1. Check if Machine Is Domain Joined
(Get-WmiObject Win32_ComputerSystem).PartOfDomain
2. View SPNs for a SQL Server Service Account
setspn -L domain\sqlsvcaccount
5. Register an SPN for SQL Server
setspn -S MSSQLSvc/sql1.contoso.com:1433 domain\sqlsvcaccount
-S refuses to add the SPN if it already exists on another account (duplicates break Kerberos and force an NTLM fallback); use -A only after checking with setspn -Q. A default instance needs both MSSQLSvc/sql1.contoso.com:1433 and MSSQLSvc/sql1.contoso.com. For a gMSA the account name is domain\gMSASQL01$.
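Added example (not part of the original cheat sheet): an audit that goes one step beyond steps 2-3 by walking every MSSQLSvc SPN in the domain, flagging duplicates and SPNs that sit on ordinary user accounts, and then confirming from a client that a connection really negotiated Kerberos. It assumes the RSAT ActiveDirectory module and sqlcmd on a domain-joined workstation; contoso.com and sql1 are the cheat sheet's placeholder names.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory + sqlcmd.
Import-Module ActiveDirectory

# Every object in the domain holding at least one SQL Server SPN
$holders = Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' `
    -Properties servicePrincipalName, sAMAccountName

# Index SPN -> accounts so duplicates become visible (SPNs compare case-insensitively)
$index = @{}
foreach ($obj in $holders) {
    foreach ($spn in $obj.servicePrincipalName) {
        if ($spn -notlike 'MSSQLSvc/*') { continue }
        $key = $spn.ToLowerInvariant()
        if (-not $index.ContainsKey($key)) { $index[$key] = @() }
        $index[$key] += $obj.sAMAccountName
    }
}

# 1) Duplicate SPNs: the KDC cannot choose a key, clients silently fall back to NTLM
foreach ($entry in ($index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $entry.Key, ($entry.Value -join ', '))
}

# 2) SQL SPNs on plain user accounts: every service ticket is encrypted with a key
#    derived from that account's password, so a weak password can be cracked offline
#    from a ticket any domain user may request. Prefer a gMSA (step 4 of the sheet).
$holders | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
    Write-Warning ("MSSQLSvc SPN on user account {0}; consider moving it to a gMSA" -f $_.sAMAccountName)
}

# 3) Which account owns one specific SPN (setspn -Q searches the whole forest)
setspn -Q MSSQLSvc/sql1.contoso.com:1433

# 4) Run from a remote client: auth_scheme must read KERBEROS, not NTLM.
#    (A local loopback connection may report NTLM even when SPNs are correct.)
sqlcmd -S sql1.contoso.com -E -Q "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
```

Run it after any SPN change; a duplicate or a missing port form is the usual reason a "Kerberos" linked server quietly ends up using NTLM.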
4. Create a gMSA Account (Domain Admin)
New-ADServiceAccount -Name gMSASQL01 `
    -DNSHostName sql1.contoso.com `
    -PrincipalsAllowedToRetrieveManagedPassword "SQLServersGroup"
The forest needs a KDS root key before the first gMSA can be created. Keep SQLServersGroup limited to the SQL hosts' computer accounts: any member can retrieve the password. Test-ADServiceAccount returns True only on a host that is allowed to retrieve the password, so run it on the SQL Server host in step 5 rather than on the admin workstation.
5. Install gMSA on SQL Server VM
Install-ADServiceAccount -Identity gMSASQL01
Test-ADServiceAccount gMSASQL01
Prerequisites on the host: the RSAT ActiveDirectory module, and the host's computer account must be a member of SQLServersGroup followed by a reboot (the new group membership only appears in a fresh computer token). Test-ADServiceAccount should return True; then set the SQL Server service to log on as DOMAIN\gMSASQL01$ with an empty password in SQL Server Configuration Manager, which also grants "Log on as a service".
6. Delegate Permissions to gMSA (Constrained, Kerberos Only)
Set-ADServiceAccount -Identity gMSASQL01 `
    -Add @{'msDS-AllowedToDelegateTo'='MSSQLSvc/sql2.contoso.com:1433'}
Set-ADUser does not resolve gMSA objects; use Set-ADServiceAccount (or Set-ADObject). List every SPN the target instance has registered (with and without the port). Do not enable "Use any authentication protocol" (TrustedToAuthForDelegation) unless protocol transition is genuinely required: it lets the gMSA obtain tickets to sql2 as any user, including users who never authenticated to sql1.
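Added example (not part of the original cheat sheet): steps 4 to 6 as one script, split into the part that runs on the admin workstation and the part that runs on the SQL host, with the verification a practitioner would want afterwards. It assumes the RSAT ActiveDirectory module; gMSASQL01, SQLServersGroup, sql1 and sql2.contoso.com are the cheat sheet's placeholders, and the AES-only encryption setting is an addition of this example.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# --- On the domain admin workstation -------------------------------------------------
# gMSA passwords are derived from the KDS root key; create one if the forest has none.
# Backdating the effective time is a lab shortcut; in production wait ~10h for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Only group members can retrieve the password, so the group is effectively the
# list of machines that can act as this identity. Keep it to the SQL hosts.
$group = Get-ADGroup SQLServersGroup
Add-ADGroupMember -Identity $group -Members (Get-ADComputer sql1)   # sql1 must reboot after this

New-ADServiceAccount -Name gMSASQL01 `
    -DNSHostName sql1.contoso.com `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -ServicePrincipalNames 'MSSQLSvc/sql1.contoso.com:1433', 'MSSQLSvc/sql1.contoso.com' `
    -KerberosEncryptionType AES128, AES256      # no RC4 service tickets for this account

# Kerberos-only constrained delegation to sql2 (for linked servers). Writing only
# msDS-AllowedToDelegateTo leaves TrustedToAuthForDelegation off, so sql1 can forward
# a user's identity to sql2 only when that user authenticated to sql1 with Kerberos.
Set-ADServiceAccount -Identity gMSASQL01 -Add @{
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql2.contoso.com:1433', 'MSSQLSvc/sql2.contoso.com')
}

# --- On the SQL Server host (sql1), after the reboot that refreshed its token -----------
Install-ADServiceAccount -Identity gMSASQL01
Test-ADServiceAccount gMSASQL01      # expected: True
# Then set the SQL service logon to CONTOSO\gMSASQL01$ with an empty password
# in SQL Server Configuration Manager.

# --- Verification (anywhere with the AD module) ----------------------------------------
$props = 'PrincipalsAllowedToRetrieveManagedPassword', 'ServicePrincipalNames',
         'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'KerberosEncryptionType'
$acct = Get-ADServiceAccount gMSASQL01 -Properties $props
$acct | Format-List $props

if ($acct.TrustedToAuthForDelegation) {
    Write-Warning 'Protocol transition is enabled: the account can impersonate users who never logged on. Disable it unless required.'
}
if ($acct.PrincipalsAllowedToRetrieveManagedPassword.Count -ne 1) {
    Write-Warning 'More than one principal can retrieve this password; review the list above.'
}
```

The two warnings at the end are the checks worth repeating periodically: a later "fix" that enables protocol transition, or a helpdesk change that adds a broad group to the retrieval list, silently turns a tightly scoped service identity into a domain-wide impersonation primitive.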
7. Pre-create the DNS Record for a Cluster or AG Listener
dnscmd /RecordAdd <domain name> AGListenerName A <IP>
A record created this way is owned by the administrator who ran the command, not by the cluster. Grant the Cluster Name Object write access on the record (DNS Manager → record Properties → Security), or the cluster's dynamic update of the listener address will be refused when the listener comes online.
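Added example (not part of the original cheat sheet): pre-staging a listener the least-privilege way, which goes beyond the single dnscmd line above. Instead of granting the Cluster Name Object "Create Computer Objects" on the whole OU, the script creates the listener's virtual computer object and DNS A record as an administrator and then grants the CNO rights on just those two objects. It assumes the RSAT ActiveDirectory and DnsServer modules and an AD-integrated zone stored in the DomainDnsZones partition; the cluster name SQLCLUSTER, the OU, zone, IP address and DNS server name are placeholders.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory + DnsServer
# modules and an AD-integrated zone in DomainDnsZones. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$cno       = 'SQLCLUSTER'                          # cluster computer object (CNO)
$listener  = 'AGListenerName'
$ou        = 'OU=SQL Servers,DC=contoso,DC=com'
$zone      = 'contoso.com'
$ip        = '10.0.0.50'
$dnsServer = 'dc1.contoso.com'
$domainDn  = 'DC=contoso,DC=com'

$cnoSid = (Get-ADComputer $cno).SID

function Grant-ObjectRight {
    # Adds one Allow ACE for the CNO on a single directory object via the AD: drive
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $cnoSid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1) Virtual computer object for the listener, created disabled: the cluster enables it
#    when the listener comes online. Full Control on this one object replaces
#    "Create Computer Objects" on the OU.
New-ADComputer -Name $listener -Path $ou -Enabled $false `
    -Description "AG listener VCO pre-staged for cluster $cno"
$vcoDn = (Get-ADComputer $listener).DistinguishedName
Grant-ObjectRight -Dn $vcoDn -Rights GenericAll

# 2) The A record (PowerShell equivalent of the dnscmd line) ...
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone `
    -Name $listener -IPv4Address $ip

# ... plus write access for the CNO on the record's dnsNode object, otherwise the
#     record stays owned by the admin and the cluster's dynamic update is refused.
$recordDn = "DC=$listener,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
Grant-ObjectRight -Dn $recordDn -Rights GenericWrite

# 3) Verify: show exactly what the CNO was granted on both objects
foreach ($dn in $vcoDn, $recordDn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\${cno}$" } |
        Select-Object @{n='Object'; e={$dn}}, IdentityReference, ActiveDirectoryRights, AccessControlType
}
```

Create the listener from SQL Server afterwards; the cluster finds the disabled VCO with a matching name and the pre-created record, and needs no other rights in the directory.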
8. View Domain Membership Info
systeminfo | findstr /B /C:"Domain"
or
(Get-WmiObject Win32_ComputerSystem).Domain
9. View Delegation Settings in AD (GUI)
Open Active Directory Users and Computers
Find your SQL Server computer object or classic service account
Right-click → Properties → Delegation tab (the tab appears only once the object has an SPN)
gMSA objects do not get a Delegation tab in ADUC; check them in Attribute Editor (msDS-AllowedToDelegateTo) or with Get-ADServiceAccount -Properties msDS-AllowedToDelegateTo.
10. Common Permissions for DBA Tasks
Task | Permission Needed
---|---
Create AG Listener | CNO needs Create Computer Objects on the OU, or Full Control on a pre-staged VCO, plus write access to the listener's DNS record
Use gMSA | Host computer account in PrincipalsAllowedToRetrieveManagedPassword (e.g., via SQLServersGroup) + "Log on as a service" on the host
Use linked servers w/ Kerberos | Correct SPNs on both instances + Kerberos-only constrained delegation from the gMSA to the target instance's SPNs
SQL Agent file share access | Share and NTFS ACLs granting DOMAIN\gMSASQL01$ (the gMSA is addressed like a computer account)
11. PowerShell AD Module Cmdlets
Cmdlet | Purpose
---|---
Get-ADUser | View a user or classic service account (does not return gMSAs)
Set-ADUser | Modify a user account (not usable for gMSA delegation)
Get-ADServiceAccount | View a gMSA, including msDS-AllowedToDelegateTo and retrieval principals
Set-ADServiceAccount | Modify a gMSA (e.g., add delegation targets or SPNs)
New-ADServiceAccount | Create a gMSA
Install-ADServiceAccount | Cache the gMSA on the local SQL Server host
Get-ADComputer | Inspect SQL Server host or cluster node