Your network contains an Active Directory forest.
The forest contains one domain named adatum.com. The domain contains three domain controllers.
The domain controllers are configured as shown in the following table.
DC2 has all of the domain-wide operations master roles.
DC3 has all of the forest-wide operation master roles.
You need to ensure that you can use Password Settings objects (PSOs) in the domain.
What should you do first?
A.
Uninstall Active Directory from DC1.
B.
Change the domain functional level.
C.
Transfer the domain-wide operations master roles.
D.
Transfer the forest-wide operations master roles.
Explanation:
In Windows Server 2008 and later, you can use fine-grained password policies to specify multiple
password policies and apply different password restrictions and account lockout policies to
different sets of users within a single domain.
Note: In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could
apply only one password and account lockout policy, which is specified in the domain’s Default
Domain Policy, to all users in the domain. As a result, if you wanted different password and
account lockout settings for different sets of users, you had to either create a password filter or
deploy multiple domains. Both options were costly for different reasons.
Q96: You need to ensure that you can use Password Settings objects (PSOs) in the domain.
The answer is:
B. Change the domain functional level.
Why? Because after reading this https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx, it states that, “The domain functional level must be Windows Server 2008”.
So, it doesn’t matter if you uninstall Active Directory from DC1, you would still be required to change the domain functional level to 2008.
The three domain controllers are on the same domain, “Adatum.com”. You do not need to migrate the active directory because it synchronized across all three domain controllers in advanced. To utilize PSO, you will need to have the DFL set to 2008. Then you can uninstall active directory and decommission the 2003 server or use it for a file server, printer server, or whatever.
I know what some of you are thinking… “If a windows 2003 domain server is on my domain, can I raise the DFL to 2008?” The answer is yes, you can. See here: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx. Under, “Features that are available at the domain functional levels”.
So you see, the question is not about Active Directory, it’s about the requirements for PSO.
0
3
By the way… that’s the wrong picture. There is no DC4.
0
2