PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and childl.contoso.com. The domains contain three domain
controllers. The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in both domains.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)


A. Raise the domain functional level of contoso.com.
B. Raise the domain functional level of childl.contoso.com.
C. Raise the forest functional level of contoso.com.
D. Upgrade DC11 to Windows Server 2012 R2.
E. Upgrade DC1 to Windows Server 2012 R2.

Explanation:
The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level (E), then raise the contoso.com domain functional level to Windows Server 2012 (A).

(E) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:
• All Windows Server 2012 domain controllers.
• Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests.
• Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.

Reference: What’s New in Kerberos Authentication
http://technet.microsoft.com/en-us/library/hh831747.aspx
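
The requirements in the explanation can be checked per domain before the KDC policy is set to an enforcing option. The following is an added example, not part of the original page or of Microsoft's documentation; the function name `Get-KdcArmoringReadiness` and the status strings are hypothetical, and it assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example, not from the original page. Needs the ActiveDirectory (RSAT) module
# and read access to a domain controller in every domain of the forest.
Import-Module ActiveDirectory

function Get-KdcArmoringReadiness {
    param(
        # Assumption: defaults to the forest of the logged-on user.
        [string]$Forest = (Get-ADForest).Name
    )
    $dfl2012 = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain

    foreach ($name in (Get-ADForest -Identity $Forest).Domains) {
        $domain = Get-ADDomain -Identity $name -Server $name
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)

        # OperatingSystemVersion looks like "6.3 (9600)"; 6.2 is Windows Server 2012.
        $old = @($dcs | Where-Object {
            [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.2'
        })

        # Classify the domain by DC operating systems first, then by functional level.
        $state = if ($old.Count -eq $dcs.Count) {
            'No 2012+ DC: the KDC cannot issue claims or armor requests'
        } elseif ($domain.DomainMode -lt $dfl2012) {
            'DFL below 2012: enforcing options fall back to Supported'
        } else {
            'DFL 2012+: Always provide claims / Fail unarmored can take effect'
        }

        [pscustomobject]@{
            Domain      = $name
            DomainMode  = $domain.DomainMode
            DCs         = $dcs.Count
            Pre2012DCs  = ($old.HostName -join ', ')
            Enforcement = $state
        }
    }
}

Get-KdcArmoringReadiness | Format-Table -AutoSize -Wrap
```

Any domain that lists a host under `Pre2012DCs` cannot be raised to the Windows Server 2012 functional level until those domain controllers are upgraded or demoted.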

13 Comments on “Which two actions should you perform?”

  1. Banes says:

    I’m going with B & D.

    It’s just as the explanation says except that the principal domain is the child domain in this case. The root domain needs to be 2012 if these services are going across forests.




  2. pikapoka says:

    I believe the given answer is correct.

    To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:
    • All Windows Server 2012 domain controllers
    • Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests
    • Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.
    Principal domain in our case is contoso (parent) and not contoso.child1 (child domain).

    Also, pay attention that Q is asking:
    “You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in BOTH domains.”

    If we would be asked for support in child domain then B & D would be correct.
    (that is what Q no.9 in this test is asking)




  3. tilke says:

    I’m pretty sure it’s D & E. The technet article linked by GuraM states that to support Kerberos armoring, KDC support for claims and compound authentication only requires a 2012 DC, not 2012 DFL.




    1. Chris says:

      tilke is correct.
      Answer: D & E
      They are enforcing the requirement in the question.

      The below comment was taken from the technet link provided by GuraM and enforces the answer of D & E (because of the enforced requirement):
      Always provide claims and Fail unarmored authentication requests options cause intermittent authentication or access control failures if there are any domain controllers not running Windows Server 2012 in the domain. So neither of these options will take effect until the domain is set at the Windows Server 2012 functional level. Until then, domain controllers running Windows Server 2012 will behave as if the Supported option is configured.




    2. Chris says:

      Actually, the correct answer is A, D, & E.
      All domain controllers need to be 2012 (to prevent authentication failures) & domain functional level needs to be 2012 (to enable Always provide claims and Fail unarmored authentication requests).

      Since it is a choose 2 question, I would go with A & E, which would lead to sporadic authentication failures. Bad question.




  4. tilke says:

    Sorry, it must be A & E surely? The child domain can already handle the KDC requests as it has a 2012 DC. Upgrade the DC in contoso so that it also now has a 2012 DC and can handle requests. Then upgrade the DFL of the root domain.




  5. Chris says:

    Answer: A & E
    This answer is due to the following part of the question:
    You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is ENFORCED in both domains.

    These are requirements for DAC. I spent quite a bit of time unsuccessfully looking for DAC requirements on technet. Details I found from other sites stated it would work with a Forest Functional Level of 2003 and Domain Functional Level of 2008. It does require at least 1 2012 DC in each domain.

    The below comment was taken from the technet link provided by GuraM and enforces the answer of A & E (because of the enforced requirement):
    Always provide claims and Fail unarmored authentication requests options cause intermittent authentication or access control failures if there are any domain controllers not running Windows Server 2012 in the domain. So neither of these options will take effect until the domain is set at the Windows Server 2012 functional level. Until then, domain controllers running Windows Server 2012 will behave as if the Supported option is configured.




    1. Chris says:

      CORRECTION: ANSWER IS D & E
      Answer is D & E not A & E.
      See above post for reason why. It is not a Forest Functional Level or Domain Functional Level issue, it is that EVERY DC needs to be 2012.




      1. Chris says:

        …actually it is A, D, & E.
        Been looking at this too long now….
        All domain controllers need to be 2012 (to prevent authentication failures) & domain functional level needs to be 2012 (to enable Always provide claims and Fail unarmored authentication requests).



