ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-800 All Questions

View all questions & answers for the AZ-800 exam
Go to Exam

Exam AZ-800 topic 1 question 38 discussion

Actual exam question from Microsoft's AZ-800
Question #: 38
Topic #: 1
[All AZ-800 Questions]

DRAG DROP
-

Your network contains an Active Directory domain named contoso.com. The domain contains group managed service accounts (gMSAs). You have a server named Server1 that runs Windows Server and is in a workgroup. Server1 hosts Windows containers.

You need to ensure that the Windows containers can authenticate to contoso.com.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Show Suggested Answer Hide Answer
Suggested Answer:
by skycrap at June 13, 2023, 12:39 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
skycrap
Highly Voted 2 years, 2 months ago
I think: Create a gMSA and a standard user account From a domain-joined computer, cerate a credential spec file and copy the file to Server1 On Server1, install and run ccg.exe https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts#use-case-for-creating-gmsa-account-for-non-domain-joined-container-hosts
upvoted 31 times
Tiago_MP
2 years ago
You nailed it! Nothing to add!
upvoted 4 times
...
MR_Eliot
1 year, 11 months ago
I agree
upvoted 1 times
...
Dools
1 year, 8 months ago
Your comment is correct From the MS doco. The credential spec file is created using the CredentialSpec PowerShell module on a domain-joined machine.
upvoted 3 times
...
...
rknichols01
Highly Voted 1 year, 7 months ago
the kds key is already created, because there are already gMSA accounts. 1) create a new gMSA account 2) from a domain joined computer create a credential spec file and copy to server 1. this can only be created from a domain joined computer. 3) run ccg.exe using the credentials file.
upvoted 5 times
...
Tr619899
Most Recent 1 month ago
1. In contoso.com, create a gMSA and a standard user account. Create the gMSA in Active Directory. The standard user account is used to query the domain for the gMSA. 2. From a domain-joined computer, create a credential spec file and copy the file to Server1. This file contains necessary metadata for the container to impersonate the gMSA. 3. On Server1, install and run ccg.exe. The CredentialSpec Config Generator (ccg.exe) enables the non-domain-joined host to use the spec file correctly for container authentication.
upvoted 1 times
...
albert_oc
11 months, 3 weeks ago
As per Copilot: To ensure that the Windows containers on Server1 can authenticate to contoso.com, follow these steps in sequence: 1. In contoso.com, generate a Key Distribution Service (KDS) root key: This is necessary to create group Managed Service Accounts (gMSAs). 2. In contoso.com, create a gMSA and a standard user account: This will provide the necessary accounts for authentication. 3. From a domain-joined computer, create a credential spec file and copy the file to Server1: This file will be used by the containers to authenticate using the gMSA12. https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-run-container https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
upvoted 3 times
Srle
6 months ago
You are correct, since "New-CredentialSpec" and "ccg.exe" commands CAN'T be run on non-domain joined server, so only 3 options are left to choose in sequence
upvoted 1 times
Tayhull2023
4 months ago
ccg.exe can be run on a non-domain computer. "gMSA for containers with a non-domain joined host provides the flexibility of creating containers with gMSA without joining the host node to the domain. Starting with Windows Server 2019, ccg.exe is supported, which enables a plug-in mechanism to retrieve gMSA credentials from Active Directory" - https://learn.microsoft.com/en-us/azure/aks/aksarc/prepare-windows-nodes-gmsa
upvoted 1 times
...
...
...
Bolo92
1 year, 8 months ago
valid 27.11.23
upvoted 4 times
...
Jothar
1 year, 9 months ago
Server 1 is NOT on the domain so it can't run new-credentialspec. https://www.fearofoblivion.com/running-a-windows-container-under-gmsa So that can be rules out.
upvoted 1 times
...
NazerRazer
1 year, 10 months ago
To enable Windows containers hosted on Server1 to authenticate to contoso.com using group Managed Service Accounts (gMSAs), you should perform the following actions in sequence: In contoso.com, generate a key distribution service (KDS) root key: This step is crucial for creating and managing gMSAs. In contoso.com, create a gMSA and a standard user account: This is necessary to associate the gMSA with a service and grant it appropriate permissions. On Server1, run new-credential spec: This step allows you to create a credential specification file for the gMSA, which you'll use to configure container authentication.
upvoted 1 times
Burkidur
1 year, 7 months ago
It says that the domain ALREADY contains gMSAs. That means KDC was already created.
upvoted 3 times
...
NazerRazer
1 year, 10 months ago
The other answers are incorrect for the following reasons: On Server1, install and run ccg.exe: This action is not needed to set up gMSA-based authentication for Windows containers. The "ccg.exe" tool (Container Credential Guard) is related to credential protection and is not directly involved in the process of configuring gMSAs. From a domain-joined computer, create a credential spec file and copy the file to Server1: While creating a credential spec file is part of the process, it should be performed on Server1, not on a domain-joined computer. The correct sequence of actions involves creating the credential spec file on Server1 after the necessary gMSA and KDS root key have been set up in the domain . Copying the file to Server1 is typically part of the final steps in configuring the container for gMSA-based authentication.
upvoted 3 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel