PrepAway - Latest Free Exam Questions & Answers

Does this meet the goal?

In this section, you’ll see one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem, and you must determine whether the solution
meets the stated goals. Any of the solutions might solve the problem. It is also possible that none
of the solutions solve the problem. Once you answer a question in this section, you will NOT be
able to return to it. As a result, these questions will not appear in the review screen.
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution. Determine whether the solution meets the
stated goals.
Your network contains an Active Directory forest named contoso.com. The forest contains a
member server named Server1 that runs Windows Server 2016. All domain controllers run
Windows Server 2012 R2. contoso.com has the following configuration.

You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to
configure device registration. You need to configure Active Directory to support the planned
deployment. Solution: You raise the domain functional level to Windows Server 2012 R2. Does this
meet the goal?


A.
Yes

B.
No

18 Comments on “Does this meet the goal?”

  1. Darksider says:

    I think the right answer is no –> B
    There is a Windows Server 2016 and to allow Device Registration for Win10 and Server 2016 it is a requirement to have a 2016 Domain Controller.




    3



    1
  2. dermot says:

    A?

    This Doc; Configure a federation server with Device Registration Service https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service
    States: Your Active Directory forest must have the Windows Server 2012 R2 schema

    But to raise DFL to 2012 R2, 2012 R2 schema update must already be in place.

    Additionally, while this doc states: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/ad-fs-2016-requirements

    Schema requirements
    •New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
    •Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

    You can have 2016 schema update in place on the 2012 Domain
    so I say A.




    0



    5
    1. Reinhard says:

      Hi dermot,

      The next question I came across had the same environment and goal, but a different “solution” (“You run adprep.exe from a Windows Server 2016 installation media. Does this meet the goal?”). The correct answer to that was “no”, and the reason/explanation is that Adprep just prepares the domain for a Windows Server 2016 (it extends the schema in the process), but it does not actually raise the domain functional level to Windows Server 2016, which is required for Device Registration.

      So from the above I make the assumption that upgrading the schema to 2016 alone is not good enough to deploy an AD FS farm and enable device registration for Server1 (A Server 2016 O/S) in this particular question, so the answer should be B: No.

      Any further assistance or corrections to my assumption more than welcome.

      Thanks,
      Reinhard




      1



      0
  3. soma says:

    Domain controller requirements

    – AD FS requires Domain controllers running Windows Server 2008 or later.
    – At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.

    Domain functional-level requirements

    – All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.
    – A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user’s account in AD DS.

    Schema requirements

    – New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
    – Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

    THE ANSWER IS B. NO

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/ad-fs-2016-requirements#BKMK_4




    0



    0
  4. Nicolas G. says:

    It’s difficult to find the right answer for this question. Raising the domain functional level to Windows Server 2012 R2 doesn’t mean the AD schema is at 2016 version 85. We have a 2016 server but it’s only a member server. So I think the answer is B.




    0



    0
  5. Tetra-Grammaton-Cleric says:

    Answer: B. No

    To use Device Registration Service (previously known as ‘Workplace Join’) functionality, the schema of the forest that the AD FS servers are joined to must be set to Windows Server 2012 R2. I.e., the Forest Functional Level MUST be Windows Server 2012 R2 or higher.

    Note that it is possible to set the Domain Functional Level to a value that is higher than the Forest Functional Level, so in this case, the DFL is Windows Server 2012 R2, but the FFL is still Windows Server 2008 R2.




    2



    0
    1. Shadowner says:

      I agree on answer B as stated by Tetra.

      The answer only states to raise the DFL to 2012R2 (which can be done). However the FFL is still indeed 2008R2. So it’s still not complying with the requirements.




      0



      1
  6. Renato says:

    Actually you can add a Windows 2016 ADFS server to a Windows Server 2012 Domain Functional Level, but it will work on the Windows 2012 R2 FBL. That’s called a mixed farm.
    Only if you want to use new features from ADFS on Windows Server 2016, you need to raise not only DFL, but also FFL too. In that case you need at least one Windows 2016 domain controller.

    “A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm and it will operate at the same FBL as a Windows Server 2012 R2. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be “mixed”. However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016. With a mixed farm.”

    So I think the answer is A.




    0



    0
  7. dziri says:

    Work Place = Windows server 2012
    Device Registration = Windows Server 2016

    In this question we want to install a new Farm –>> A is Correct

    **************
    Moving from AD FS in Windows Server 2012 R2 to AD FS in Windows Server 2016 is easier
    **************
    Previously, migrating to a new version of AD FS required exporting configuration from the old farm and importing to a brand new, parallel farm.

    Now, moving from AD FS on Windows Server 2012 R2 to AD FS on Windows Server 2016 has become much easier. Simply add a new Windows Server 2016 server to a Windows Server 2012 R2 farm, and the farm will act at the Windows Server 2012 R2 farm behavior level, so it looks and behaves just like a Windows Server 2012 R2 farm.

    Then, add new Windows Server 2016 servers to the farm, verify the functionality and remove the older servers from the load balancer. Once all farm nodes are running Windows Server 2016, you are ready to upgrade the farm behavior level to 2016 and begin using the new features.




    0



    1
  8. Ken says:

    I believe the answer is A) yes

    New in AD FS for Windows Server 2016 is the farm behavior level feature (FBL). This feature is farm-wide and determines the features that the AD FS farm can use. By default, the FBL in a Windows Server 2012 R2 AD FS farm is at the Windows Server 2012 R2 FBL.

    A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm and it will operate at the same FBL as a Windows Server 2012 R2. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be “mixed”. However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016. With a mixed farm:

    Administrators can add new, Windows Server 2016 federation servers to an existing Windows Server 2012 R2 farm. As a result, the farm is in “mixed mode” and operates the Windows Server 2012 R2 farm behavior level. To ensure consistent behavior across the farm, new Windows Server 2016 features cannot be configured or used in this mode.




    0



    1
  9. Ken says:

    Configure a federation server with Device Registration Service

    Prepare your Active Directory forest to support devices
    Note

    This is a one-time operation that you must run to prepare your Active Directory forest to support devices. You must be logged on with enterprise administrator permissions and your Active Directory forest must have the Windows Server 2012 R2 schema to complete this procedure. Additionally, DRS requires that you have at least one global catalog server in your forest root domain.
    Additionally, DRS requires that you have at least one global catalog server in your forest root domain. The global catalog server is required in order to run Initialize-ADDeviceRegistration and during AD FS authentication. AD FS initializes an in-memory representation of the DRS config object on each authentication request and if the DRS config object cannot be found on a DC in the current domain, the request is attempted against the GC on which the DRS objects were provisioned during Initialize-ADDeviceRegistration.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service

    After further research it looks like device will make the answer B) no




    0



    0
  10. Clarity says:

    I think the biggest confusion comes from the fact people think you need to raise the FFL/DFL to 2012 R2 in order for Device Registration to work. According to article https://technet.microsoft.com/en-us/library/dn550982(v=ws.11).aspx:

    “You do not need a domain controller running Windows Server 2012 R2 for this solution. All you need is a schema update from your current AD DS installation. You can update the schema on existing domain controllers without installing a domain controller that runs Windows Server 2012 R2 by Running Adprep.exe.”

    According to information from question:
    1. All domain controllers run Windows Server 2012 R2. (Schema has been extended to Windows Server 2012 R2 in the process of installing the DCs).
    2. The forest contains a member server named Server1 that runs Windows Server 2016. (This will be the future ADFS server).

    Device Registration requirements:
    1. Active Directory forest must have the Windows Server 2012 R2 schema.
    2. DRS requires that you have at least one global catalog server in your forest root domain.

    ADFS 2016 requirements:
    1. AD FS requires Domain controllers running Windows Server 2008 or later. (Already present).
    2. At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work. (We do not need MS Passport for Work).
    3. All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher. (Already present).
    4. A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user’s account in AD DS. (Already available).
    5. New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85). (Not present, should be considered).
    6. Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85). (Not present, should be considered).

    Conclusion:
    In order to deploy ADFS 2016 with Device Registration you will need:
    1. AD schema extended to Active Directory 2016 (minimum version 85). (Required)
    2. Domain Controllers should be 2016 only if you need MS Passport for Work. (Optional)
    3. A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user’s account in AD DS. (Optional)

    Answer:
    NO. Raising the DFL to 2012R2 will not be sufficient to implement ADFS 2016, because it requires AD schema to be extended to Active Directory 2016 (minimum version 85).




    10



    0
  11. Martijn says:

    Answer –> B

    I tested this in my LAB.
    1. Installed a Windows 2012R2 DC with Forest and Domain mode Windows 2008R2.
    2. Installed a Windows 2016 member server.
    3. Configured AD FS. (This is still working).
    4. When I try to enable device registration with the PowerShell command Initialize-ADDeviceRegistration I get the following error:

    Initialize-ADDeviceRegistration : Active Directory schema needs to be upgraded to Windows Server 2016 before the
    federation service can be installed.
    At line:1 char:1
    + Initialize-ADDeviceRegistration




    2



    0
  12. Knox says:

    Tough question. As I understand, 1) Raising the domain functional level would not be sufficient enough, because the forest functional level must also be raised in order to support Device Registration and 2) The first server in the ADFS Farm, as indicated in the question, will be running Server 2016. There are no DCs running Server 2016, so the schema will have to be extended first (either running ADPrep or just promoting a new Server 2016 DC) before you can complete this config.

    So I say B) No




    2



    0
  13. Knox says:

    Also, you do not need to raise the domain functional level because the schema has already been extended to 2012 R2 since the domain controllers are 2012 R2. ADPrep.exe runs automatically on 2012 R2 during the promotion process. So the solution to raise the domain functional level accomplishes nothing, when really ADPrep needs to be run from 2016 installation media to support ADFS 2016.




    0



    0
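
The comments above turn on three directory properties: the schema version, the forest and domain functional levels, and whether the forest root domain has a global catalog server. A read-only PowerShell check that reports all three, as an added example that is not part of any comment or of the original page; it assumes the ActiveDirectory (RSAT) module is installed, and the function name Test-AdfsDrsPrerequisite is hypothetical:

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only checks, nothing in the directory is changed.
# Test-AdfsDrsPrerequisite is a hypothetical name chosen for this sketch.
function Test-AdfsDrsPrerequisite {
    [CmdletBinding()]
    param(
        # "Active Directory 2016 schema (minimum version 85)", as quoted in the thread.
        [int]$MinimumSchemaVersion = 85
    )

    # The schema version is the objectVersion attribute on the schema naming context.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest
    $domain  = Get-ADDomain

    # DRS needs at least one global catalog server in the forest root domain.
    $rootGcs = @(Get-ADDomainController -Filter * -Server $forest.RootDomain |
                 Where-Object { $_.IsGlobalCatalog })

    [pscustomobject]@{
        SchemaVersion      = [int]$schema.objectVersion
        SchemaMeetsMinimum = ([int]$schema.objectVersion -ge $MinimumSchemaVersion)
        ForestMode         = $forest.ForestMode   # forest functional level
        DomainMode         = $domain.DomainMode   # domain functional level
        RootDomainGCs      = $rootGcs.HostName
        RootDomainHasGC    = ($rootGcs.Count -gt 0)
    }
}

$check = Test-AdfsDrsPrerequisite
$check | Format-List

if (-not $check.SchemaMeetsMinimum) {
    Write-Warning "Schema objectVersion $($check.SchemaVersion) is below 85."
}
if (-not $check.RootDomainHasGC) {
    Write-Warning "No global catalog server found in the forest root domain."
}
```

The functional levels are reported separately from the schema version because they are independent settings, which is the distinction several of the comments argue over.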
