Create Service Principal Names Along with a Managed Service Account

In a few previous articles, I have talked a lot about Managed Service Accounts (MSA) and Service Principal Names (SPN) and given examples of managing them separately. As a DBA prepping for a new SQL Server installation, you most likely already know the MSA account name(s) and what is needed to create the associated SPNs, so why not create them at the same time?

This example uses the PowerShell cmdlet New-ADServiceAccount to create both in the same command. The ServicePrincipalNames parameter can accept an array of strings, so just specify each SPN separated by a comma.

# Create the gMSA, set its DNS host name, allow the SQL Server computer account
# to retrieve the managed password, and register the SPNs for the SQL instance
# (by instance name and by port) in one call.
New-ADServiceAccount `
  -Name DEATHSTAREN5 `
  -DNSHostName DEATHSTAREN5.govlab.corp `
  -PrincipalsAllowedToRetrieveManagedPassword 'DEATHSTAR$' `
  -ServicePrincipalNames @('MSSQLSvc/DEATHSTAR.govlab.corp:SQL2019','MSSQLSvc/DEATHSTAR.govlab.corp:11004')

We can even run SETSPN -L afterwards to verify the SPNs were created.

That’s all it takes. Don’t worry if you make a mistake because you can still use SETSPN to make corrections.
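As an added example (not from the original post), the same creation wrapped in a function that first checks none of the SPNs is already registered on another account, since a duplicate SPN breaks Kerberos authentication for both accounts, and then reads the SPNs back from Active Directory to confirm they were set. The function name New-SqlGmsaWithSpns is mine; the account, host and SPN values are the post's, and the AES-only KerberosEncryptionType setting is an added hardening choice.

```powershell
# Added example: pre-flight duplicate-SPN check, gMSA creation with SPNs, and
# read-back verification. Requires the ActiveDirectory (RSAT) module and
# permission to create managed service accounts in the domain.
Import-Module ActiveDirectory

function New-SqlGmsaWithSpns {
    param(
        [Parameter(Mandatory)] [string]   $Name,               # gMSA sAMAccountName without the trailing $
        [Parameter(Mandatory)] [string]   $DnsHostName,
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals,  # computer accounts that may retrieve the password
        [Parameter(Mandatory)] [string[]] $Spns
    )

    # An SPN may be registered on exactly one account in the forest; a duplicate
    # makes the KDC unable to pick a key and authentication fails. Refuse to proceed.
    foreach ($spn in $Spns) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
        if ($owner) {
            throw "SPN '$spn' is already registered on $($owner.DistinguishedName); aborting."
        }
    }

    # Splatting lets each parameter carry a comment; the call is still one command.
    $params = @{
        Name                                       = $Name
        DNSHostName                                = $DnsHostName
        PrincipalsAllowedToRetrieveManagedPassword = $AllowedPrincipals
        ServicePrincipalNames                      = $Spns
        KerberosEncryptionType                     = 'AES128,AES256'  # added hardening: no RC4 for this account
        Enabled                                    = $true
    }
    New-ADServiceAccount @params

    # Verify by reading the attribute back instead of trusting that the call succeeded.
    $account = Get-ADServiceAccount -Identity $Name -Properties ServicePrincipalNames
    $missing = $Spns | Where-Object { $account.ServicePrincipalNames -notcontains $_ }
    if ($missing) {
        throw "SPN(s) not registered on $Name : $($missing -join ', ')"
    }
    $account.ServicePrincipalNames
}

# Values from the post: the instance-name SPN and the port SPN for the SQL Server host.
New-SqlGmsaWithSpns -Name 'DEATHSTAREN5' `
    -DnsHostName 'DEATHSTAREN5.govlab.corp' `
    -AllowedPrincipals 'DEATHSTAR$' `
    -Spns 'MSSQLSvc/DEATHSTAR.govlab.corp:SQL2019','MSSQLSvc/DEATHSTAR.govlab.corp:11004'
```

The returned list should match the two SPNs passed in; SETSPN -L DEATHSTAREN5 shows the same result from the command line.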

Additional reference:
https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount
