Which three actions should you perform?

DRAG DROP
Your network contains an Active Directory forest named contoso.com. All domain controllers run Windows
Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in
the correct order.


A.
A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to
open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container
exists.
Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.
Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS application pools to run
managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use a managed service
account
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Double-click <Computer name>, double-click Application Pools, right-click <Pool Name>, and click Advanced
Settings.
In the Identity box, click …, click Custom Account, and then click Set.
Type the name of the managed service account in the format domainname\accountname.

Explanation:

Box 1:

Box 2:

Box 3: Modify the settings of AppPool1.

Note:
Box 1:
Group Managed Service Accounts Requirements:

At least one Windows Server 2012 Domain Controller
A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to
create/manage the gMS
Reference: Service Accounts Step-by-Step Guide
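
The gMSA provisioning and application pool steps for AppPool1, written out in PowerShell. This is an added example, not part of the original question or of the referenced guide; the account name gmsaAppPool1, the group AppPool1-Hosts and the NetBIOS domain name CONTOSO are assumptions, while Server1, Server2, AppPool1 and contoso.com come from the question.

```powershell
# Added example. Hypothetical names: gmsaAppPool1, AppPool1-Hosts, CONTOSO.
# Server1, Server2, AppPool1 and contoso.com are taken from the question.

function New-AppPoolGmsa {
    # Run once, as a domain admin, on a machine with the ActiveDirectory module.
    Import-Module ActiveDirectory

    # gMSA passwords are derived from the KDS root key; create it if absent.
    # Domain controllers wait up to 10 hours after creation before using a
    # new key, so that it can replicate first.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
    }

    # Least privilege: only the two web servers may retrieve the password.
    New-ADGroup -Name 'AppPool1-Hosts' -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity 'AppPool1-Hosts' -Members 'Server1$', 'Server2$'

    New-ADServiceAccount -Name 'gmsaAppPool1' `
        -DNSHostName 'gmsaAppPool1.contoso.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'AppPool1-Hosts'
}

function Set-AppPoolGmsaIdentity {
    # Run on Server1 and on Server2 after a restart, so the computer
    # account's Kerberos ticket carries the new group membership.
    # Requires the ActiveDirectory module on the web server as well.
    Import-Module ActiveDirectory, WebAdministration

    Install-ADServiceAccount -Identity 'gmsaAppPool1'
    if (-not (Test-ADServiceAccount -Identity 'gmsaAppPool1')) {
        throw 'This host cannot retrieve the gMSA password.'
    }

    # Note the trailing $ on the account name. The password stays empty
    # because the host fetches it from Active Directory on demand.
    Set-ItemProperty -Path 'IIS:\AppPools\AppPool1' -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = 'CONTOSO\gmsaAppPool1$'
        password     = ''
    }
}
```

Restricting PrincipalsAllowedToRetrieveManagedPassword to a group that contains only the two hosts keeps any other domain member from reading the account's password.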





den

I have this TechNet article applying to 2008R2, makes me wonder why I have to upgrade the domain controller:
https://technet.microsoft.com/en-us/library/Dd391964%28v=WS.10%29.aspx
https://technet.microsoft.com/en-us/library/dd367859%28WS.10%29.aspx

Maybe someone can help me out with what the point is that I'm overseeing…

MrIntel

Can the Schema be upgraded to 2012 R2 without a 2012 R2 domain controller? If not, then the given answer is wrong.

Bart

Yes you can. (This is BASIC knowledge)

AB

Going to throw a spanner in the works. I think it is:

Install a 2012R2 DC
Set-ADServiceAccount
Install-ADServiceAccount

kurt

It has to be:

Install a 2012R2 DC
New-ADServiceAccount
Install-ADServiceAccount
modify settings
It is in the friggin Microsoft books.

You have to install the service before you modify the settings.

kurt

However, it is an application pool, so Install-ADServiceAccount may not be required.

kurt

It still doesn't make sense. You install a DC 2012 R2 but you still have to create the KDS root key. There are no options for this.

kurt

JohnyBoy says:
December 11, 2014 at 10:25 pm
Correct answer is:

Schema is 2012 so we don’t need any new DC.

Answer is:
1-We need to add a New-ADServiceAccount
2-We need to Install-ADServiceAccount to the Servers.
3-We need to change the Application Pool.

IMPORTANT:

http://technet.microsoft.com/en-us/library/jj128431.aspx#BKMK_gMSA_Req

Important: Service Accounts were already supported in 2008; however, for gMSA we have more requirements:

Requirements:

Active Directory Domain Service requirements
• The Active Directory schema in the gMSA domain’s forest needs to be updated to Windows Server 2012 to create a gMSA.

You can update the schema by installing a domain controller that runs Windows Server 2012 or by running the version of adprep.exe from a computer running Windows Server 2012. The object-version attribute value for the object CN=Schema,CN=Configuration,DC=Contoso,DC=Com must be 52.

• New gMSA account provisioned

• If you are managing the service host permission to use gMSA by group, then new or existing security group

• If managing service access control by group, then new or existing security group

• If the first master root key for Active Directory is not deployed in the domain or has not been created, then create it. The result of its creation can be verified in the KdsSvc Operational log, Event ID 4004.

Tomo_Jp

Collect.
1-We need to add a New-ADServiceAccount
2-We need to Install-ADServiceAccount to the Servers.
3-We need to change the Application Pool.