DRAG DROP
Your network contains an Active Directory forest named contoso.com. All domain controllers run Windows
Server 2008 R2.
The schema is upgraded to Windows Server 2012 R2.
Contoso.com contains two servers. The servers are configured as shown in the following table.
Server1 and Server2 host a load-balanced application pool named AppPool1.
You need to ensure that AppPool1 uses a group Managed Service Account as its identity.
Which three actions should you perform?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
A.
A Windows Server 2012 or Windows 8 domain member to run/use the gMSA.
Box 2:
To create a new managed service account
On the domain controller, click Start, and then click Run. In the Open box, type dsa. msc, and then click OK to
open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container
exists.
Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.
Run the following command: New-ADServiceAccount [-SAMAccountName<String>] [-Path <String>].
Box 3:
Configure a service account for Internet Information Services
Organizations that want to enhance the isolation of IIS applications can configure IIS application pools to run
managed service accounts.
To use the Internet Information Services (IIS) Manager snap-in to configure a service to use a managed service
account
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Double-click <Computer name>, double-click Application Pools, right-click <Pool Name>, and click Advanced
Settings.
In the Identity box, click …, click Custom Account, and then click Set.
Type the name of the managed service account in the format domainname\accountname.
Explanation:
Box 1:
Box 2:
Box 3: Modify the settings of AppPool1.Note:
Box 1:
Group Managed Service Accounts Requirements:At least one Windows Server 2012 Domain Controller
A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to
create/manage the gMS
Reference: Service Accounts Step-by-Step Guide
I have this TechNet article applying to 2008R2, makes me wonder why I have to upgrade the domain controller:
https://technet.microsoft.com/en-us/library/Dd391964%28v=WS.10%29.aspx
https://technet.microsoft.com/en-us/library/dd367859%28WS.10%29.aspx
maybe someone can help me out with what the point is that i’m overseeing…
0
0
The gMSA —group managed account—did not come out until 2012.
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
0
0
The original awnser is corrent. More info: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
0
0
but your article states you have to use Install-ADServiceAccount on the host where the gMSA will be used
0
0
Can the Schema be upgraded to 2012 R2 without a 2012 R2 domain controller? If not, then the given answer is wrong.
0
0
Yes you can. (This is BASIC knowledge)
0
0
This seems to have been settled about a year ago. The given answer appears to be correct.
http://www.aiotestking.com/microsoft/which-three-actions-should-you-perform-126/
0
0
Going to throw a spanner in the works. I think it is:
Install a 2012R2 DC
Set-ADServiceAccount
Install- ADServiceAccount
0
0
it has to be:
Install a 2012R2 DC
New-ADServiceAccount
Install- ADServiceAccount
modify settings
it is in the friggin microsoft books
u have to install the service before you modify the settings
0
0
however it is an application pool. so install-adserviceaccount may not be required
0
0
it still doesnt make sense. you install a dc 2012r2 but you stil have to create the kds root key. there are no options for this.
0
0
JohnyBoy says:
December 11, 2014 at 10:25 pm
Correct answer is:
Schema is 2012 so we don’t need any new DC.
Answer is:
1-We need to add a New-ADServiceAccount
2-We need to Install-ADServiceAccount to the Servers.
3-We need to change the Application Pool.
IMPORTANT:
http://technet.microsoft.com/en-us/library/jj128431.aspx#BKMK_gMSA_Req
Important: Service Accounts were already supported in 2008 howerver for gMSA we have more requirements:
Requirements:
Active Directory Domain Service requirements
• The Active Directory schema in the gMSA domain’s forest needs to be updated to Windows Server 2012 to create a gMSA.
You can update the schema by installing a domain controller that runs Windows Server 2012 or by running the version of adprep.exe from a computer running Windows Server 2012. The object-version attribute value for the object CN=Schema,CN=Configuration,DC=Contoso,DC=Com must be 52.
• New gMSA account provisioned
• If you are managing the service host permission to use gMSA by group, then new or existing security group
• If managing service access control by group, then new or existing security group
• If the first master root key for Active Directory is not deployed in the domain or has not been created, then create it. The result of its creation can be verified in the KdsSvc Operational log, Event ID 4004.
0
0
Collect.
1-We need to add a New-ADServiceAccount
2-We need to Install-ADServiceAccount to the Servers.
3-We need to change the Application Pool.
0
0