You need to create a Managed service Account

You have the following Windows PowerShell output.
PS C:\Users\Administrator> New-AdServiceAccount service01 –DNSHostName service01.contoso.com New-ADServiceAccount : Key does not exist
At line : 1 char : 1
+ New-ADServicAccount service01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: {CN=service01,CN… =contoso,DC=com:String} [New-ADServiceAccount], ADException
+FullyQualifiedErrorId :
ActiveDirectoryserver : -2146893811,Microsoft. ActiveDirectory . Management . Commands . NewADServiceAccount

You need to create a Managed service Account.
What should you do?

You have the following Windows PowerShell output.
PS C:\Users\Administrator> New-AdServiceAccount service01 –DNSHostName service01.contoso.com New-ADServiceAccount : Key does not exist
At line : 1 char : 1
+ New-ADServicAccount service01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: {CN=service01,CN… =contoso,DC=com:String} [New-ADServiceAccount], ADException
+FullyQualifiedErrorId :
ActiveDirectoryserver : -2146893811,Microsoft. ActiveDirectory . Management . Commands . NewADServiceAccount

You need to create a Managed service Account.
What should you do?

A.
Run Set-KDSConfiguration and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com

B.
Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount – Name “service01” – DNSHostName

C.
Run New-ADServiceAccount – Name “service01” – DNSHostName service01.contoso.com – RestrictToSingleComputer

D.
Run New-ADServiceAccount – Name “service01” – DNSHostName service01.contoso.com – SAMAccountName service01.



Leave a Reply to David Cancel reply45

Your email address will not be published. Required fields are marked *

19 + 6 =


spamme

spamme

A. and it’s been typo’d
The correct syntax is ADD-KDSRootKey
New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com

spamme

spamme

Except that the -RestrictToSingleComputer doesn’t work with the -DNSHostName switch
Give it a try

David

David

Another vote for C. The question specifically says “You need to create a Managed service Account”, leaving out the word “Group”.

https://technet.microsoft.com/en-us/library/hh852236(v=wps.630).aspx

“The New-ADServiceAccount cmdlet creates a new Active Directory managed service account. By default, the cmdlet creates a group managed service account. To create a standalone managed service account which is linked to a specific computer, use the -RestrictToSingleComputer parameter.”

If answer A had used the command “Add-KdsRootKey”, then it could have possibly been the correct answer, but “Set-KDSConfiguration” does not sound right.

spamme

spamme

I would’ve agreed with C, except for the DNSHOSTNAME switch, like I said, it doesn’t work with the RESTRICT switch

Josef

Josef

Its C for sure, cause we are not creating Group Managed Accounts. If we would do so we would need a KDS!

spamme

spamme

For what it’s worth, since people are still suggesting the wrong answer, I sat the exam on Monday.
Like I said, A is typo’d here, it’s add-kdsrootkey
Also -restricttosinglecomputer isnt there at all, it’s restricttooutbound

I’d suggest people saying it’s C, actually try it.

BrewMaster

BrewMaster

I had this question last time I took the test. I left some fiery comments for Microsoft. Ultimately, i chose C because it was the only answer that made any sense. When you actually run it though in a lab, it throws errors.

Josef

Josef

You dont need any keys when using oldschool “Managed service Account”!!! If you use the new “Group Managed Service Account” you have to get a key first!

Who

Who

Looks like the answer is this for the gMSA, group managed service account: Add-KDSRootKey –EffectiveImmediately
if the error states that there is no key. Reference: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
However, Josef points out that this is for one server and therefore it looks like C might be the answer if it is not a gMSA, but the answer might be C.
However, Spamme points out that -restricttosinglecomputer isnt there at all and that the answer was Add-KDSRootKey on the exam. Good luck to everyone!

spamme

spamme

That’s the thing Josef, I’m aware that you don’t need a key for an MSA. However none of their options above work.

As I stated, I did get the question on my test and it had add-kdsrootkey rather than the rootconfiguration. It does seem however that there may be a few reworded versions of this question in the exam.
Unfortunately it doesn’t fix the fact that their answer selection doesn’t even accomplish the task they’ve requested.

wish1

wish1

Hello Guys, i have 12 more new questions. Does anybody have the Avancet Creator so we can create a VCE?

