Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com.
The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.

A. Raise the forest functional level of contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
E. Raise the forest functional level of admin.contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/deploy-pam-with-windows-server-2016
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels
For the bastion forest which deploys MIM, you should raise the Forest Functional Level to "Windows Server 2016", E is correct.
OK. What about this article?
https://docs.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services#a-namebkmkpamaprivileged-access-management
Privileged access management
Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:
• A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
…bla-bla-bla…
Requirements
• Microsoft Identity Manager
• Active Directory forest functional level of Windows Server 2012 R2 or higher.
5
0
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/high-availability-disaster-recovery-considerations-bastion-environment
If the bastion environment forest functional level is Windows Server 2012 R2, ensure that the MIM PAM component service is also running on that server, using the command net start "PAM Component service".
0
0
The correct answers are A and D. The forest functional level of contoso.com is lower than that of admin.contoso.com; therefore, raising the forest functional level of admin.contoso.com would not resolve that discrepancy. Raising the functional level of contoso.com to Windows 2012 R2 would result in the identical forest functional level for both forests.
5
3
I believe it's C & D.
It should be OK to establish trust with the set functional levels, and I don't think they interfere with the rest of the PAM setup.
13
0
D and F
No need to increase forest functional level. But need to configure a trust between bastion forest and production forest.
0
5
C & D, I believe
8
0
Answer is C and D
Corp must trust admin domain
There is no requirement to raise the functional level
What are the PAM system requirements?
* The management forest has to be Windows Server 2012 R2 with forest functional level set to 2012 R2
https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access-management-pam-faq.aspx
3
0