EXAM TIP
The cmdlet names and interaction between the two sets of Windows PowerShell nouns,
ADServiceAccount and ADComputerServiceAccount, are the sorts of sound-alike cmdlets
that lend themselves to tempting distractors for exam questions. Plus, if you remove the
MSA from Active Directory without first modifying any services that rely on it, bad things
will happen.
Creating and configuring group Managed Service Accounts (gMSAs)
The group Managed Service Account (gMSA), introduced in Windows Server 2012, takes the
functionality of the stand-alone MSA and extends that functionality across multiple servers.
This change allows gMSAs to be used for services that span multiple hosts and also extends
the basic MSA to allow it to be used for scheduled tasks, Internet Information Services (IIS)
application pools, SQL 2012, and Microsoft Exchange.
To enable automatic password management across multiple computers, gMSAs use the
Key Distribution Services (KDS) running on a Windows Server 2012 or Windows Server 2012
R2 domain controller to distribute keys.
Creating a gMSA
Before you can create a gMSA, you need to create the KDS root key. This step is required only
once per domain. Use the following command:
Add-KDSRootKey -EffectiveImmediately
Even though you specified that the root key should be effective immediately, it actually
takes 10 hours before the key is effective, which ensures that the key is fully deployed to all
domain controllers in the domain.
EXAM TIP
In the heat of the exam, it's easy to forget that not only do you need to create the KDS root
key but also that it isn't effective for 10 hours. Read the question carefully and see whether
there's a time-sensitive clue. It could be an indicator.
To simplify managing a gMSA and the computers that can use it, it's useful to have the
computers that will use the gMSA in a security group. However, if you create a new security
group and assign computers to it, you have to restart the computers before the group
membership is recognized.
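The following script is an added example, not code from the original text. It walks the prerequisites described above in order: the once-per-domain KDS root key, the 10-hour wait, and the security group of host computers. The group, host and account names are assumed placeholders, and the readiness rule (wait until both the key's EffectiveTime and its creation time plus 10 hours have passed) is a conservative assumption of this example.

```powershell
# Added example. All names marked "assumed" are placeholders, not values from the text.
Import-Module ActiveDirectory

$GroupName = 'gMSA-WebFarm-Hosts'          # assumed security group name
$Hosts     = 'WEB01', 'WEB02'              # assumed computer account names
$GmsaName  = 'gmsa-webfarm'                # assumed gMSA name
$GmsaDns   = 'gmsa-webfarm.contoso.test'   # assumed DNS host name
$WaitHours = 10                            # delay stated in the text

# 1. The KDS root key is needed only once per domain, so look before adding one.
$key = Get-KdsRootKey | Sort-Object CreationTime | Select-Object -First 1
if (-not $key) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    $key = Get-KdsRootKey | Sort-Object CreationTime | Select-Object -First 1
}

# 2. Conservative readiness time (assumption of this example): the later of
#    the key's EffectiveTime and its CreationTime plus the 10-hour wait.
$readyAt = $key.CreationTime.AddHours($WaitHours)
if ($key.EffectiveTime -gt $readyAt) { $readyAt = $key.EffectiveTime }

# 3. Keep the hosts that may use the gMSA in one security group.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}
$current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name)
$added = foreach ($h in $Hosts) {
    if ($current -notcontains $h) {
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $h)
        $h   # remember hosts whose membership changed
    }
}
if ($added) {
    Write-Warning "Restart before the new membership is recognized: $($added -join ', ')"
}

# 4. Create the gMSA only once the root key is usable, and let only the
#    group's members retrieve the managed password.
if ((Get-Date) -lt $readyAt) {
    Write-Warning "KDS root key $($key.KeyId) not usable until $readyAt; gMSA not created."
    return
}
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $GmsaDns `
        -PrincipalsAllowedToRetrieveManagedPassword $group
}
```

The script can be re-run safely: on a second pass after the wait it skips the key and group steps and only creates the account.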
 
 
 