Bruce941

Bruce941

I don’t have Avancet Creator, but I’m resitting very soon and this is my fifth time – just something with some of the subject matter so any new questions would be really helpful. I can’t afford to fail and be locked out for who knows how long.

410 – passed first time
412 – passed second time
411 – still trying (four fails so far – last one by only a question or two)

Really...

Really...

Bruce. You are a loser.

Cody

Cody

Cant you add them in the comments of one of the questions ?

23ds

23ds

please send it or post it up? thank you

Bruce941

Bruce941

After checking out the reference link that @sepp posted, I now tend to agree that it’s choice A. I was shooting for C because the question said MANAGED SERVICE ACCOUNT and a MSA doesn’t require a key. However, I’ll have to see the actual question to know for sure, and I hope I don’t on my next retake.

I wonder if there are any typos when this question was posted? Overall, it doesn’t sound like one of Microsoft’s best written questions ’cause to me, the answer could be either A or C. Sigh.

frank

frank

Mcsa.freeforums.net

Kaye

Kaye

None of the answers provided is correct. I think the correct one should be “Run Add-KDSRootKey and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com”

Below is what I read from my reference book for 70-411
——————————————————

Note: For Windows Server 2012, the Windows PowerShell cmdlets default to managing the
group managed service accounts (covered in the next section) rather than the original
standalone MSAs

Before you can create an MSA object type, you need to create a key distribution services root key for the domain.
To create the root key, run the following cmdlet from the Active Directory PowerShell module for Windows
PowerShell:
Add-KDSRootKey –EffectiveTime ((Get-Date).AddHours(-10))
You specify 10 hours so that AD DS replication has a chance to replicate the changes to other domain controllers
in the domain. For testing environments, you can use the add-kdsrootkey –EffectiveImmediately
instead.

iBecher

iBecher

Passed my 70-411 exam yesterday. About 5 new questions, all new questions can be found in PassLeader 70-411 dumps (http://www.passleader.com/70-411.html). Also, PassLeader’s 70-411 dumps have corrected many wrong answers. Good Luck for All.

Theodore Dave

Theodore Dave

Hi @iBecher can you share the PassLeader 70-411 dump with us. thanx

Theodore Dave

Theodore Dave

Hi @iBecher can you share the PassLeader 70-411 dump with us.thanx_ ” [email protected]

kurt

kurt

did my 70-411 yesterday i got 947. really good site. better than my 70-410 exam of 770

Dev7

Dev7

Does a higher score on the exam mean anything really? If you get a score of 700 and someone gets a score of 1000 you all get the same certificate no?

kurt

kurt

doesnt matter however on a 50/50 question, when u see my name and comments. know that i got a 95

Sonya

Sonya

Just thought I should add that I had this question on a test, and A was not one of the options given. In it’s place was something like “Run New-AuthenticationPolicy, and then run New-ADServiceAccount – Name “service01” – DNSHostName service01.contoso.com”

Failed 411

Failed 411

I actually had this on the exam and i had option Add-KDSRootKey what i picked as only option.

Noury

Noury

Passed yesterday with 920! About 5 – 10 new questions only saw from lead2pass dumps. Some answers between exams differ just follow l2p one.

karl

karl

“1. Create the KDS Root Key (only once per domain). This is used by the KDS service on DCs (along with other information) to generate passwords.

