose Select a server from the server pool, search for your server and select it, then click Next.
  4. On the Select server roles page, select File and Storage Services and Web Server (IIS), then click Next.
  5. On the Features page use the search field to navigate to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools, and select Active Directory module for Windows PowerShell.
  6. Click Next, and then Install. When the installation is complete, you must reboot the server.
  7. Once the server has rebooted, open PowerShell 7 on it and run Install-ADServiceAccount -Identity "gMSA$".

Generate json spec file for the gMSA account

The system requires a .json credential specification file to pass to the containers at startup. To generate this file, run the following commands in PowerShell 7:

Install-Module CredentialSpec

New-CredentialSpec -AccountName gMSA

Get-CredentialSpec

The generated gMSA.json file is located here: C:\ProgramData\Docker\CredentialSpecs.
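The following verification script is an added example and not part of the original page or the WorkZone product; it checks the result of the steps above on a node. It assumes the names used in this guide (account gMSA, security group gmsaserver) and the credential spec path given above, and that the Active Directory PowerShell module from step 5 is installed.

```powershell
# Added verification script (not from the original page). Assumes the names used
# above: gMSA account "gMSA", security group "gmsaserver", and the credential spec
# at C:\ProgramData\Docker\CredentialSpecs\gMSA.json. Run in PowerShell 7 on the node.
param(
    [string]$AccountName = 'gMSA',
    [string]$GroupName   = 'gmsaserver',
    [string]$SpecPath    = 'C:\ProgramData\Docker\CredentialSpecs\gMSA.json'
)
Import-Module ActiveDirectory
$ok = $true

# 1. A KDS root key must exist and already be effective, or password retrieval fails.
$key = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $key) { Write-Warning 'No effective KDS root key found'; $ok = $false }

# 2. The gMSA must exist and allow only the expected group to retrieve its password.
try {
    $acct = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction Stop
} catch { Write-Warning "Account $AccountName not found: $_"; exit 1 }
$group = Get-ADGroup -Identity $GroupName
$allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed -notcontains $group.DistinguishedName) {
    Write-Warning "$GroupName is not allowed to retrieve the password of $AccountName"; $ok = $false
}
$extra = $allowed | Where-Object { $_ -ne $group.DistinguishedName }
if ($extra) { Write-Warning "Unexpected principals can retrieve the password: $($extra -join ', ')" }

# 3. This computer must be a member of the group (membership applies after a reboot).
$self = "$env:COMPUTERNAME`$"
if ((Get-ADGroupMember -Identity $GroupName).SamAccountName -notcontains $self) {
    Write-Warning "$self is not a member of $GroupName"; $ok = $false
}

# 4. The node must actually be able to retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    Write-Warning "Test-ADServiceAccount failed for $AccountName"; $ok = $false
}

# 5. The credential spec must exist and reference the same account.
if (Test-Path $SpecPath) {
    $spec  = Get-Content $SpecPath -Raw | ConvertFrom-Json
    $names = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts.Name)
    if ($names -notcontains $AccountName) { Write-Warning "$SpecPath does not reference $AccountName"; $ok = $false }
} else { Write-Warning "Credential spec not found at $SpecPath"; $ok = $false }

if ($ok) { 'gMSA setup checks passed' } else { 'gMSA setup checks failed'; exit 1 }
```

A warning about unexpected principals in step 2 is worth acting on: any computer or group listed there can retrieve the account's password, so the list should contain nothing beyond the group created for the nodes.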