PrepAway - Latest Free Exam Questions & Answers

Which three actions should you perform?

DRAG DROP
Your network contains an Active Directory forest named contoso.com. All domain controllers
run Windows Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area
and arrange them in the correct order.


Answer: See the explanation.

Explanation:
Box 1:

Box 2:

Box 3: Modify the settings of AppPool1.

Note:
Box 1:
Group Managed Service Accounts Requirements:
At least one Windows Server 2012 Domain Controller
A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module,
to create/manage the gMSA.
A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc,
and then click OK to open the Active Directory Users and Computers snap-in. Confirm
that the Managed Service Account container exists.
2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the
Windows PowerShell icon.
3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>]
[-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS
application pools to run managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use
a managed service account

1. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
2. Double-click <Computer name>, double-click Application Pools, right-click <Pool
Name>, and click Advanced Settings.
3. In the Identity box, click …, click Custom Account, and then click Set.
4. Type the name of the managed service account in the format
domainname\accountname.
Reference: Service Accounts Step-by-Step Guide
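
The steps in the note above (domain controller requirement, account creation, application pool identity) written as PowerShell. This is an added example, not part of the original explanation; the gMSA name, the host group, the DNS host name and the CONTOSO NetBIOS name are assumptions.

```powershell
# Added example; the names below are assumptions, not values from the question.
$GmsaName  = 'gmsaAppPool1'            # hypothetical gMSA name
$HostGroup = 'AppPool1-Hosts'          # hypothetical group holding Server1 and Server2
$DnsName   = 'apppool1.contoso.com'    # hypothetical service DNS name

function New-AppPoolGmsa {
    # Run once from a machine with the ActiveDirectory module.
    Import-Module ActiveDirectory

    # Requirement: at least one DC on Windows Server 2012 (OS version 6.2) or later.
    $modernDc = Get-ADDomainController -Filter * | Where-Object {
        [version]($_.OperatingSystemVersion -replace ' \((\d+)\)', '.$1') -ge [version]'6.2'
    }
    if (-not $modernDc) { throw 'No Windows Server 2012 or later domain controller found.' }

    # gMSA passwords are derived from the KDS root key; create it if it is missing.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
        Write-Warning 'KDS root key created. Let it replicate before creating the gMSA.'
        return
    }

    # Least privilege: only members of this group may retrieve the managed password.
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $HostGroup -Members 'Server1$', 'Server2$'
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}

function Set-AppPoolGmsaIdentity {
    # Run on Server1 and on Server2 after a restart, so the computer account's
    # Kerberos ticket carries the new group membership.
    Import-Module ActiveDirectory, WebAdministration
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "This host cannot retrieve the password for $GmsaName."
    }
    # A gMSA is entered as DOMAIN\name$ with an empty password; identityType 3 = SpecificUser.
    Set-ItemProperty 'IIS:\AppPools\AppPool1' -Name processModel -Value @{
        identityType = 3; userName = "CONTOSO\$GmsaName`$"; password = ''
    }
}
```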

21 Comments on “Which three actions should you perform?”

  1. JohnyBoy says:

    Correct answer is:

    Schema is 2012 so we don’t need any new DC.

    Answer is:
    1-We need to add a New-ADServiceAccount
    2-We need to Install-ADServiceAccount to the Servers.
    3-We need to change the Application Pool.

    IMPORTANT:

    http://technet.microsoft.com/en-us/library/jj128431.aspx#BKMK_gMSA_Req

    Important: Service Accounts were already supported in 2008; however, for gMSA we have more requirements:

    Requirements:

    Active Directory Domain Service requirements
    • The Active Directory schema in the gMSA domain’s forest needs to be updated to Windows Server 2012 to create a gMSA.

    You can update the schema by installing a domain controller that runs Windows Server 2012 or by running the version of adprep.exe from a computer running Windows Server 2012. The object-version attribute value for the object CN=Schema,CN=Configuration,DC=Contoso,DC=Com must be 52.

    • New gMSA account provisioned

    • If you are managing the service host permission to use gMSA by group, then new or existing security group

    • If managing service access control by group, then new or existing security group

    • If the first master root key for Active Directory is not deployed in the domain or has not been created, then create it. The result of its creation can be verified in the KdsSvc Operational log, Event ID 4004.




  2. Kiebok says:

    Mark is right. gMSA requirement: “Windows Server 2012 DCs available for host to retrieve the password.” We need to install 2012 DC first as currently all DCs are 2008.

    The main answer is correct.




  3. kevin says:

    I had this question today, but with different answers. DomainController was not part of it. Answers were: New, Install, Set, Modify and something about a reg…




  4. Nuno says:

    1- Install a DC
    2- new-adserviceaccount to create a gmsa
    3- set-adserviceaccount with -PrincipalsAllowedToRetrieveManagedPassword arg to specify the hosts allowed to use gMSA account




  5. ry says:

    The steps are

    On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

    At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    New-ADServiceAccount [-Name] -RestrictToOutboundAuthenticationOnly [-ManagedPasswordIntervalInDays ] [-PrincipalsAllowedToRetrieveManagedPassword ]

    Next step is to modify the application service identity appPool

    Step 1 & 2
    https://technet.microsoft.com/en-us/library/jj128431.aspx

    Key thing here is that the domain controller needs to be win2012; right now it is win 2008




  6. Who says:

    For this example, the schema is updated, but we do not have a Server 2012 that is a DC.

    1. Upgrade at least one DC Server to 2012

    2. From Windows 2012 Server Run:
    Add-KDSRootKey -EffectiveImmediately

    wait ten hours…

    3. New-ADServiceAccount -name -DNSHostName -PrincipalsAllowedToRetrieveManagedPassword -ServicePrincipalNames

    4. Install-AdServiceAccount

    from: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx




  7. david says:

    Well the main answer is correct. steps should be like

    1. Upgrade at least one DC Server to 2012

    2. New-ADServiceAccount

    2a. Install-AdServiceAccount (install and test the gMSA on the host. While this isn’t always necessary, it’s safe practice)

    3-modify the settings