From a Windows Server 2012 Domain Controller (or Windows Server 2012/Windows 8 host with the ActiveDirectory PowerShell module) run:

Add-KDSRootKey –EffectiveImmediately…

..If you get a “key does not exist” error you forgot to do Step 1, or you were too impatient.”
https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

My vote is for A

Raei Siva

Raei Siva

New 70-411 Exam Questions and Answers Updated Recently (6/May/2016):

NEW QUESTION 435
You have a server named Server1 that is a number of a domain named contoso.com. You view the properties of a service on Server1 as shown in the graphic.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4351_thumb.png
Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4352_thumb.jpg

Answer:
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4353_thumb.jpg
Explanation:
Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:
– No password management is required.
– The ability to access the network with a computer identity in a domain environment.
Virtual accounts require very little management. They cannot be created or deleted, nor do they require any password management. You must be a member of the Administrators group on the local computer to perform the following procedures. To configure a service to use a virtual account:
– Click Start, point to Administrative Tools, and then click Services.
– In the details pane, right-click the service that you want to configure, and then click Properties.
– Click the Log On tab, click This account, and then type NT SERVICE\ServiceName. When you are finished, click OK.
– Restart the service for the change to take effect.
READ MORE — technet.microsoft.com/en-us/library/dd548356%20(v=WS.10).aspx

NEW QUESTION 436
You have a Windows Server Update Services (WSUS) server named Server1. Server1 synchronizes from Microsoft Update. You plan to deploy a new WSUS server named Server2. Server2 will synchronize updates Server2 will be separated from Server1 by a firewall from Server1. You need to identify which port must be open on the firewall so that Server2 can synchronize the updates. Which port should you identify?

A. 8530
B. 3389
C. 443
D. 80

Answer: A
Explantion:
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
– On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
– On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS The firewall on the WSUS server must be configured to allow inbound traffic on these ports
READ MORE — technet.microsoft.com/en-us/library/hh852346.aspx

NEW QUESTION 437
A technician installs a new server that runs Windows Server 2012 R2. During the installation of Windows Server Update Services (WSUS) on the new server, the technician reports that on the Choose Languages page of the Windows Server Update Services Configuration Wizard, the only available language is English. The technician needs to download updates in French and English. What should you tell the network technician to do to ensure that the required updates are available?

A. Complete the Windows Server Update Services Configuration Wizard, and then modify the update language on the server.
B. Uninstall all instances of the Windows Internal Database.
C. Change the update languages on the upstream server.
D. Change the System Local of the server to French.

Answer: C
Explanation:
Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
You will not be notified of needed updates in the unsynchronized languages.
The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.
Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers of all the downstream servers.
You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
To choose update languages for a downstream server:
If the upstream server has been configured to download update files in a subset of languages:
In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.
READ MORE — technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx

NEW QUESTION 438
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply settings to Group1 only. What should you use?

A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gpedit. msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember

Answer: C

NEW QUESTION 439
……

NEW QUESTION 440
Your network contains one Active Directory forest named contoso.com. You create a starter Group Policy object (GPO) named Starter_GPO1. From the Delegation tab of Starter_GPO1, you add a group named GPO_Admins and you assign the Edit settings permissions to the group. You create a new GPO named GPO1 from Starter_GPO1. You need to identity which action can he performed by the members of the GPO Admins group. What should you identify?

A. Modify the Delegation settings of Starter_GPO1.
B. Modify the Group Policy Preferences in Starter_GPO1.
C. Link a WMI filter to GPO1.
D. Modify the Administrative Templates in GPO1.

Answer: A
Explanation:
Permission rights applied to starter GPO objects are relative to the starter GPO objects only; they are not inherited from actual GPOs created from starter GPOs.
B is wrong because Starter GPOs do not have preferences, only Administrative Template policy settings.
READ MORE — technet.microsoft.com/en-us/library/cc753200.aspx

NEW QUESTION 441
……

P.S. These New 70-411 Exam Questions Were Just Updated From The Real 70-411 Exam, You Can Get The Newest 70-411 Dumps In PDF And VCE From — http://bitly.com/70-411-dumps-vce-pdf (447q)

Good Luck !!!

Guram

Guram

correct answer should be A first you need add-kdsrootkey command and than New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com TESTED IN LAB AND IT WORKS,

if you will not use command add-kdsrootkey Key does not exist error will be displayed.

So firs you will need to run KDSconfiguration first.

i think this question is not completed or some bad writting. hope microsoft will fix it.

Colin Evans

Colin Evans

Hi Guys, 411 v.8 and 411.wish1 are valid gave exam (sydney) yesterday and cleared with 9++.