Autogenerated Active Directory objects password rotation

Applies to: SQL Server 2019 (15.x)

This article describes how to rotate the passwords of the Active Directory objects that SQL Server Big Data Clusters generates when a cluster is deployed with Active Directory integration.

Important

The Microsoft SQL Server 2019 Big Data Clusters add-on will be retired. Support for SQL Server 2019 Big Data Clusters will end on February 28, 2025. All existing users of SQL Server 2019 with Software Assurance will be fully supported on the platform and the software will continue to be maintained through SQL Server cumulative updates until that time. For more information, see the announcement blog post and Big data options on the Microsoft SQL Server platform.

Overview

When a big data cluster is deployed with Active Directory integration, SQL Server creates a set of Active Directory (AD) accounts and groups during the deployment. For more information on these AD accounts and groups, see autogenerated Active Directory objects. These objects are typically found in the organizational unit (OU) provided in the deployment profile configuration.

Security hardening is one of the biggest challenges for enterprise customers. Many organizations are required to enforce a password expiration policy, under which the administrator sets a maximum password age for accounts. In the past, a big data cluster could only meet such a policy by manually rotating the passwords of those autogenerated Active Directory objects.

To address these challenges, automatic password rotation for autogenerated AD objects was introduced in SQL Server 2019 CU13.

Both of the following steps are required to complete password rotation. They can be performed in either order, but not at the same time:

1. Use the azdata command to rotate the passwords

Use the following azdata command to update the autogenerated passwords. For more information on azdata bdc rotate, see the azdata reference.

   azdata bdc rotate -n <clusterName> 

This initiates a control plane upgrade, followed by a big data cluster upgrade. For each rotation, a target AD credential version is generated so that the same rotation can be identified across services and distinguished from earlier rotations. For each service that has a generated password, a new password is generated and updated in the domain controller. The passwords are 32 characters long and contain at least one uppercase letter, one lowercase letter, and one digit; a special character is not guaranteed. The corresponding pods are then restarted.

2. Rotate the password for the domain service account (DSA)

The big data cluster does not manage the DSA password, so you change it yourself in Active Directory. After changing it, run the PASS001 - Update Administrator Domain Controller Password notebook to update the DSA password that the big data cluster uses, providing the DSA administrator username and the new password as environment variable parameters to the notebook. For more information on this notebook and other cluster management notebooks, see Operational notebooks for SQL Server Big Data Clusters.
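As an added example (not part of this article or of the product), the following PowerShell, run on a domain-joined machine with the ActiveDirectory module, checks the outcome of both steps: it verifies that every user object in the cluster OU has a PasswordLastSet timestamp newer than the time azdata bdc rotate was started, resolves the password policy that actually applies to those accounts and compares it with the documented properties of generated passwords (32 characters, upper, lower, digit, no special character guaranteed), and finally resets the DSA password before the PASS001 notebook is run. The OU distinguished name, the DSA account name and the rotation start time are placeholders, not values from the article.

```powershell
# Added example for this article (not from the product or its documentation):
# verify an 'azdata bdc rotate' run and prepare the DSA rotation.
# Assumptions (placeholders): OU distinguished name, DSA account name, rotation start.
Import-Module ActiveDirectory

$ClusterOU     = 'OU=bdc,DC=contoso,DC=local'   # OU given in the deployment profile
$DsaName       = 'bdc-dsa'                       # domain service account (placeholder)
$RotationStart = (Get-Date).AddHours(-2)         # when 'azdata bdc rotate -n <clusterName>' was launched

function Test-BdcPasswordPolicyCompatibility {
    # Compares a resolved AD password policy with what the article documents for
    # generated passwords: 32 characters, at least one uppercase letter, one
    # lowercase letter and one digit, with no special character guaranteed.
    param([Parameter(Mandatory)] $Policy)
    $problems = @()
    if ($Policy.MinPasswordLength -gt 32) {
        $problems += "MinPasswordLength is $($Policy.MinPasswordLength); generated passwords are 32 characters"
    }
    # Built-in complexity requires three of five character classes; upper, lower
    # and digit already satisfy it, so ComplexityEnabled alone is not a problem.
    # Only a third-party password filter could additionally demand a special
    # character, which the generated passwords do not promise.
    if ($Policy.MaxPasswordAge -gt [TimeSpan]::Zero) {
        # azdata does not schedule rotation; this is the deadline for the next run.
        Write-Host "Passwords expire after $($Policy.MaxPasswordAge.Days) days; rotate again before then"
    }
    return $problems
}

# 1. Every user object in the OU should have been rotated after $RotationStart.
$accounts = @(Get-ADUser -Filter * -SearchBase $ClusterOU -Properties PasswordLastSet)
if ($accounts.Count -eq 0) { throw "No user objects found under $ClusterOU" }
$stale = $accounts | Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $RotationStart }
if ($stale) {
    Write-Warning "Accounts not rotated since $RotationStart :"
    $stale | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
} else {
    Write-Host "All $($accounts.Count) accounts in $ClusterOU rotated since $RotationStart"
}

# 2. Resolve the policy that applies (a fine-grained PSO takes precedence over the domain default).
$policy = Get-ADUserResultantPasswordPolicy -Identity $accounts[0]
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$problems = Test-BdcPasswordPolicyCompatibility -Policy $policy
$problems | ForEach-Object { Write-Warning $_ }

# 3. The DSA is not rotated by azdata. Reset it here, then run the PASS001 notebook
#    with the DSA username and this new password as its environment variable parameters.
$newDsaPassword = Read-Host -AsSecureString -Prompt "New password for $DsaName"
Set-ADAccountPassword -Identity $DsaName -Reset -NewPassword $newDsaPassword
```

The policy check is the part most likely to save a failed rotation: a fine-grained password settings object applied to the cluster OU with a minimum length above 32 characters, or a password filter that insists on a special character, would reject the generated passwords, and neither condition is visible from azdata's output.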

Important

Password rotation and the accompanying big data cluster upgrade can take some time to complete, depending on network speed, the number of pods, and other factors. Password rotation is a separate process: it cannot run in parallel with a cluster upgrade operation or with the DSA password rotation.

Next steps