There is a feature/bug in the Windows Server 2008 R2 managed service account (MSA) PowerShell cmdlets that limits the account name to 15 characters or less. The likely reason is that an MSA is treated like a computer account: its sAMAccountName gets a trailing "$" appended and has to fit the 15-character NetBIOS-style computer name limit. Longer names are accepted by New-ADServiceAccount but fail later in Install-ADServiceAccount.
First, let's create a managed service account called SVC_SQL01_LongName using PowerShell. The account name is 18 characters long. You can run the following command on a Windows Server 2008 R2 domain controller, or on a 2008 R2 member server which has the Active Directory Module for Windows PowerShell installed. Make sure the PowerShell console you open has the AD module loaded (Import-Module ActiveDirectory).
New-ADServiceAccount SVC_SQL01_LongName -Enabled $true -Path "CN=Managed Service Accounts,DC=contoso,DC=net" -ServicePrincipalNames "MSSQLSVC/SQL01.contoso.net:1433" -TrustedForDelegation $True
Great, the account is created without complaint. Now, here comes the problem. Log on to the Server 2008 R2 member server which will be using the service account, say your SQL server. If your member server doesn't have the AD PowerShell module, run the following PowerShell commands to install it:
Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Then, close your PowerShell console and from Administrative Tools open an Active Directory Module for Windows PowerShell console and type:

Install-ADServiceAccount SVC_SQL01_LongName

It will fail with:

Install-ADServiceAccount : Cannot install service account. Error Message: 'Unknown error (0xc0000017)'.
At line:1 char:25
+ Install-ADServiceAccount SVC_SQL01_LongName
    + CategoryInfo          : WriteError: (SVC_SQL01_LongName:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount
Doh, not good. The status code is misleading: 0xC0000017 is STATUS_NO_MEMORY, which has nothing to do with the real cause, the name length. Now, create another managed service account with a shorter name, say 15 characters long, called SVC_001_SQL01_D. Run Install-ADServiceAccount again and there are no error messages. You can confirm the account is usable on the member server with Test-ADServiceAccount SVC_001_SQL01_D, which returns True when the MSA is installed correctly.
Make sure all of your managed service account names are 15 characters or less. Microsoft has a nice and very detailed managed service accounts How-To you can find here. Nowhere does it mention a 15 character maximum, though. A more friendly blog post about managed service account best practices is here. One more caveat on the example above: -TrustedForDelegation $True enables unconstrained Kerberos delegation for the account, which lets the SQL service impersonate any user that authenticates to it against any other service. Only set it if the application genuinely needs it; most SQL services do not.
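The whole procedure, with the name-length check done up front instead of discovered at install time, as an added example (this is not code from the original post). It assumes the same contoso.net domain, SQL01 host and default Managed Service Accounts container as above; the function names Test-MsaNameLength and New-SqlMsa are this example's own, and the -TrustedForDelegation switch is deliberately left off.

```powershell
# Added example, not from the original post.
# Assumes: domain contoso.net, SQL host SQL01.contoso.net, container
# "CN=Managed Service Accounts,DC=contoso,DC=net". Function names are hypothetical.
Import-Module ActiveDirectory

function Test-MsaNameLength {
    param([Parameter(Mandatory)][string]$Name)
    # The MSA's sAMAccountName gets a trailing '$' like a computer account,
    # so the chosen name must be 15 characters or fewer. Fail here instead of
    # getting the misleading 0xC0000017 from Install-ADServiceAccount later.
    if ($Name.Length -gt 15) {
        throw "MSA name '$Name' is $($Name.Length) characters; the maximum is 15."
    }
    return $true
}

function New-SqlMsa {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SqlHostFqdn,
        [string]$Path = "CN=Managed Service Accounts,DC=contoso,DC=net"
    )
    Test-MsaNameLength -Name $Name | Out-Null
    # Unconstrained delegation (-TrustedForDelegation) is intentionally not set.
    New-ADServiceAccount -Name $Name -Enabled $true -Path $Path `
        -ServicePrincipalNames "MSSQLSVC/${SqlHostFqdn}:1433"
}

# Step 1: on the domain controller (or any host with the AD module loaded).
New-SqlMsa -Name "SVC_001_SQL01_D" -SqlHostFqdn "SQL01.contoso.net"

# Step 2: on the SQL member server, after RSAT-AD-PowerShell is installed.
Install-ADServiceAccount -Identity "SVC_001_SQL01_D"
if (-not (Test-ADServiceAccount -Identity "SVC_001_SQL01_D")) {
    throw "MSA SVC_001_SQL01_D did not install correctly on $env:COMPUTERNAME"
}
```

Running New-SqlMsa with the 18-character name SVC_SQL01_LongName throws at Test-MsaNameLength before anything is written to the directory, which is the behaviour you want; the original flow leaves an orphaned, uninstallable account behind that you then have to clean up with Remove-ADServiceAccount.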