PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and child1.contoso.com. The domains contain three domain
controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in the child1.contoso.com domain.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)


A. Upgrade DC1 to Windows Server 2012 R2.

B. Upgrade DC11 to Windows Server 2012 R2.

C. Raise the domain functional level of child1.contoso.com.

D. Raise the domain functional level of contoso.com.

E. Raise the forest functional level of contoso.com.

Explanation:
The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level
(A), then raise the contoso.com domain functional level to Windows Server 2012 (D).
* (A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:
  - All Windows Server 2012 domain controllers
  - Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests
  - Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

What’s New in Kerberos Authentication
http://technet.microsoft.com/en-us/library/hh831747.aspx

18 Comments on “Which two actions should you perform?”

    1. kurt says:

      Skippy, this doesn't seem correct. Even if what you assert is true, the domains would not be at 2012 functional level if you did A and D. Contoso would be at the 2012 domain functional level but child1.contoso would not.
      Further, I haven't read that the root domain must be at 2012 for the child domains to support this. It is nonsensical.
      It can't be A and D. It is B C.




  1. Clever4ever says:

    Thanks Skippy, you're right.

    You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012.

    from

    I would go with: B, E




    1. Kilo says:

      The schema is different than the functional level. The schema must be upgraded to allow the installation of 2012 R2 domain controllers. So we can assume this is already done. I believe the answer is to update the other domain controller in the child domain and then raise the functional level of the child domain.




  2. Skippy says:

    Isa,

    Now that I look at it I would tend to agree. We must assume the DFL of the child domain is 2008R2. In order for this to be enforced on the child domain we have to upgrade dc11 to at least 2012. From there we raise the DFL to 2012.

    That makes sense




  3. tmkreddy55 says:

    You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.




  4. tmkreddy55 says:

    I’d go with Clever4ever, B and C.

    As per https://technet.microsoft.com/en-us/library/hh831747.aspx

    Configuration - Always provide claims

    Results - All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring
    Requires Windows Server 2012 domain functional level

    DC behavior in Windows Server 2012 –
    Claims always provided
    Compound authentication provided on request when resource supports it
    Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported




  5. Mnoble says:

    I chose B&C off the bat and was surprised to see the answer (It’s wrong).

    If you have a forest with multiple domain partitions each partition can run at a higher level than the forest. Just not lower.

    This is due to the Schema Database being forest wide.




  6. PeterN says:

    I think it is B & C as well. I’ve seen another similar question that asks about implementing KDC in the contoso domain, and I think the answers supplied here would be correct for that question.

    I can’t find anything that says the root domain has to be 2012 to support it.




  7. Gary Trembath says:

    Configuration 3: Device-based access control needed, but cannot wait until all domain controllers can be upgraded

    This configuration will be unique to your environment and can be difficult to support when Windows 8 devices have different configurations.
    General requirements for all environments:
    If cross-forest trusts exist, then root domain must have all Windows Server 2012 domain controllers (a cross-forest trust exists in this scenario)

    For each domain which provides claims and compound authentication on request, there cannot be Windows Server 2003 domain controllers

    For resources using device-based access control, receiving compound authentication must be enabled unless a central access policy is being used.

    https://technet.microsoft.com/en-us/library/hh831366(v=ws.11).aspx




  8. Gilbert says:

    Domain Functional Level: Windows Server 2012

    Available features:
    The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.

    DC OS versions supported on DFL Server 2012:
    Windows Server 2012 R2
    Windows Server 2012



