Your network contains an Active Directory domain

named contoso.com. The functional level of the domain and the forest is Windows Server 2008 R2.

All domain controllers run Windows Server 2008 R2.

You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.

Yo

u need to recommend changes to the network to ensure that Active Directory can provide claims for App1.

What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)

A. From the properties of t

he computer accounts of the domain controllers, enable Kerberos constrained delegation.

B. From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos armoring setting.

C. Deploy Active Directory Lightweight Direc

tory Services (AD LDS).

D. Raise the domain functional level to Windows Server 2012.

E. Add domain controllers that run Windows Server 2012.

Explanation:

E: You must perform several steps to enable claims in Server 2012 AD. First, you must

upgrade the forest schema to Server 2012. You can do so manually through Adprep, but Microsoft strongly recommends that you add the AD DS role to a new Server 2012 server or upgrade an existing DC to Server 2012.

B: Once AD can support claims, you must en

able them through Group Policy:

From the Start screen on a system with AD admin rights, open Group Policy Management and select the Domain Controllers Organizational Unit (OU) in the domain in which you wish to enable claims.

Right-click the Default Domain

Controllers Policy and select Edit.

In the Editor window, drill down to Computer Configuration, Policies, Administrative Templates, System, and KDC (Key Distribution Center).

Open KDC support for claims, compound authentication, and Kerberos armoring.

Sel

ect the Enabled radio button. Supported will appear under Claims, compound authentication for Dynamic Access Control and Kerberos armoring options