Use Multiple MSAs
In many deployments, the MSA is specified at the Enterprise node and is the same for every server in the Enterprise.
If necessary, you can specify a different MSA for a particular Site group, Site, or Server node in the Enterprise Manager Installations tree. Some example scenarios where you might specify a different account for a Site Group, Site, or Server include:
- You have a Site that uses a different Windows naming convention. For example, you have a data center site in the U.K. and a remote site in India, and the India site uses a different Windows naming convention. In this case, you can specify a different Management Service Account for the remote India site than is specified for the U.K. data center site.
- Two different sites exist and the MSA is sometimes locked at one of the sites. In this case, using different accounts at each site allows each site to operate independently if it is necessary for one site to lock the account.
- No domain exists and the Servers at a site are deployed in a Windows workgroup.
In this scenario, the MSA is a local Windows account on each computer. The MSA is specified in the Computername\Username format (for example, ComputerName1\JDoe, ComputerName2\JDoe and so on). Since the computer name is different for each server, the MSA username must be specified separately for each server in the workgroup.
As noted above, all servers in the same data center must run using a single dedicated MSA. Therefore, in a workgroup environment, the data center server must either be a single server of the Data Center platform (a platform is a predefined logical group of server roles installed together on a physical server), or a Consolidated server.
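The rules above can be checked against an inventory before the accounts are entered in Enterprise Manager. The following Python check is an added example, not part of the product or its documentation; the node names and accounts are constructed, and it assumes that a node with no MSA of its own uses the nearest one set above it in the Installations tree.

```python
from collections import defaultdict

# Constructed sample tree; every node name and account below is made up.
# node -> (parent, MSA set on this node or None,
#          workgroup computer name or None, data center or None)
NODES = {
    "Enterprise": (None, r"CORP\svc-mgmt", None, None),
    "UK-Site": ("Enterprise", None, None, None),
    "UK-SRV1": ("UK-Site", None, None, "UK-DC"),
    "UK-SRV2": ("UK-Site", None, None, "UK-DC"),
    "India-Site": ("Enterprise", r"INDIA\svc_mgmt", None, None),
    "IN-SRV1": ("India-Site", None, None, None),
    "WG-Site": ("Enterprise", None, None, None),
    "WG-SRV1": ("WG-Site", r"WG-SRV1\JDoe", "WG-SRV1", "WG-DC"),
    "WG-SRV2": ("WG-Site", r"WG-SRV2\JDoe", "WG-SRV2", "WG-DC"),
    "WG-SRV3": ("WG-Site", None, "WG-SRV3", None),  # nothing set on the server
}


def effective_msa(name):
    """Assumption: a node without its own MSA uses the nearest one above it."""
    while name is not None:
        parent, msa, _, _ = NODES[name]
        if msa:
            return msa
        name = parent
    return None


def audit():
    findings, by_dc = [], defaultdict(set)
    for name, (_, _, computer, dc) in NODES.items():
        msa = effective_msa(name)
        if computer:  # workgroup server: MSA must be <this computer>\<username>
            prefix, sep, user = (msa or "").partition("\\")
            if not (sep and user) or prefix.lower() != computer.lower():
                findings.append(f"{name}: MSA {msa!r} is not {computer}\\<username>")
        if dc:  # all servers of one data center must share a single MSA
            by_dc[dc].add((msa or "").lower())
    for dc, accounts in sorted(by_dc.items()):
        if len(accounts) > 1:
            findings.append(f"{dc}: {len(accounts)} different MSAs in one data center")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

On the sample data, WG-SRV3 is flagged because it would otherwise pick up a domain-style account, and WG-DC is flagged because two workgroup servers can never share one local account, which is why a workgroup data center has to be a single server.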
Site Permissions When Multiple Accounts Are Used
If you have two remote Sites (or Site Groups) that have different MSAs, no special configuration is needed at either Site regarding the permissions of the accounts. For example, if you have remote Site 1 using account 1 and remote Site 2 using account 2, you do not need to perform any special configuration for account 2 at Site 1, or vice versa. The servers at different Sites do not use Windows authentication when communicating with each other (they use token-based authentication).