{"id":6621,"date":"2016-01-05T17:53:33","date_gmt":"2016-01-05T16:53:33","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/"},"modified":"2016-01-05T17:53:33","modified_gmt":"2016-01-05T16:53:33","slug":"sql-server-2016-availability-groups-and-gmsas","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/","title":{"rendered":"SQL Server 2016 – availability groups and gMSAs"},"content":{"rendered":"

This blog post will probably not concern customers where either password policy change rules are not defined for service accounts or Kerberos authentication is not used. But I\u2019m sure that the number of these customers has decreased over at least the last decade. By the way, this is what I can notice at different customer places.<\/p>\n

But before beginning with group managed services let\u2019s introduce managed services \u2026 Why using managed services (MSAs) against traditional or \u201clegacy\u201d service accounts? Well, I think that system administrators may imagine how important this account type is.<\/p>\n

Let\u2019s set the scene: as a domain administrator, you\u2019re in charge to create a domain account for one or maybe several servers. In most cases, you will have to provide a domain user name and a password as well. After some times, because your security policy requires to change all of the domain account passwords in your active directory every month, the service account you\u2019ve created previously expires and no luck \u2026 the concerned application doesn\u2019t work anymore. What are the alternatives in this case? Change the password manually? Maybe but each month you\u2019ll have to execute the same task and coordinate with the application team in order to avoid the application failure. According to me, this not a good solution. Another way may be to exclude this service account from your security policy with no expiration password for your domain account. Great but what about password attacks from hackers?<\/p>\n

This is where MSAs may be very useful in this context. System administrators don\u2019t have any more to manage the password by themselves. The concerned server will refresh automatically the password in monthly-basis by default (note that a system administrator may still refresh the password manually).<\/p>\n

Another improvement for system administrators is the simplified management of service principal names (SPNs) with Kerberos authentication. With \u201clegacy service accounts\u201d, you will generally provide at least privilege domain account for SQL Server according to the security best practices but in this context the domain account will be unable to configure or update automatically the corresponding SPN for the SQL Server instance. Once again, this is a task that must be performed by the system administrators for each SQL Server that will use this domain account and Kerberos authentication. Fortunately, when you use MSAs with SQL Server, the corresponding SPN is automatically managed by the system.<\/p>\n

However the main problem of using MSAs is their limited scope because they cannot be shared across multiple hosts. If you use AlwaysOn availability groups, it means that you will have to setup as many managed service accounts as you have replicas in your infrastructure. Fortunately, Windows 2012 came to the rescue and has introduced the group managed service accounts (gMSAs) that extends the capabilities of the managed service accounts feature. A single gMSA can be shared across multiple hosts \u2026 very interesting for our availability group environment. But unfortunately this feature is only supported from SQL Server 2016.<\/p>\n

The most of work for configuring gMSAs concerns the active directory for which I\u2019m not an expert, so the following task was performed blindly according to the Microsoft documentation.<\/p>\n

First, you have to create the KDS root key from a domain controller. Indeed, password management is now performed by the key distribution service (KDS) and member hosts that wish to use the gMSA simply query the DC to get the password. Usage of the gMSA is restricted to only granted computers specified in the msDS-GroupMSAMembership<\/em> security descriptor. The DC will also determine if the password must be changed and uses a pre-determined algorithm to compute the password (120 characters).<\/p>\n

So let\u2019s create the KDS root key by using the following PowerShell command:<\/p>\n

