BadSuccessor: Unpatched Microsoft Active Directory attack allows domain takeover

Some relevant attributes on a dMSA account are msDS-DelegatedMSAState, which indicates whether the migration process is unknown, in progress, or completed; msDS-ManagedAccountPrecededByLink, which indicates the old account; and msDS-GroupMSAMembership, which indicates which principals (users, groups, and computers) can authenticate as the account.

Once migration to a dMSA account is complete, any machine that authenticates as the old service account will receive from the Domain Controller an error indicating that the old account was disabled, along with a KERB-SUPERSEDED-BY-USER field to indicate the dMSA that replaced it. The machine will then retry authentication as the dMSA to obtain an authenticated session ticket that allows it to perform the action.

This is where the Key Distribution Center (KDC) comes into play. In the Kerberos protocol, which AD uses, the KDC ensures secure access to network resources by verifying user identities and granting them access based on their permissions.
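For defenders, the attributes described above can be inventoried to see which dMSA claims to have replaced which account. The following is an added example, not code from the article or from Microsoft: it parses a constructed LDIF-style export and marks dMSAs whose predecessor link points at an account on a watch list. The numeric state encoding (0, 1, 2), the sample DNs and the watch list are assumptions made for illustration.

```python
# Assumed numeric encoding; the article gives only the three meanings.
STATE_NAMES = {0: "unknown", 1: "in progress", 2: "completed"}

# Constructed sample export (simple LDIF: no line folding, no base64 values).
SAMPLE_LDIF = """\
dn: CN=svc-web-dmsa,CN=Managed Service Accounts,DC=example,DC=test
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 2
msDS-ManagedAccountPrecededByLink: CN=svc-web,OU=Service Accounts,DC=example,DC=test

dn: CN=tmp-dmsa,CN=Managed Service Accounts,DC=example,DC=test
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 2
msDS-ManagedAccountPrecededByLink: CN=svc-backup-admin,OU=Tier0,DC=example,DC=test

dn: CN=svc-sql-dmsa,CN=Managed Service Accounts,DC=example,DC=test
objectClass: msDS-DelegatedManagedServiceAccount
msDS-DelegatedMSAState: 1
"""
# Hypothetical watch list of accounts whose replacement should always be reviewed.
SENSITIVE = ["CN=svc-backup-admin,OU=Tier0,DC=example,DC=test"]

def parse_ldif(text):
    """Split the export into one dict of attribute -> list of values per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def audit_dmsa(entries, sensitive_dns):
    """Return one finding per dMSA: migration state, old account, review flag."""
    sensitive = {dn.lower() for dn in sensitive_dns}  # DNs compare case-insensitively
    findings = []
    for e in entries:
        if "msDS-DelegatedManagedServiceAccount" not in e.get("objectClass", []):
            continue
        raw = e.get("msDS-DelegatedMSAState", [None])[0]
        state = "not set" if raw is None else STATE_NAMES.get(int(raw), f"unrecognised ({raw})")
        pred = e.get("msDS-ManagedAccountPrecededByLink", [None])[0]
        findings.append({"dmsa": e["dn"][0], "state": state, "predecessor": pred,
                         "review": pred is not None and pred.lower() in sensitive})
    return findings

if __name__ == "__main__":
    for finding in audit_dmsa(parse_ldif(SAMPLE_LDIF), SENSITIVE):
        print(finding)
```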
