MicrosoftDocs · zjorz · Jun 6, 2025
@@ -22,11 +22,11 @@ sections:
         answer: | 
           Yes, this configuration is supported provided the following prerequisites are met:
 
-          1. The dMSA account must be cached on the RODC.
-          1. The dMSA account must be manually added to the **PrincipalsAllowedToRetrieveManagedPassword** attribute of the machine by running the following command:
+          1. The dMSA account must be cached on the RODC. For this to be possible the dMSA account must first be added to the "Allowed To Be Cached" list of the corresponding RODC
+          2. The machine must be manually added to the **PrincipalsAllowedToRetrieveManagedPassword** attribute of the dMSA account by running the following command:
 
              ```powershell
-             Set-ADServiceAccount -Identity dMSAFinApp -PrincipalsAllowedToRetrieveManagedPassword Client$
+             Set-ADServiceAccount -Identity dMSAAccount$ -PrincipalsAllowedToRetrieveManagedPassword machine$
              ```
 
       - question: Can I force a password reset for a dMSA account?
@@ -46,9 +46,11 @@ sections:
         answer: |
           Yes, you can replace the service account with a dMSA. This process would require:
 
-          1.	Creating a new dMSA account.
-          1.	Reconfiguring the service to use the new dMSA account.
-          1.	Retiring the old service account.
+          1.	Enable the use of the dMSA on the target server
+          2.	Creating a new dMSA account.
+          3.	Using PowerShell, add the machine account manually to the PrincipalsAllowedToRetrieveManagedPassword attribute of the dMSA account
+          4.	Reconfiguring the service to use the new dMSA account.
+          5.	Retiring the old service account.
 
       - question: Will my service start using the dMSA during the migration process or only after the migration is complete?
         answer: The service will start using the newly created and configured dMSA only after the migration process is complete.