Add-KdsRootKey \u2013EffectiveTime ((get-date).addhours(-10));<\/pre>\n
The last part of this script is a trick for using immediately the KDS root key but don\u2019t use it in production<\/strong>!<\/p>\n
Let\u2019s continue and let\u2019s create our gMSA by using the following PowerShell command:<\/p>\n
New-ADServiceAccount sql_alwayson `\n   -DNSHostName dc.dbi-services-test `\n   -PrincipalsAllowedToRetrieveManagedPassword \"Domain Controllers\", \"CN=AlwaysOnMSA,OU=Clusters,DC=dbi-services,DC=test\" `\n   -KerberosEncryptionType RC4, AES128, AES256<\/pre>\n
I created a group named sql_always with several possible Kerberos encryption types (RC4, AES128 and AES256). In addition, domain controllers and computers that are members of the AlwaysOnMSA group are only authorized to use the sql_always group managed service account.<\/p>\n
Get-ADserviceAccount -Identity sql_alwayson;<\/pre>\n
\"blog<\/a><\/p>\n
Ok, my gMSA has been created correctly. You can notice the new object class msDS-GroupManagedServiceAccount \u2026<\/em><\/p>\n
Get-ADServiceAccount -Identity sql_alwayson \u2013Properties PrincipalsAllowedToRetrieveManagedPassword;<\/pre>\n
\"blog<\/a><\/p>\n
\u2026 And computers authorized to use it. In my case, the WIN20161 and WIN20162 replicas and my availability group listener LST-20161 as well.<\/p>\n
Now it\u2019s time to configure the gMSA on each replica (WIN20161 and WIN20162) by using these PowerShell commands:<\/p>\n
Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -Online \u2013All;\n\nInstall-AdServiceAccount sql_alwayson;<\/pre>\n
Next let\u2019s use this gMSA with the SQL Engine services on each replica as shown below:<\/p>\n
\"blog<\/a><\/p>\n
As MSA, you don\u2019t have to enter the password because it is directly managed by the system. Let\u2019s talk about the concept of \u201cAutomatic SPN management\u201d. According to \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NedPyle (MSFT) here<\/a>, it refers to an application that inherently understands Kerberos and how to register itself with SPN’s. If that application supports writing its own SPN’s, *and* you use 2008 R2 DC’s, MSA’s will work for automatic SPN management. However in my case, the gMSA that I\u2019ve created previously didn\u2019t manage automatically the SPN with SQL Server. In fact, I had to add the \u201cRead servicePrincipalName\u201d to the gMSA before it works properly. Did I miss or misunderstand something? I will update this blog post accordingly.<\/p>\n
Let\u2019s take a look at the SQL Server error log of each replica:<\/p>\n
\"blog<\/a><\/p>\n
…<\/p>\n
\"blog<\/a><\/p>\n
Each replica (respectively WIN20161 and WIN20162) has successfully registered their SPN. However, this is another story for the listener because it is not used directly as a service. We must add manually the corresponding SPN to the gMSA by using the following script:<\/p>\n
Set-ADServiceAccount -Identity sql_alwayson `\n-ServicePrincipalNames @{Add=\"MSSQLSvc\/LST-2016.dbi-services.test:1433\"}<\/pre>\n
Let\u2019s take a look at the SPNs associated with our gMSA\u00a0:<\/p>\n
\"blog<\/a><\/p>\n
And finally let\u2019s verify if we are able to connect with Kerberos authentication.<\/p>\n
I ran a PowerShell script that tests the connections to the replica and the listener as well.<\/p>\n
\"blog<\/a><\/p>\n
Let\u2019s verify the protocol type used from the SQL Server side:<\/p>\n
select\n\tc.session_id,\n\tc.net_transport,\n\tc.protocol_type,\n\tc.auth_scheme,\n\ts.program_name\nfrom \n\tsys.dm_exec_connections c\njoin \n\tsys.dm_exec_sessions s\n\t\ton c.session_id = s.session_id\nwhere\n\ts.program_name like 'Powershell program%';\ngo<\/pre>\n
\"blog<\/p>\n
Et voil\u00e0!\n\nBy David Barbarin<\/pre>\n","protected":false},"excerpt":{"rendered":"
This blog post will probably not concern customers where either password policy change rules are not defined for service accounts or Kerberos authentication is not used. But I\u2019m sure that the number of these customers has decreased over at least the last decade. By the way, this is what I can notice at different customer […]<\/p>\n","protected":false},"author":26,"featured_media":6630,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[198],"tags":[297,729,84,730,25,566],"type_dbi":[],"class_list":["post-6621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-database-management","tag-availability-groups","tag-gmsa","tag-high-availability","tag-managed-service","tag-security","tag-sql-server-2016"],"acf":[],"yoast_head":"\nSQL Server 2016 - availability groups and gMSAs<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL Server 2016 - availability groups and gMSAs\" \/>\n<meta property=\"og:description\" content=\"This blog post will probably not concern customers where either password policy change rules are not defined for service accounts or Kerberos authentication is not used. But I\u2019m sure that the number of these customers has decreased over at least the last decade. By the way, this is what I can notice at different customer […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-01-05T16:53:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"645\" \/>\n\t<meta property=\"og:image:height\" content=\"118\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\"},\"author\":{\"name\":\"Microsoft Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4\"},\"headline\":\"SQL Server 2016 – availability groups and gMSAs\",\"datePublished\":\"2016-01-05T16:53:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\"},\"wordCount\":1014,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg\",\"keywords\":[\"Availability groups\",\"gMSA\",\"High availability\",\"managed service\",\"Security\",\"SQL Server 2016\"],\"articleSection\":[\"Database management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\",\"name\":\"SQL Server 2016 - availability groups and gMSAs\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg\",\"datePublished\":\"2016-01-05T16:53:33+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg\",\"width\":645,\"height\":118},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SQL Server 2016 – availability groups and gMSAs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4\",\"name\":\"Microsoft Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g\",\"caption\":\"Microsoft Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/microsoft-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SQL Server 2016 - availability groups and gMSAs","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/","og_locale":"en_US","og_type":"article","og_title":"SQL Server 2016 - availability groups and gMSAs","og_description":"This blog post will probably not concern customers where either password policy change rules are not defined for service accounts or Kerberos authentication is not used. But I\u2019m sure that the number of these customers has decreased over at least the last decade. By the way, this is what I can notice at different customer […]","og_url":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/","og_site_name":"dbi Blog","article_published_time":"2016-01-05T16:53:33+00:00","og_image":[{"width":645,"height":118,"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg","type":"image\/jpeg"}],"author":"Microsoft Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Team","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/"},"author":{"name":"Microsoft Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4"},"headline":"SQL Server 2016 – availability groups and gMSAs","datePublished":"2016-01-05T16:53:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/"},"wordCount":1014,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg","keywords":["Availability groups","gMSA","High availability","managed service","Security","SQL Server 2016"],"articleSection":["Database management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/","url":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/","name":"SQL Server 2016 - availability groups and gMSAs","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg","datePublished":"2016-01-05T16:53:33+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/blog-72-1-GetADServiceAccount-1.jpg","width":645,"height":118},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/sql-server-2016-availability-groups-and-gmsas\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"SQL Server 2016 – availability groups and gMSAs"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/bfab48333280d616e1170e7369df90a4","name":"Microsoft Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c44a1a792c059f24055763aa77d80a244467f6eef724a8bd13db8d4a350b7a4c?s=96&d=mm&r=g","caption":"Microsoft Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/microsoft-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/6621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=6621"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/6621\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media\/6630"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=6621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=6621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=6621"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=6621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}