Great series @haslund! 👏 I hope I'll have time to watch the complete playlist.
About this question; I've gone with answer 1. While answer 3 with the separate forest would be a better solution, I thought that two-factor authentication with service accounts won't work. It may depend on the definition of service account, but if those are for example the guest credentials, then we can't use two-factor?
I understand why using a separate mgmt domain/forest would satisfy the “easy to manage” requirement, how do you get around the “no domain accounts” requirement? And, as someone else asked, how would you configure MFA for a service account, which has no other factors?
To me getting around “no domain accounts” is just that - use a workgroup not a domain. MFA can be configured for a service account but typically those you set to no MFA so you can run PowerShell, etc. with them, otherwise you need to turn off MFA for some tasks I have found.
We have another domain for our Veeam environment and a one-way trust to the Production domain (MGMT) where we back things up. I use domain accounts with complex passwords on them without issues.
> To me getting around “no domain accounts” is just that - use a workgroup not a domain.
And that’s my question - @haslund answered to use a mgmt domain, not a workgroup.
> We have another domain for our Veeam environment and a one-way trust to the Production domain (MGMT) where we back things up. I use domain accounts with complex passwords on them without issues.
That is what I would use as well in this case, if it weren’t for that one requirement.
I assumed that’s what he meant. But is that sufficient to get around the “no domain accounts” rule? It’s one thing to understand the thought processes in the question, but this seems like Best Practice is contradicting a stated requirement, and no indication which one is actually correct.
Well I use domain accounts in the separate domain I have. So I guess it would not get around that rule based on the video. This may have changed since then though.
In the video he selected the answer to use the mgmt domain, which is why I’m conflicted about what answer I put down if I see this question when I take the exam tomorrow :(
Best of luck. I watched the videos just for thought process not answers.
@RubinCompServ A general recommendation for the exam. Sometimes you need to look for the best answer, not for the correct one. So what fits best given the requirements.
In the question above you need to provide the most secure solution which is easiest to manage and where you can quickly disable accounts. And that's exactly a management domain.
Regarding the non-domain accounts; I would have referred that to the production domain and not as a blocker for a separate management domain.
Btw. Those are no real exam questions, so you might see similar ones but not the same 😉