DRAG DROP
Your network contains an Active Directory forest named contoso.com. All domain controllers
run Windows Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.
Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area
and arrange them in the correct order.
Answer: See the explanation.
Explanation:
Box 1:
Box 2:
Box 3: Modify the settings of AppPool1.
Note:
Box 1:
Group Managed Service Accounts Requirements:
At least one Windows Server 2012 Domain Controller
A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module,
to create/manage the gMSA.
A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc,
and then click OK to open the Active Directory Users and Computers snap-in. Confirm
that the Managed Service Accounts container exists.
2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the
Windows PowerShell icon.
3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>]
[-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS
application pools to run managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use
a managed service account
1. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
2. Double-click <Computer name>, double-click Application Pools, right-click <Pool
Name>, and click Advanced Settings.
3. In the Identity box, click …, click Custom Account, and then click Set.
4. Type the name of the managed service account in the format
domainname\accountname.
Reference: Service Accounts Step-by-Step Guide
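The three boxes above (create the gMSA on a Windows Server 2012 DC, install it on the hosts, change the AppPool1 identity) carried out in PowerShell, as an added example that is not part of the original question or its explanation. The account name gMSA_AppPool1, the host group AppPool1Hosts, the DNS host name and the HTTP SPNs are assumptions for illustration; Server1, Server2, AppPool1 and contoso.com come from the question. It assumes the KDS root key, the 2012 schema and at least one writable Windows Server 2012 DC are in place, and the ActiveDirectory module (RSAT) on the machine used for the DC-side steps.

```powershell
# Added example: provision a gMSA for AppPool1 on Server1 and Server2 in contoso.com.
# gMSA_AppPool1, AppPool1Hosts, gmsa_apppool1.contoso.com and the SPNs are assumed names.

#region --- Part 1: on a Windows Server 2012 (or later) domain member, as a Domain Admin ---
Import-Module ActiveDirectory

# 1. KDS root key: created once per forest before the first gMSA can exist.
#    -EffectiveImmediately still waits 10 hours for replication before the key is usable;
#    on a single-DC lab you can back-date it instead (see the commented line).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab only, single DC:  Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Grant password retrieval to a group rather than to the two computer accounts, so a
#    third web server later is a group-membership change, not an edit of the gMSA.
$hostsGroup = 'AppPool1Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostsGroup'")) {
    New-ADGroup -Name $hostsGroup -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the gMSA_AppPool1 managed password'
}
Add-ADGroupMember -Identity $hostsGroup -Members 'Server1$', 'Server2$'

# 3. Create the gMSA. -DNSHostName is mandatory for a group MSA; the SPNs must match the
#    site's host header if clients are expected to authenticate to it with Kerberos.
New-ADServiceAccount -Name 'gMSA_AppPool1' `
    -DNSHostName 'gmsa_apppool1.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames 'HTTP/app.contoso.com', 'HTTP/app'

# Later changes to the allowed hosts use Set-ADServiceAccount instead of New-:
# Set-ADServiceAccount -Identity 'gMSA_AppPool1' -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup
#endregion

#region --- Part 2: on each of Server1 and Server2, after a reboot so the computer's
#            Kerberos token contains the new group membership ---
Import-Module ActiveDirectory

# 4. Install caches the account locally and proves this host can pull the managed password
#    from a 2012 DC. Test-ADServiceAccount returns $false (with the cause in the warning
#    stream) when the group membership is stale or no 2012 DC is reachable.
Install-ADServiceAccount -Identity 'gMSA_AppPool1'
if (-not (Test-ADServiceAccount -Identity 'gMSA_AppPool1')) {
    throw 'This host cannot retrieve the gMSA password: check group membership, reboot, and 2012 DC availability.'
}

# 5. Point AppPool1 at the gMSA. The user name keeps its trailing '$', the password is
#    empty (IIS fetches it from AD), and identityType 3 means SpecificUser.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\AppPool1' -Name processModel -Value @{
    identityType = 3
    userName     = 'CONTOSO\gMSA_AppPool1$'
    password     = ''
}
Restart-WebAppPool -Name 'AppPool1'
(Get-Item 'IIS:\AppPools\AppPool1').processModel.userName   # CONTOSO\gMSA_AppPool1$
#endregion
```

Part 2 is meant to be run locally on each host (Install-ADServiceAccount through a plain PowerShell remoting session hits the Kerberos double-hop problem when it queries AD). Step 4 is the "install and test" step several comments below call optional; it is the one place where a missing 2012 DC shows up as a clear error before IIS starts failing requests.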
Correct answer is:
Schema is 2012 so we don’t need any new DC.
Answer is:
1-We need to add a New-ADServiceAccount
2-We need to Install-ADServiceAccount to the Servers.
3-We need to change the Application Pool.
IMPORTANT:
http://technet.microsoft.com/en-us/library/jj128431.aspx#BKMK_gMSA_Req
Important: Service Accounts were already supported in 2008, however for gMSA we have more requirements:
Requirements:
Active Directory Domain Service requirements
• The Active Directory schema in the gMSA domain’s forest needs to be updated to Windows Server 2012 to create a gMSA.
You can update the schema by installing a domain controller that runs Windows Server 2012 or by running the version of adprep.exe from a computer running Windows Server 2012. The object-version attribute value for the object CN=Schema,CN=Configuration,DC=Contoso,DC=Com must be 52.
• New gMSA account provisioned
• If you are managing the service host permission to use gMSA by group, then new or existing security group
• If managing service access control by group, then new or existing security group
• If the first master root key for Active Directory is not deployed in the domain or has not been created, then create it. The result of its creation can be verified in the KdsSvc Operational log, Event ID 4004.
Install- or Set-ADServiceAccount
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx
The choices are missing the step to add the service account
It’s
New-
Add-
Install-
@sysadmin
The question is about Group Managed Service Accounts (new feature in Windows 2012), not Managed Service Accounts.
The main answer is correct!
You can create a gMSA only if the forest schema has been updated to Windows Server 2012, the master root key for Active Directory has been deployed, and there is at least one Windows Server 2012 DC in the domain in which the gMSA will be created.
https://technet.microsoft.com/en-us/library/jj128431.aspx
What you have stated applies to Windows Server 2008 R2 MSAs, not Windows 2012. There is no group Managed Service Account (gMSA) in 2008 R2.
Mark is right.
Mark is right. gMSA requirement:”Windows Server 2012 DCs available for host to retrieve the password.” We need to install 2012 DC first as currently all DCs are 2008.
The main answer is correct.
Steps are :
1. Install a domain controller that runs Windows Server 2012 R2
2. Run New-ADServiceAccount
3. Run Install-ADServiceAccount
see link:
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
Have you done this yourself? I have set up pools for years now and never used your way.. the answer as it is given is correct!
also disagree about the install-ADserviceaccount.
https://technet.microsoft.com/en-us/library/jj128431.aspx doesn’t mention it and your link says it isn’t required, just best practice.
the “show answer” is correct.
it absolutely does not say this. Pirulo is correct
I had this question today, but with different answers. Domain Controller was not part of it. Answers were: New, Install, Set, Modify and something about a reg…
1- install a DC
2-New-ADServiceAccount
3-modify the settings
1- Install a DC
2- new-adserviceaccount to create a gmsa
3- Set-ADServiceAccount with the -PrincipalsAllowedToRetrieveManagedPassword argument to specify the hosts allowed to use the gMSA account
The steps are
On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.
At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:
New-ADServiceAccount [-Name] -RestrictToOutboundAuthenticationOnly [-ManagedPasswordIntervalInDays ] [-PrincipalsAllowedToRetrieveManagedPassword ]
Next step is to modify the application service identity appPool
Step 1& 2
https://technet.microsoft.com/en-us/library/jj128431.aspx
Key thing here is that the domain controller needs to be win2012 right now it is win 2008
For this example, the schema is updated, but we do not have a Server 2012 that is a DC.
1. Upgrade at least one DC Server to 2012
2. From Windows 2012 Server Run:
Add-KDSRootKey -EffectiveImmediately
wait ten hours…
3. New-ADServiceAccount -name -DNSHostName -PrincipalsAllowedToRetrieveManagedPassword -ServicePrincipalNames
4. Install-AdServiceAccount
from: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
I think that because We have a 2012rd schema we must have a 2012rd DC so I agree with jhonnyboy
2012R2, sorry
Well the main answer is correct. steps should be like
1. Upgrade at least one DC Server to 2012
2. New-ADServiceAccount
2a. Install-AdServiceAccount (install and test the gMSA on the host. While this isn’t always necessary, it’s safe practice)
3-modify the settings
Install DC
New-ADServiceAccount
Modify the settings
https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
3. Configure the gMSA on the host – “While this isn’t always necessary, it’s safe practice.” So it looks like Install-AdServiceAccount is not really needed, it’s only good practice.
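The whole disagreement in this thread is about prerequisites: whether the 2012 schema alone is enough, or whether a Windows Server 2012 DC and the KDS root key are also required. The checks below, as an added example that is not part of the question, the TechNet text or any of the comments, read each prerequisite from the directory so the answer does not depend on memory. It assumes the ActiveDirectory module on a domain-joined machine, the host names Server1 and Server2 from the question, and the event-log channel name 'Microsoft-Windows-KdsSvc/Operational' for the Event ID 4004 check quoted above. The schema objectVersion values used are those of the released products: Windows Server 2012 reports 56 and 2012 R2 reports 69 (earlier versions of the TechNet page gave 52).

```powershell
# Added example: verify the four gMSA prerequisites for contoso.com before running
# New-ADServiceAccount. Server1/Server2 and the KdsSvc log channel name are assumptions.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$dcs     = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsReadOnly

# 1. Schema at Windows Server 2012 level (objectVersion 56; 2012 R2 is 69): required to
#    *create* the msDS-GroupManagedServiceAccount object at all.
$schemaOk = [int]$schema.objectVersion -ge 56

# 2. At least one writable 2012-or-later DC in the domain: only such a DC can compute and
#    serve the managed password, which is why a 2012 schema on 2008 R2 DCs (the situation
#    in this question) is not enough.
$modernDcs = @($dcs | Where-Object {
    -not $_.IsReadOnly -and $_.OperatingSystem -match 'Windows Server (2012|2016|2019|2022)'
})
$dcOk = $modernDcs.Count -gt 0

# 3. KDS root key present and already effective; a key whose EffectiveTime is still in the
#    future makes New-ADServiceAccount fail with "Key does not exist".
$kdsOk = [bool](Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) })

# 4. The hosts that will run the gMSA must be Windows Server 2012 / Windows 8 or later.
$hosts   = Get-ADComputer -Filter "Name -eq 'Server1' -or Name -eq 'Server2'" -Properties OperatingSystem
$hostsOk = @($hosts | Where-Object {
    $_.OperatingSystem -match 'Windows Server (2012|2016|2019|2022)|Windows (8|10|11)'
}).Count -eq 2

[pscustomobject]@{
    SchemaObjectVersion  = $schema.objectVersion
    SchemaOk             = $schemaOk
    Writable2012PlusDCs  = ($modernDcs.HostName -join ', ')
    DcOk                 = $dcOk
    KdsRootKeyEffective  = $kdsOk
    HostsOk              = $hostsOk
    ReadyForGmsa         = $schemaOk -and $dcOk -and $kdsOk -and $hostsOk
} | Format-List

# Optional: confirm root-key creation on the DC where Add-KdsRootKey ran (Event ID 4004).
# Get-WinEvent -ComputerName <DC> -MaxEvents 1 `
#     -FilterHashtable @{ LogName = 'Microsoft-Windows-KdsSvc/Operational'; Id = 4004 }
```

For the scenario in the question the output is SchemaOk = True but DcOk = False, which is the concrete reason the accepted three-step answer starts with installing a Windows Server 2012 R2 domain controller rather than with New-ADServiceAccount.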