Your network contains an Active Directory domain named contoso.com. All domain controllers run
either Windows Server 2008 or Windows Server 2008 R2.
You deploy a new domain controller named DC1 that runs Windows Server 2012 R2.
You log on to DC1 by using an account that is a member of the Domain Admins group.
You discover that you cannot create Password Settings objects (PSOs) by using Active Directory
Administrative Center.
You need to ensure that you can create PSOs from Active Directory Administrative Center.
What should you do?
A.
Modify the membership of the Group Policy Creator Owners group.
B.
Transfer the PDC emulator operations master role to DC1.
C.
Upgrade all of the domain controllers that run Window Server 2008.
D.
Raise the functional level of the domain.
Explanation:
Fine-grained password policies allow you to specify multiple password policies within a single
domain so that you can apply different restrictions for password and account lockout policies to
different sets of users in a domain. To use a fine-grained password policy, your domain functional
level must be at least Windows Server 2008. To enable fine-grained password policies, you first
create a Password Settings Object (PSO). You then configure the same settings that you configure for
the password and account lockout policies. You can create and apply PSOs in the Windows Server
2012 environment by using the Active Directory Administrative Center (ADAC) or Windows
PowerShell.
Step 1: Create a PSO
Applies To: Windows Server 2008, Windows Server 2008 R2httpHYPERLINK “http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#_blank”:
//technetHYPERLINK “http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#_blank”.
microsoftHYPERLINK “http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#_blank”.
com/en-us//library/cc754461%28v=wsHYPERLINK “http://technet.microsoft.com/enus/library/cc754461(v=ws.10).aspx#_blank”. 10%29HYPERLINK “http://technet.microsoft.com/enus/library/cc754461(v=ws.10).aspx#_blank”. aspx
So, we should asume that DFL is WS2003R2 or older? This is not a fair question. Question clearly states that it contains 2008 and 2008R2 servers, so it should be fine. These questions do not test your skills, it tests your ability to question the questions and find the “loophole” in each and every one of them.
I partially agree with you.. it can be annoying sometimes..
However, it also states that you are logged in as a domain admin whereas the DFL is not literally stated…
Tricky question. No mention of the functional level and the first line says that all DCs are running 2008/2008R2. So what I take from that is the information that the functional level is 2008.
But when you start reading the options, they make no sense, except for one:
A – Not related with the problem;
B – Searched TechNet and didn’t find any document that obligates you to perform such task on a PDC;
C – Upgrading the DCs won’t make change to functional level;
D – That’s the only option that makes sense. You are probably running you domain on a 2003 functional level, so raise that!
Agree with answer. PSO changes are only available via powershell or group policy before 2012. Question states that you must configure it so that the ADAC can be used to create/edit PSOs, which can only be done if domain level is 2012 or above.
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements–level-100-
______ Summary of link
What’s new? In Windows Server 2012 , fine-grained password policy management is made easier and more visual by providing a user interface for AD DS administrators to manage them in ADAC. Administrators can now view a given user’s resultant policy, view and sort all password policies within a given domain, and manage individual password policies visually.
Most of what you said is correct. In this case the domain functional level would need to be 2008. You can’t raise it to 2012 if there are domain controllers on an older OS. 2008 DFL is all that is needed, it’s just you can only use ADAC on a 2012 or later server.