Which three actions should you perform?

DRAG DROP
Your network contains an Active Directory forest named contoso.com. All domain controllers run
Windows Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Answer: See the explanation

Explanation:
Box 1:

Box 2:

Box 3: Modify the settings of AppPool1.
Note:
Box 1:
Group Managed Service Accounts Requirements:
At least one Windows Server 2012 Domain Controller
A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to
create/manage the gMSA.
A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then
click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed
Service Account container exists.
Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell
icon.
Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS application
pools to run managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use a
managed service account
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Double-click <Computer name>, double-click Application Pools, right-click <Pool Name>, and click
Advanced Settings.
In the Identity box, click …, click Custom Account, and then click Set.
Type the name of the managed service account in the format domainname\accountname.
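
The same procedure carried through in PowerShell, as an added example (not part of the original explanation or of Microsoft's guide). The group name AppPool1Hosts, the account name gmsaAppPool1 and its DNS host name are assumptions, and the script presumes a Windows Server 2012 or later domain controller is already in place and that the ActiveDirectory module is available on the web servers.

```powershell
# --- Part 1: on a Windows Server 2012+ machine with the ActiveDirectory module ---
Import-Module ActiveDirectory

# gMSA passwords are derived from a KDS root key, created once per forest.
# By default a new key only becomes usable 10 hours after creation,
# to leave time for replication to all domain controllers.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Least privilege: only the two load-balanced hosts may retrieve the password.
# 'AppPool1Hosts' is a hypothetical group name.
New-ADGroup -Name 'AppPool1Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'AppPool1Hosts' -Members 'Server1$', 'Server2$'

# 'gmsaAppPool1' and its DNS host name are hypothetical.
New-ADServiceAccount -Name 'gmsaAppPool1' `
    -DNSHostName 'gmsaAppPool1.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppPool1Hosts'

# --- Part 2: on Server1 and on Server2 ---
# Restart each server first so its computer account picks up the new
# group membership in its Kerberos ticket.
Import-Module ActiveDirectory, WebAdministration

# Returns $true only if this host is allowed to retrieve the gMSA password.
if (-not (Test-ADServiceAccount -Identity 'gmsaAppPool1')) {
    throw 'This host cannot retrieve the gMSA password; check group membership.'
}

# identityType 3 = SpecificUser. A gMSA is entered with a trailing $ and an
# empty password, because the host fetches the password from the domain.
Set-ItemProperty -Path 'IIS:\AppPools\AppPool1' -Name processModel -Value @{
    identityType = 3
    userName     = 'CONTOSO\gmsaAppPool1$'
    password     = ''
}
Restart-WebAppPool -Name 'AppPool1'

# Confirm the pool now runs under the gMSA.
(Get-ItemProperty -Path 'IIS:\AppPools\AppPool1' -Name processModel).userName
```

Scoping PrincipalsAllowedToRetrieveManagedPassword to a dedicated group keeps every other domain member from reading the account's password.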

Service Accounts Step-by-Step Guide




Calin

WHY NOT?
1. Install Win 2012 DC
2. Run New-ADServiceAccount
3. Install-ADServiceAccount
Then you can configure the settings for AppPool1.

https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

Correction

Your provided link says that while it is best practice to run Install-ADServiceAccount, just so you can run Test-ADServiceAccount and see that it's working, it is not necessary. What is necessary is you need a 2012 DC, so that you have a system that can actually run Install-ADServiceAccount, and then you configure the apppool to use said gMSA.

Manuel

Fulis you’re wrong. Win 2012 DC is a requirement!!
I stick with the supplied answer…

Denozavr

The question says that the schema is upgraded to 2012 R2. Now tell me pls, how will you upgrade the schema to 2012 R2 without an installed 2012 R2 domain controller? So you don’t need to install DC 2012 R2, it already exists!

Mej

It says all DC are 2008R2. But yea, a lot of tricky questions.

Eric

The answer does not seem correct. Even Microsoft Press’s MCSE 70-411: Administering Windows Server 2012 R2 says in the section “Creating and configuring group Managed Service Accounts (gMSAs)” that:

To create a gMSA, you need to use the New-ADServiceAccount cmdlet. And at a minimum, you need to specify the -Name parameter and the -DNSHostName parameters.

It goes on to say that you then need to install the gMSA by using the Install-ADServiceAccount cmdlet.

So the New-ADServiceAccount and the Install-ADServiceAccount cmdlets must be part of the answer.

Eric

Furthermore, before you can create a gMSA, you need to create the KDS root key. Note, this step is required only once per domain. But you can’t install the KDS root key without already having a Windows Server 2012 or Windows Server 2012 R2 domain controller to distribute keys.

So, the 3rd answer has to be “modify the settings of AppPool1.”

kosh

Agree with Fulis. This is from the link he provided:

When you extend your schema for Windows Server 2012, a new object class is added for gMSAs – msDSGroupManagedServiceAccount.

So Win2012 doesn’t need to be installed. If you continue to read further you will see that you should first run the Add-KDSRootKey, but that’s not an option. So correct answers from the above given are:
New-ADServiceAccount
Install-ADServiceAccount
modify settings of AppPool1