PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and child1.contoso.com. The domains contain three domain
controllers. The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in both domains.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)


A.
Raise the domain functional level of contoso.com.

B.
Raise the domain functional level of child1.contoso.com.

C.
Raise the forest functional level of contoso.com.

D.
Upgrade DC11 to Windows Server 2012 R2.

E.
Upgrade DC1 to Windows Server 2012 R2.

Explanation:
The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level
(E), then raise the contoso.com domain functional level to Windows Server 2012 (A).
* (E) To support resources that use claims-based access control, the principal’s domains will need to
be running one of the following:
- All Windows Server 2012 domain controllers.
- Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests.
- Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

What’s New in Kerberos Authentication
http://technet.microsoft.com/en-us/library/hh831747.aspx
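
A readiness check for the requirement in the explanation above, as an added example that is not part of the original page or of Microsoft's documentation: it flags domains whose functional level or domain controller OS versions would block enforcing the KDC setting. The function name `Test-KdcArmoringReadiness`, the domain names and the inventory values are constructed; the rule that enforcement needs the Windows Server 2012 domain functional level follows Microsoft's guidance for this policy and is an assumption here.

```powershell
# Added example. Assumption: the enforcing options of the KDC policy need the
# Windows Server 2012 domain functional level, which in turn needs every DC in
# that domain to run Windows Server 2012 (OS version 6.2) or later.
function Test-KdcArmoringReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Domains,           # DNSRoot, DomainMode
        [Parameter(Mandatory)] [object[]] $DomainControllers  # HostName, Domain, OperatingSystemVersion
    )
    # Domain functional levels that satisfy the requirement
    $readyModes = 'Windows2012Domain', 'Windows2012R2Domain', 'Windows2016Domain'

    foreach ($d in $Domains) {
        # DCs below 6.2 prevent raising the domain functional level
        $blocking = @($DomainControllers |
            Where-Object { $_.Domain -eq $d.DNSRoot } |
            Where-Object { [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.2' })

        [pscustomobject]@{
            Domain      = $d.DNSRoot
            DomainMode  = "$($d.DomainMode)"
            BlockingDCs = $blocking.HostName -join ', '
            CanEnforce  = ($readyModes -contains "$($d.DomainMode)") -and ($blocking.Count -eq 0)
        }
    }
}

# Constructed inventory (hypothetical forest, not the table from the question)
$domains = @(
    [pscustomobject]@{ DNSRoot = 'corp.example';       DomainMode = 'Windows2008R2Domain' }
    [pscustomobject]@{ DNSRoot = 'child.corp.example'; DomainMode = 'Windows2012Domain' }
)
$dcs = @(
    [pscustomobject]@{ HostName = 'dcA.corp.example';       Domain = 'corp.example';       OperatingSystemVersion = '6.1 (7601)' }
    [pscustomobject]@{ HostName = 'dcB.child.corp.example'; Domain = 'child.corp.example'; OperatingSystemVersion = '6.2 (9200)' }
    [pscustomobject]@{ HostName = 'dcC.child.corp.example'; Domain = 'child.corp.example'; OperatingSystemVersion = '6.3 (9600)' }
)

# Live data instead of the sample (requires the ActiveDirectory module):
# $domains = (Get-ADForest).Domains | ForEach-Object { Get-ADDomain -Server $_ }
# $dcs     = $domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_.DNSRoot }

Test-KdcArmoringReadiness -Domains $domains -DomainControllers $dcs | Format-Table -AutoSize
```

With the constructed inventory, the root domain reports `dcA.corp.example` as blocking and `CanEnforce` false, while the child domain reports `CanEnforce` true.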

14 Comments on “Which two actions should you perform?”

  1. Nate says:

    Let me clarify the difference. Number 8 was specifically referencing the child domain. This one is requiring BOTH to have Kerberos Armoring enforced (the sole deciding factor on which to choose).

    In this case, A and E.

    If it only asked for child1.contoso.com, then it would instead be D and B.

    Microsoft likes to throw us curveballs, as we all know. Be ready for those “gotcha” words.




    1. Nate says:

      TDAC, be careful about that. What that’s referring to is the replication across your domain, which could potentially take hours. What that is saying is that once you set the functional level and it goes through on that domain, you can start tinkering with your templates right away.




  2. james says:

    It's said in the question “in both domains” – A, E…. There is also an identical question that said “enforced in the child1.contoso.com domain” — that should be (Upgrade DC11 to Win2k12 and raise the domain functional level of child1.contoso.com).




  3. WhiteNight says:

    The answer is A and E.

    Why? Because after reading https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring it says that you do not have to upgrade 2008 servers if any domain server is 2012 in that domain. The 2008 domain server under that domain will comply thereafter. child1.contoso.com has a 2012 server in the domain already. No need to do anything with those servers.

    dc1.contoso.com does not have a 2012 server so it is required to upgrade to 2012 and to upgrade would also require raising the domain functional level.




  4. Jones says:

    D, E

    To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:

    All Windows Server 2012 domain controllers

    Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests

    Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices

    Additionally, you will need to configure on the domain controller OU, the new KDC support for claims, compound authentication and Kerberos armoring policy with “Supported” or higher setting, and if the client is retrieving claims, configure the new Kerberos client support for claims, compound authentication and Kerberos armoring policy on each client.

    To support access control across forests, the forest root domains need the following:

    All Windows Server 2012 domain controllers. This helps ensure that claims are not lost from trusted forests.

    If users across forests sign in to devices in child domains, you must apply the QFE NetBIOS domain name\username format cannot be used with the Kerberos referral mechanism to log on to a computer in an across forest environment to down-level global catalogs.

    To support access control for branch offices, you need the following:

    If groups or claims are generated from certificate-based sign-ins, sufficient hub domain controllers running Windows Server 2012 for the corresponding branch office read-only domain controllers (RODC) to handle all the Windows 8 device authentication requests for resources outside the branch office.

    For resources that do not sign in to an RODC, sufficient hub domain controllers running Windows Server 2012 for the corresponding branch office user’s RODC. These domain controllers handle all the Windows Server 2012 resource protocol transition requests to support devices that are not running Windows 8.



