Your network contains an Active Directory domain named contoso.com. All domain
controllers run either Windows Server 2008 or Windows Server 2008 R2.
You deploy a new domain controller named DC1 that runs Windows Server 2012 R2.
You log on to DC1 by using an account that is a member of the Domain Admins group.
You discover that you cannot create Password Settings objects (PSOs) by using Active
Directory Administrative Center.
You need to ensure that you can create PSOs from Active Directory Administrative Center.
What should you do?
A.
Modify the membership of the Group Policy Creator Owners group.
B.
Transfer the PDC emulator operations master role to DC1.
C.
Upgrade all of the domain controllers that run Window Server 2008.
D.
Raise the functional level of the domain.
Explanation:
Fine-grained password policies allow you to specify multiple password policies within a
single domain so that you can apply different restrictions for password and account lockout
policies to different sets of users in a domain. To use a fine-grained password policy, your
domain functional level must be at least Windows Server 2008. To enable fine-grained
password policies, you first create a Password Settings Object (PSO). You then configure
the same settings that you configure for the password and account lockout policies. You can
create and apply PSOs in the Windows Server 2012 environment by using the Active
Directory Administrative Center (ADAC) or Windows PowerShell.
Step 1: Create a PSO
Applies To: Windows Server 2008, Windows Server 2008 R2
http: //technet. microsoft. com/en-us//library/cc754461%28v=ws. 10%29. aspx
Shouldn´t it be C? Because you need to upgrade all DC to 2008r2 and then you can raise the level.
Servers are 2008, no need to upgrade to 2008 R2 for fine-grained password policy
Answer: D
Since the domain functional level is not mentioned this is the most logical answer.
To use a fine-grained password policy, your domain functional level must be at least Windows Server 2008. https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx
Disagree, to use ADAC fine-grained password policy, Servers must be running at least Server 2008 R2 because the fgpp cmdlets changed functionality between 2008 and 2008 R2. That functionality remains the same from 2008 R2 thru Server 2012 R2.
Yes you can create PSOs with Server 2008 using Powershell and ADSIEdit and the Domain functional level must be 2008, but based on the question of using ADAC, raising a functional level is not the answer. The question never stipulates what functional level it is running at. Of course we can assume that at the bare minimum is it running at Domain functional level of 2003 since we were able to install a 2012 server and also could assume the highest domain functional level could be 2008 since that is the lowest level server we have on this question.
Here a link for requirements for ADAC and overview of ADAC and the OSs it supports.
https://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dd560631(v=ws.10).aspx
Good luck to all you Test Takers, use these sites as STUDY materials not a Means to an end.
I’m sorry I forgot to state then answer in my last post.
Answer is C:
Upgrade is the choice you want to make, and the upgrade must be at least Server 2008 R2 for the ADAC policies to function.
from your links theirs no evidence that the PSO’s set from ADAC do not work on windows 2008. Only that ADAC doesn’t run on Windows 2008, which is fine as we’re running ADAC from a windows 2012 server.
Bottomline, do PSOs set from ADAC work? I imagine they do as you’d probably need to raise ur functional level even more if they’ve changed that much. http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
I still go for D. untill i see proof of PSOs created by ADAC don’t work on Windows 2008 DC’s.
https://technet.microsoft.com/nl-NL/library/cc754461.aspx
windows 2008 doesn’t seem to have a powershell command for pso, which is present in 2008r2. But cmdlet is just another interface it doesnt change a thing to the policy itself > still D 🙂
Tricky question. No mention of the functional level and the first line says that all DCs are running 2008/2008R2. So what I take from that is the information that the functional level is 2008.
But when you start reading the options, they make no sense, except for one:
A – Not related with the problem;
B – Searched TechNet and didn’t find any document that obligates you to perform such task on a PDC;
C – Upgrading the DCs won’t make change to functional level;
D – That’s the only option that makes sense. You are probably running you domain on a 2003 functional level, so raise that!
What do you guys think?
I don’t think any of them are really “good” answers, since there’s not really enough information in the question to know for sure, but I agree, I think this one is the “best” answer.
In Windows 2008 you can only control PSOs via PowerShell, in 2008 R2 you can you ADAC. Not sure if you have to upgrade the 2008 DC or whther by transfering a role from the 2008 server to 2008 r2 would be enough?
http://www.unitek.com/training/blog/using-active-directory-administrative-center-adac-in-windows-server-2012-r2/