From 786652908ece5e2efa6416c3140b0694a563913b Mon Sep 17 00:00:00 2001
From: Jorge de Almeida Pinto | IAMTEC
Date: Fri, 6 Jun 2025 18:15:38 +0200
Subject: [PATCH] Update delegated-managed-service-accounts-faq.yml

Fixed the steps listed in "Yes, this configuration is supported provided the following prerequisites are met"
Added more detail to the steps in "Yes, you can replace the service account with a dMSA. This process would require:"
---
 .../delegated-managed-service-accounts-faq.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/WindowsServerDocs/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-faq.yml b/WindowsServerDocs/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-faq.yml
index d5544160b1..3db5455fbc 100644
--- a/WindowsServerDocs/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-faq.yml
+++ b/WindowsServerDocs/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-faq.yml
@@ -22,11 +22,11 @@ sections: answer: | Yes, this configuration is supported provided the following prerequisites are met: - 1. The dMSA account must be cached on the RODC. - 1. The dMSA account must be manually added to the **PrincipalsAllowedToRetrieveManagedPassword** attribute of the machine by running the following command: + 1. The dMSA account must be cached on the RODC. For this to be possible the dMSA account must first be added to the "Allowed To Be Cached" list of the corresponding RODC + 2. The machine must be manually added to the **PrincipalsAllowedToRetrieveManagedPassword** attribute of the dMSA account by running the following command: ```powershell - Set-ADServiceAccount -Identity dMSAFinApp -PrincipalsAllowedToRetrieveManagedPassword Client$ + Set-ADServiceAccount -Identity dMSAAccount$ -PrincipalsAllowedToRetrieveManagedPassword machine$ ``` - question: Can I force a password reset for a dMSA account? @@ -46,9 +46,11 @@ sections: answer: | Yes, you can replace the service account with a dMSA. This process would require: - 1. Creating a new dMSA account. - 1. Reconfiguring the service to use the new dMSA account. - 1. Retiring the old service account. + 1. Enable the use of the dMSA on the target server + 2. Creating a new dMSA account. + 3. Using PowerShell, add the machine account manually to the PrincipalsAllowedToRetrieveManagedPassword attribute of the dMSA account + 4. Reconfiguring the service to use the new dMSA account. + 5. Retiring the old service account. - question: Will my service start using the dMSA during the migration process or only after the migration is complete? answer: The service will start using the newly created and configured dMSA only after the migration process is complete.
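Review bot: In the first hunk (the RODC prerequisites), the direction fix in step 2 is correct, since PrincipalsAllowedToRetrieveManagedPassword is an attribute of the service account object that lists the computers permitted to retrieve its password, but the new step 1 names an "Allowed To Be Cached" list without saying where it is configured, while step 2 gets a full command; pointing the reader at the RODC's Password Replication Policy allowed list would make both steps equally actionable. Two smaller points: step 1 is missing its terminal period, and `-Identity dMSAAccount$` introduces a trailing `$` that the removed line (`-Identity dMSAFinApp`) did not use, so readers will wonder whether the `$` is required; pick one form for the `-Identity` value. Since everything listed in that attribute can retrieve the password, it is also worth saying that `machine$` stands for the specific host's computer account rather than a group. Finally, the list moves from the file's existing `1.` / `1.` auto-numbered style to explicit `1.` / `2.`, which is fine if the other lists in the FAQ are changed to match.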
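Review bot: In the second hunk (the migration steps), the new step 1 ("Enable the use of the dMSA on the target server") says what to do but not how, and the list is now inconsistent in form: items 2, 4 and 5 keep the original "-ing" phrasing ("Creating", "Reconfiguring", "Retiring") while items 1 and 3 switch to imperatives ("Enable", "add"), and items 1 and 3 lack terminal periods. Suggest one verb form throughout, and for item 3 either referencing the `Set-ADServiceAccount ... -PrincipalsAllowedToRetrieveManagedPassword` command shown in the RODC answer earlier in this file or at least bolding **PrincipalsAllowedToRetrieveManagedPassword** as that answer does, so the two answers read consistently. The switch from the file's `1.` auto-numbering to explicit `1.` through `5.` should likewise be applied to the whole FAQ or not at all.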