Exam AZ-800 topic 1 question 20 discussion

BC are the correct answers

There is something wrong in answer for this question. In my opinion most suitable 2 action from given posibilities are: 1. On DC1, run the New-ADServiceAccount cmdlet 2. On Server1, run the Install-ADServiceAccount cmdlet Answer E (On DC1, run the Set-ADComputer cmdlet) does not help in configuration of gMSA at all. Maybe in original question answer E has form: "On DC1, run the Set-ADServiceAccount cmdlet" but without running Install-ADServiceAccount cmdlet gMSA will not be installed

B. On DC1, run the New-ADServiceAccount cmdlet: This command is used to create a new group managed service account (gMSA) in Active Directory. It is the first step to define the gMSA in the domain, associating it with the necessary servers or services. C. On Server1, run the Install-ADServiceAccount cmdlet: Once the gMSA is created, you need to install it on the server (Server1) where the application and custom service will run. This command ensures that the gMSA is installed and ready for use by the custom Windows service.

This question is valid Exam date - 27-07-2024

B, C To create, configure, and install the Group Managed Service Account (gMSA) for the new application on Server1, you should perform the following actions: B. On DC1, run the New-ADServiceAccount cmdlet. This cmdlet creates a new gMSA account in Active Directory. C. On Server1, run the Install-ADServiceAccount cmdlet. This cmdlet installs the gMSA on Server1, allowing it to be used by the new application. Therefore, the correct actions to perform are: B. On DC1, run the New-ADServiceAccount cmdlet. C. On Server1, run the Install-ADServiceAccount cmdlet. These actions will create and install the gMSA on Server1, ensuring that the custom Windows service for the LOB application can run under the context of the gMSA as required by the corporate security policy.

Correct Answers: B & C A. On Server1, run the setspn command. ->[incorrect] not needed B. On DC1, run the New-ADServiceAccount cmdlet. ->[correct] This is the command which will create the service account, and allow specified domain computer, access the gMSA password. C. On Server1, run the Install-ADServiceAccount cmdlet. ->[Correct] This is the command, used to install the gMSA on the member server, where we will use the gMSA account. D. On Server1, run the Get-ADServiceAccount cmdlet. ->[incorrect] Returns the gMSA account, does nothing else. E. On DC1, run the Set-ADComputer cmdlet. ->[incorrect] Not needeed, command in "B" is enough. This is command is used when you need to change the configuration. In this case not required. F. On DC1, run the Install-ADServiceAccount cmdlet. ->[incorrect] this command should be used on the domain server, where the service account is going to be used. Explanation video: https://www.youtube.com/watch?v=ZS4vufyKEHo

Solution : B & C: Expl: normally, we should do the below 3 actions: 1- New-ADServiceAccount with parameters like name, description, and so.... 2- Add-ADComputerServiceAccount on DC (to add the service account to the computer Object Server1) 3- Add Powershell Module "ActiveDirectory" to Server1 (because it is not DC) 3- Install-ADServiceAccount on Server1 https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

B & C are correct.Account needs to be added, and then installed on the server that will use it.

Options A,D & E don't make sense so that leaves B,C & E "on server1" so B and C are the answers

BC are correct

Difference between gMSA and MSA is that its targeted on the group instead of the computeraccount. SInce we can only give two answers we need to presume that Server1 is already in a group. B is to create the gMSA C is to install it on Server1

Set-adserviceaccount used for gMSA , install-adserviceaccount for MSA

BC: To create, configure, and install the gMSA that will be used by the new application, you will need to perform the following actions: Create a new group managed service account (gMSA) by using the PowerShell cmdlet "New-ADServiceAccount -Name <gMSA_Name> -DNSHostName <gMSA_FQDN> -PrincipalsAllowedToRetrieveManagedPassword <Server1>" This cmdlet creates a new gMSA with a specific name and DNS hostname, and specifies the Server1 as the computer allowed to retrieve the managed password. Install the gMSA on the Server1 by using the PowerShell cmdlet "Install-ADServiceAccount -Identity <gMSA_Name>" This cmdlet installs the gMSA on the Server1, allowing the custom Windows service to use the gMSA to authenticate. These two actions will create and configure the gMSA that will be used by the new application, and install it on the Server1 so that the custom Windows service can use it for authentication. It's important to note that the gMSA should be installed before installing the LOB application.

We need to: create, configure, and install the gMSA that will be used by the new application. The Set-ADComputer cmdlet modifies the properties of an Active Directory computer object. Install-ADServiceAccount Reference Feedback Module: ActiveDirectory Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer. So from the link provided the answer is B,C

B and E is correct, please see: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts From link Microsoft: New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts$ -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso Set-ADServiceAccount [-Identity] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host2$,Host3$

B C sent to be the correct options here

B and C