Which two actions should you perform?

Your network contains an Active Directory forest named contoso.com. The forest contains
two domains named contoso.com and child1.contoso.com. The domains contain three
domain controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A.
Upgrade DC1 to Windows Server 2012 R2.

B.
Upgrade DC11 to Windows Server 2012 R2.

C.
Raise the domain functional level of child1.contoso.com.

D.
Raise the domain functional level of contoso.com.

E.
Raise the forest functional level of contoso.com.

Explanation:
If you want to create access control based on claims and compound authentication, you
need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients
and use the KDC, which support these new authorization types. With Windows Server 2012
R2, you do not have to wait until all the domain controllers and the domain functional level
are upgraded to take advantage of new access control options.
http://technet.microsoft.com/en-us/library/hh831747.aspx
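
An added example, not part of the original page: a read-only PowerShell check of the two things the answer options turn on for a domain, the operating system of every domain controller and the domain functional level. It assumes the ActiveDirectory (RSAT) module and read access to the domain; the function name `Test-KdcEnforcementReadiness` is hypothetical.

```powershell
# Added example: read-only check; needs the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Test-KdcEnforcementReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string] $DomainName
    )

    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName

    # OperatingSystemVersion looks like "6.1 (7601)". 6.2 = Windows Server 2012,
    # the first release whose KDC supports claims and Kerberos armoring.
    $minimum  = [version]'6.2'
    $dcReport = foreach ($dc in $dcs) {
        $osVersion = [version](($dc.OperatingSystemVersion -split ' ')[0])
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            SupportsClaims   = $osVersion -ge $minimum
        }
    }

    # Functional levels below Windows Server 2012 (ADDomainMode enum names).
    $tooLow = 'UnknownDomain', 'Windows2000Domain', 'Windows2003InterimDomain',
              'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain'
    $dflOk  = "$($domain.DomainMode)" -notin $tooLow
    $legacy = @($dcReport | Where-Object { -not $_.SupportsClaims })

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        DomainControllers = $dcReport
        DcsToUpgrade      = $legacy.DomainController
        FunctionalLevelOk = $dflOk
        # Enforcing the setting is only reliable when no pre-2012 DC remains
        # and the domain functional level is Windows Server 2012 or higher.
        EnforcementReady  = ($legacy.Count -eq 0) -and $dflOk
    }
}

# Domain name taken from the question; this only reports, nothing is changed.
Test-KdcEnforcementReadiness -DomainName 'child1.contoso.com' | Format-List
```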





Blake

The domain has to be at 2012 domain functional level. For this to occur, dc11.child1.contoso.com must first be upgraded to 2012 R2.

terry

Blake, B is part of the answers, how about the other one? C or D? I am really confused.

Shaun

Answer is correct, as it is hosted on child domain. Question 95 is similar but does not include that part of the question, so be sure to study both to recognize the difference.

JD

The other question asks for KDC to be supported in both domains so you would definitely have to upgrade DC1 then I think you would have to raise the domain functional level of contoso.com, you’re presuming that child1.contoso.com already has the domain functional level at Win2012 or that would be the next step and the forest functional level is irrelevant as it adds nothing.

So for the other question (I can’t find it on aiotestking) the answers are A & E, the premium file also has this as the answer though I know not all are correct.

How do you copy & paste on here?

Thiago Fernandes A. Costa

JD,

Check this sentence in explanation:

“With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of new access control options.” – It seems you don’t need to raise domain/forest functional levels.

So, in this “both domains” question, you only need to upgrade DC1 and DC11 to Windows Server 2012 R2.

Gareth

Official Microsoft book says “The new features available at the Windows Server 2012 and 2012 R2 domain functional levels are:

KDC support for claims, compound authentication and kerberos armouring”

WhiteNight

JD, you are correct. You would assume that the child1.contoso.com is at the highest functional level since it has 2012. If not, you would have to raise it to support KDC support for claims, compound authentication, and Kerberos armoring.

https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

The answer is:
A. Raise the domain functional level of contoso.com.
E. Upgrade DC1 to Windows Server 2012 R2.

Why? Because after reading https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring, it says that as long as there is a 2012 server in that domain KDC support for claims, compound authentication, and Kerberos armoring will apply to all servers 2008 and up. child1.contoso.com has a 2012 server in that domain. The 2008 server will comply once configured.

DC1.contoso.com only has one server that is 2008 R2. It will need to be upgraded to 2012 R2. To do this, it will also require raising the domain functional level since the highest functional level for the domain is set to 2008 R2. Also required to support KDC support for claims, compound authentication, and Kerberos armoring.

https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

Understanding domain functional levels:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

Kass

B and C
You need to raise the domain functional level of child1.contoso.com to 2012.
DAC is not supported on Windows Server 2008 R2 and earlier.

Shakir

Answer is A and D.

Because the root domain in the forest must be at windows server 2012 level.

Peter

Even if you would upgrade DC1 to 2012 and raise the contoso.com functional level to 2012, KDC would still NOT work for child1 domain, or work intermittently when DC10 authenticates a user. But what if a user is authenticated by DC11 that is still Windows 2008 and does not support KDC?
From: https://technet.microsoft.com/en-us/library/hh831747.aspx
“Always provide claims and Fail unarmored authentication requests options cause intermittent authentication or access control failures if there are any domain controllers not running Windows Server 2012 in the domain. So neither of these options will take effect until the domain is set at the Windows Server 2012 functional level”

James L

As the question states that Kerberos armouring settings must be enforced (in other words, Always Provide Claims) in child1.contoso.com domain the answer is B & C

For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:

• Always provide claims: Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.

See the software requirements section of this article to understand:
https://technet.microsoft.com/en-gb/library/dn408191.aspx

Serg

… enforced = Always provide claims (Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher), so answer is B+C

P.S. and about forest root domain – If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.

joe

seems right to me, agree with what people are saying…

KDC is supported currently but you want it to be enforced, which means upgrading the domain (child domain) so you would need to upgrade DC11 to allow the DFL to be upgraded to 2012