Exam AZ-800 topic 1 question 13 discussion

Correct. several questions asked if different ways, come down to the same basic answer: Add-kdsrootkey (on a domain controller; if it was never configured in the past) Add-ADServiceAccount (on domain controller - specify a server name, with $ at the end: servername$ or a security group name) Install-ADServiceAccount (on the server where gMSA account will be used, specify with the servername$)

Answer is correct First you must create a key (process takes circa 10 hours) and then you can create an account for gMSA. If KDS does not exist you get an error. Last command to execute is Install-ADServiceAccount

Valid 05/28/2024

To ensure that the NLB service on the cluster nodes can use a Group Managed Service (gMSA) account to authenticate, you must run the following PowerShell cmdlets in sequence: Add-KdsRootKey: This cmdlet is used to create a new root key for the Key Distribution Service. This key is required for the generation of group-managed service accounts. New-ADServiceAccount: This cmdlet is used to create a new service account in Active Directory. Add-ADComputerServiceAccount: This cmdlet is used to add a service account to a computer. In this case, you would add the service account you just created to the servers in the NLB cluster. Please note that the cmdlets "Install-ADServiceAccount", "Set-KdsConfiguration" and "Add-ADGroupMember" are not required to meet the mentioned requirements.

the last step is set-adservoceaccount not install

Before you can create a group Managed Service Account (gMSA), you need to create the first master root key for Active Directory. Then, you can create the gMSA using the New-ADServiceAccount cmdlet. Finally, you can test and cache the gMSA on each of the web servers using the Install-ADServiceAccount cmdlet. Answer is correct