Which two actions should you perform?

Your network contains an Active Directory forest named contoso.com. The forest contains
two domains named contoso.com and child1.contoso.com. The domains contain three
domain controllers. The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in both domains.

Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Raise the domain functional level of contoso.com.
B. Raise the domain functional level of child1.contoso.com.
C. Raise the forest functional level of contoso.com.
D. Upgrade DC11 to Windows Server 2012 R2.
E. Upgrade DC1 to Windows Server 2012 R2.

Explanation:
The root domain in the forest must be at the Windows Server 2012 domain functional level. First upgrade DC1 to
Windows Server 2012 R2, then raise the contoso.com domain functional level to Windows Server 2012.
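The whole discussion below turns on two prerequisites: the "Supported" setting only needs one Windows Server 2012 domain controller in a domain, while "Always provide claims" and "Fail unarmored authentication requests" need the Windows Server 2012 domain functional level, which cannot be raised while any 2008 R2 DC remains. The following PowerShell is an added example, not part of the question or its explanation, that checks both conditions for every domain in the forest and shows the raise step guarded by -WhatIf. It assumes the RSAT ActiveDirectory module and read rights in each domain; the function name Test-KdcClaimsReadiness is made up for this example.

```powershell
# Added example (not from the original page): assess each domain in the forest
# against the prerequisites for the KDC claims/compound auth/armoring setting.
Import-Module ActiveDirectory

function Test-KdcClaimsReadiness {
    param([Parameter(Mandatory)][string]$DomainName)

    $domain = Get-ADDomain -Identity $DomainName

    # OperatingSystemVersion looks like "6.1 (7601)" for 2008 R2 and "6.3 (9600)" for 2012 R2;
    # anything at or above 6.2 is Windows Server 2012 or later.
    $dcs = @(Get-ADDomainController -Filter * -Server $DomainName | ForEach-Object {
        [pscustomobject]@{
            HostName   = $_.HostName
            OS         = $_.OperatingSystem
            Is2012Plus = [version]($_.OperatingSystemVersion -replace '\s.*$', '') -ge [version]'6.2'
        }
    })
    $modernDcs = @($dcs | Where-Object { $_.Is2012Plus })
    $legacyDcs = @($dcs | Where-Object { -not $_.Is2012Plus })

    # DomainMode is an ADDomainMode enum; Windows2012Domain and above satisfy the policy requirement.
    $dflIs2012Plus = [int]$domain.DomainMode -ge
        [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain

    [pscustomobject]@{
        Domain                   = $DomainName
        DomainFunctionalLevel    = $domain.DomainMode
        DomainControllers        = $dcs.Count
        Pre2012DCs               = @($legacyDcs | ForEach-Object { $_.HostName })
        SupportedSettingWorks    = $modernDcs.Count -gt 0        # "Supported": one 2012+ DC is enough
        AlwaysProvideClaimsWorks = $dflIs2012Plus                 # "Always provide claims" / "Fail unarmored": DFL 2012 required
        CanRaiseDflTo2012        = ($legacyDcs.Count -eq 0) -and (-not $dflIs2012Plus)  # every DC must be 2012+ first
    }
}

# Run for every domain in the forest (here that would be contoso.com and child1.contoso.com).
$report = (Get-ADForest).Domains | ForEach-Object { Test-KdcClaimsReadiness -DomainName $_ }
$report | Format-List

# Raise the DFL only where the report says it is possible. Drop -WhatIf to apply;
# raising a functional level is not something you roll back casually.
foreach ($r in ($report | Where-Object { $_.CanRaiseDflTo2012 })) {
    Set-ADDomainMode -Identity $r.Domain -DomainMode Windows2012Domain -WhatIf
}
```

For the scenario in the question, a domain with a 2008 R2 DC reports SupportedSettingWorks only if it also has a 2012 DC, AlwaysProvideClaimsWorks as false, and CanRaiseDflTo2012 as false until the 2008 R2 DC listed under Pre2012DCs has been upgraded or demoted.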


artis

It must be D and E. The question requires it in both domains, so after raising the domain functional level, the child contoso domain will still be a 2008 R2 domain, so no Kerberos armoring there.

guym

To enforce Kerberos armoring, the domain functional level must be 2012. So the answer would be A and B (which would imply D and E as well). Not sure, though.

artis

To have the new 2012 server features you need to have all servers at 2012 R2 in all required domains. It does not require the domain level to be raised.

Skippy

Artis,

This is wrong. In order to have these features the DFL must be at least 2012

artis

Question 193 has almost the same wording, but only the child domain, not both.

Blake

This was taken from a book I have:

To use claims-based authorization, you need the following:
• Windows Server 2012 must be installed on the file server that hosts the resources that DAC protects.
• At least one Windows Server 2012 domain controller must be accessible by the requesting client.
• If you use claims across a forest, you must have a Windows Server 2012 domain controller in each domain.
• If you use device claims, clients must run Windows 8.

A question in the same book indicates:

Identify the minimum domain function level (2003, 2008, 2008 R2, or 2012) for the specified feature…

KDC support for claims – 2012

So the answer is A and E.

E because you must upgrade the domain controller to 2012 R2 to raise the functional level of the domain to the necessary level, and A because 2012 domain functional level is required for KDC support for claims.

Upgrading dc11.child1.contoso.com is not necessary because there is already a Server 2012 R2 server in the child domain (dc10).

Ebrahim Ali

Blake,

You mean it should be C and E, because C raises the forest functional level, not A, which raises only the domain functional level.

Mark

kill yourself!

bigfly

The key to the question here is that it must be enforced in both domains. Since it must be enforced, you have to upgrade the domain controller of contoso.com.

https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring

Supported:
• All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring
• Requires sufficient domain controllers running Windows Server 2012 to handle the authentication requests for devices running Windows 8 in the domain

Always provide claims:
• All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring
• Requires Windows Server 2012 domain functional level.

I saw nowhere that it stated a forest functional level had to be raised… I would imagine that you would have to raise the forest functional level at some point.

The new Windows Server 2012 domain functional level enables one new feature: the KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see Support for claims, compound authentication, and Kerberos armoring.

The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any new domain created in the forest will automatically operate at the Windows Server 2012 domain functional level…

GabrielPrest

Your explanation is awesome.
“Upgrading dc11.child1.contoso.com is not necessary because there is already a Server 2012 R2 server in the child domain (dc10).”

JeanMalot

It escapes you that if Domain Functional Level is WS2012 (which is a requirement for KDC support for claims, compound authentication, and Kerberos armoring), all DCs in the domain must be WS2012 or above.
So even if one WS2012 DC is enough for DAC, both are actually needed for KDC policy enforcing.
Since we only have two options I would go with D and E.

WhiteNight

Blake, you are correct!

The answer is A and E

Why? Because after reading https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring, it says that as long as there
is a 2012 server in that domain, KDC support for claims, compound authentication, and Kerberos armoring will apply to all servers 2008 and up. child1.contoso.com has
a 2012 server in that domain. The 2008 server will comply once configured.

DC1.contoso.com only has one server, and that is 2008 R2. It will need to be upgraded to 2012 R2. To do this, it will also require raising the domain functional level,
since the highest functional level for the domain is set to 2008 R2.

https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

kolambe

Thanks Blake, Good point.

Liron

Yes, it is correct. Premium version 30.0, Dec 27, 2014:
1. Raise the domain functional level of contoso.com.
2. Upgrade DC1 to Windows Server 2012 R2.

BitterSysAdmin

Hey asshole. I have a Premium dump and do you know how many questions are WRONG and duplicated? So far over 80 questions are wrong/dupe.

Premium means jack shit. Stop being a naive little cunt.

mahmoud

If we agree that it is required to raise the functional level of both domains for them to support the required features, then the first step would be to upgrade the domain controllers' functional levels, so the answer would be D, E. Else, if we say that it is not necessary to upgrade DC11 due to the existence of another 2012 server in the child domain, then we would agree on E, but which domain do we raise the level of????

Sakile

This question is incorrect.

Suzie

We have to assume that the contoso.com domain functional level is 2008 R2 and the child domain is 2008 R2. We have to assume that the forest functional level is 2008 R2.

We cannot raise the domain functional level any higher than the lowest DC level in the domain. So, we cannot raise contoso.com to anything higher than 2008 R2 unless we also raise the DC. Same with the child domain.

In this case, I would think that raising the DC in both domains would be the way to go. Kerberos armouring can be set to enforced with a DC with a lower domain functional level than 2012.

I would say to raise the domain controllers… so the answer would be D and E. The thing is that it has to be enforced in both domains.

Support for claims, compound authentication, and Kerberos armoring

If you want to create access control based on claims and compound authentication, you need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support these new authorization types. With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of new access control options.

As well, the forest functional level has to be assumed to be 2008 R2. It cannot be raised any higher than the lowest domain functional level.

To me, I am going with upgrading the DC in both domains.

GabrielPrest

“Upgrading dc11.child1.contoso.com is not necessary because there is already a Server 2012 R2 server in the child domain (dc10).” Blake

At least one 2012 is necessary

SirAsksAlot

I agree. The question clearly states that you need to ENSURE that the setting is enforced in BOTH domains.

From the Microsoft Official Course 20412D textbook:
“Windows Server 2012 domain functional level does not implement new features from Windows 2008 R2 functional level, with one exception: If the key distribution center (KDC) support for claims, compound authentication, and Kerberos armoring is configured for Always provide claims or Fail unarmored authentication requests, these functionalities will not be enabled until the domain is also set to Windows Server 2012 level.”

So, since we need to ensure the settings are enforced in both domains, I would think both domains need to be raised to 2012. But the thing is, is A & B the correct answer or is D & E enough? D & E should raise the functional level of the domain automatically.

Steven

I’m almost positive that you would need to raise the domain functional level of contoso.com. Mainly, because 1.) the forest functional level seems to be set at Windows Server 2008, and 2.) the domain functional level would need to be set at Windows Server 2012 for the features required to work. So, this would involve upgrading DC1 and raising the domain functional level.

Steven

The forest functional level has no effect on the features that are required, only the domain functional level.

Suzie

I see what is being said here. Remember, we are not needing to "fail unarmored requests", which would require the upgrade in the domain level. We are only looking for "supported".

Suzie

Which does not require the domain functional level to be 2012.

Akoachi

Hum: “You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in both domains.”

GabeS

Same question, #8:

Ensure KDC support for claims, compound authentication, and Kerberos armoring setting is enforced in child1.contoso.com domain

Answer on question #8:
B. Upgrade DC11 to Windows Server 2012 R2
C. Raise domain functional level of child1.contoso.com

Joe

But this only enforces it in the child domain, both domains need upgrading.

Peter Korterink

It’s A and C. See

Peter Korterink

https://technet.microsoft.com/en-us/library/hh831747.aspx

sysadmin

If you want to create access control based on claims and compound authentication, you need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support these new authorization types. With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of new access control options.

https://technet.microsoft.com/en-us/library/hh831747.aspx

The answer is correct.

lpj

So what is the answer?

Samer Mustafa

Folks,
I think it should be D & E. Please refer to the following link:
https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring

Always provide claims:

All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring
Requires Windows Server 2012 domain functional level

Claims always provided
Compound authentication provided on request when resource supports it
Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported

Since it is required to have the Windows 2012 R2 DFL, you need to upgrade all domain controllers to Windows 2012 R2.

Thiago Fernandes A. Costa

I think the answer is A & E because the question says that "…setting is enforced in both domains".

Assuming DC10 is already a WS 2012 R2 DC and the PDC emulator in the Child1.Contoso.com domain, you only need to upgrade DC1 (for Contoso.com support) and raise the root Contoso.com functional level because it's a necessary configuration.

“Always provide claims – Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.” – https://technet.microsoft.com/en-us/library/dn408191.aspx

andrius

Windows Server 2012
The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.
Supported OS: Windows Server 2012 R2, Windows Server 2012
As the question says "for both domains", this means all machines in both domains have to be upgraded to a minimum of Server 2012 to be able to raise the functional level.

answer should be D, E

Pirulo

If you have A then you forcefully need E, that's it.

noname

The question is bull****. For armouring to be enforced (always provide claims): "All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring. Requires Windows Server 2012 domain functional level" AND

"Always provide claims and Fail unarmored authentication requests options cause intermittent authentication or access control failures if there are any domain controllers not running Windows Server 2012 in the domain. So neither of these options will take effect until the domain is set at the Windows Server 2012 functional level. Until then, domain controllers running Windows Server 2012 will behave as if the Supported option is configured."

So all domains need to be 2012. So you would have to upgrade DC1 and DC11 and upgrade both domains.

So the answer is D, E, A, B.

https://technet.microsoft.com/en-us/library/hh831747.aspx

Joe

I agree, a load of bull****

I don’t understand how you can be expected to pass these exams with stupid questions like this.

For this setting to be SUPPORTED you need at least one 2012 DC in the domain.
For it to be ENFORCED the DFL must be 2012 or higher.
To be able to raise the DFL to 2012 all DCs must be at least 2012.
So the steps you need to take are D & E (upgrade the DCs) and then A & B (raise the DFLs).

If it said "what should you do first" it would most likely be D & E, but "what should you do" is a really unfair thing to ask, because you would do all 4 in reality! Maybe they are wanting us to know that both DFLs need to be 2012, so they want A & B?

Question 8 is similar but only wants the child domain to enforce it, so in that case you are able to select upgrade the DC and then raise DFL.

Impossible to know the correct answer on this one, fingers crossed it doesn’t come up in the exam!

Joe

The only reason I would probably go with A and E are that in the explanation for this question it says:
“The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to
this level, then raise the contoso.com domain functional level to Windows Server 2012.”
Although I think this is wrong it is the only reason I can find for only selecting 2 options.

joe

Passed this exam on Tuesday with 723… As I thought this question came up! Still no idea if I got it right or not

VCEplayer

I’m getting a feeling that the question is wrong. To me, it should probably say “What should you do ‘first’ ”
I’ll go with the same answers as Joe, A and E as this is what the explanation says too.

lucasdrums

The answer provided is wrong. This is from the official MS book:
“The Windows Server 2012 domain functional levels support only domain controllers running
Windows Server 2012. It includes all of the features of Windows Server 2008 R2 domain
functional mode, and includes Key Distribution Center (KDC) support for claims, compound
authentication, and Kerberos armoring. By using a KDC administrative template policy setting,
you can configure domain controllers to support claims and compound authentication
for Dynamic Access Control and Kerberos armoring by using Kerberos authentication.”

So before raising the functional level of each domain to Windows 2012 (you need at least one Windows 2012 DC in each domain for KDC support, etc) you need to upgrade the DC from 2008 to 2012. So answer is D and E. No more arguing

snfonseka

We cannot just raise one domain and ignore the other. If there is a requirement to raise the domains, A and E only raise the contoso.com domain. So the answer must be D and E.

Niko

Looking at the question and the answers you can pretty straightforwardly say that there is either something missing or something is incorrect. If you need to ENFORCE them in both domains you will need to upgrade both domains to 2012 R2, which leads to A, B, D, E (C is just wrong, no need to explain), which leads to:
1 – You must select 4 options
2 – The question is incomplete / incorrect.
If you go through all possible dumps you can see how the questions evolve, such as:
http://www.aiotestking.com/microsoft/which-two-actions-should-you-perform-770/
which has (what we can assume is) the correct definition "enforced in the child1.contoso.com domain", which would lead to B & D as the correct answer.
Be careful how that is phrased on the exam.

David

I guess if the question is:
- what should you perform first –> then choose D, E
- what two actions should you perform –> then choose A, B
As the question states "settings enforced in both domains", our goal is to raise the functional levels in both domains, which is A, B, but to achieve A, B we first need to do D, E.

randy

The answer is A&E
Requirements for claims enforced (MS translation – Always Provide claims)
1 – all DCs must be 2012
2 – domain functional level must be 2012
Note the question states the 2 answers are part of the solution (bad wording and can be interpreted in different ways)

The reason the answer is A&E is because the root domain of a forest has to be upgraded first before you can upgrade a child domain.
Note- I know that the complete answer is Step E, A then Step D, B, but they only want the first 2 steps in the solution

Skippy

This is a complete BS question. It's totally vague. The question should state… "What two actions should you do first". Either that or make it a hotspot question where you need to drag the answers in order.

My opinion is this. In order to raise the DFL you must upgrade the DCs first to support it. So I would say upgrade the DCs first, then raise the DFL of the FRD and then raise the DFL of the child domain.

Based on what the question states I'm upgrading the DCs first. You can't do any DFL raising until the DCs are upgraded… period.

imfusio

Good point. That really removes a few of the possible answers.

So KDC support requires the 2012 Domain Functional Level…
And you can't increase the Domain Functional Level to 2012 while there are 2008 R2 DCs.

Since there are 2008 R2 DCs in both domains, this leaves us with only 2 answers:
D. Upgrade DC11 to Windows Server 2012 R2. (allows the functional level to increase to 2012)
E. Upgrade DC1 to Windows Server 2012 R2. (requires at least one 2012 DC, and allows the functional level to increase to 2012)

Ts_0208

“Upgrade Domain Controllers to Windows Server 2012”
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels
The new Windows Server 2012 domain functional level enables one new feature: the KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see Support for claims, compound authentication, and Kerberos armoring.
B) “What’s New in Kerberos Authentication”
http://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring
Support for claims, compound authentication, and Kerberos armoring
If you want to create access control based on claims and compound authentication, you need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support these new authorization types. With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of new access control options.

Ts_0208

I think the answer is correct because, as mentioned in the answer: "The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to
this level, then raise the contoso.com domain functional level to Windows Server 2012."
And as child1.contoso.com already has a DC running WS2012R2, and we don't need all DCs to run WS2012R2 to use KDC, I think A & E is correct.

Hermann Davila

I had a similar question. This is the correct answer.

You want to use the new features of Key Distribution Center (KDC) support for claims, compound authentication, and Kerberos armoring in your domain. What must you do first? (Choose two answers)

A. Raise the domain functional level to Windows Server 2012 and install at least one Windows Server 2012 domain controller

Alexandre Ferreira

Correct Answer: AE
To use claims-based authorization, you need the following:
• Windows Server 2012 must be installed on the file server that hosts the resources that DAC protects.
• At least one Windows Server 2012 domain controller must be accessible by the requesting client.
• If you use claims across a forest, you must have a Windows Server 2012 domain controller in each domain.
• If you use device claims, clients must run Windows 8.
A question in the same book indicates:
Identify the minimum domain function level (2003, 2008, 2008 R2, or 2012) for the specified feature…
KDC support for claims – 2012
So the answer is A and E.
E because you must upgrade the domain controller to 2012 R2 to raise the functional level of the domain to the necessary level, and A because 2012
domain functional level is required for KDC support for claims.
Upgrading dc11.child1.contoso.com is not necessary because there is already a Server 2012 R2 server in the child domain (dc10).

kurt

where is hassan ?

Marshal Bullymore

lol

Progenitor

There are a number of possible solutions, depending on the interpretation of the question itself. Never make the mistake of expecting MS to ask for the "technically correct" answer, but the best possible answer (mostly with regard to the new feature). Given only 2 selections and having that in mind, I'm sticking hard to the text, so – for me – the best possible solution to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting is ENFORCED (and not just "supported") in both domains is raising the DFL in the root and child domain.

A. Raise the domain functional level of contoso.com.
B. Raise the domain functional level of child1.contoso.com.

I'm aware that raising the domain level cannot be done as long as the domain runs DCs with 2008 R2, but I imply that raising the DFL includes upgrading the DCs. Furthermore, as this feature is only available at the 2012 DFL, raising the DFLs is the most logical choice.

WhiteNight

Q93: You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in both domains.

The answer is:
A. Raise the domain functional level of contoso.com.
E. Upgrade DC1 to Windows Server 2012 R2.

Why? Because after reading https://technet.microsoft.com/en-us/library/d7d7f393-6ca8-4ade-88a9-802d51717952#BKMK_Sup4ClaimsCAarmoring, it says that as long as there is a 2012 server in that domain, KDC support for claims, compound authentication, and Kerberos armoring will apply to all servers 2008 and up. child1.contoso.com has a 2012 server in that domain. The 2008 server will comply once configured.

DC1.contoso.com only has one server, and that is 2008 R2. It will need to be upgraded to 2012 R2. To do this, it will also require raising the domain functional level, since the highest functional level for the domain is set to 2008 R2.

Understanding domain functional levels:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

Avraam

Tricky one..
The question exists in two (2) instances and states that "The Kerberos client support for claims, compound authentication and Kerberos armoring" (quite a mouthful, from now on "The Setting") must be ENFORCED (1) in the Child1 domain and (2) in BOTH.

Checking this post:
https://technet.microsoft.com/en-us/library/hh831747(v=ws.11).aspx

The Setting has three (3) configurations (not counting UNSUPPORTED): (1) SUPPORTED, (2) ALWAYS PROVIDE CLAIMS & (3) FAIL UNARMORED AUTHENTICATION REQUESTS.

To USE The Setting you have to select

(1) SUPPORTED
Requires AT LEAST ONE WS2012 DC present in the domain.
DC Behavior:
-Claims provided on request
-Compound authentication provided on request when resource supports it
-Kerberos armoring supported

(2) ALWAYS PROVIDE CLAIMS
Requires Windows Server 2012 domain functional level
DC Behavior:
-Claims always provided
-Compound authentication provided on request when resource supports it
-Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported

(3) FAIL UNARMORED AUTHENTICATION REQUESTS
Requires Windows Server 2012 domain functional level
DC Behavior:
-Claims always provided
-Compound authentication provided on request when resource supports it
-Rejects unarmored Kerberos messages and supports the Flexible Authentication via Secure Tunneling (RFC FAST) behavior

To “ENFORCE” The Setting you need to choose (1) or (2) or (3) ?????.

To do so, raising the domain functional level (DFL) is required, in the domain that uses The Setting.

Thus the one instance of this question (enforce to child.contoso) needs only the child domain to be raised to 2012 DFL resulting in two actions:

-Upgrade DC11.child.contoso.com to WS2012
-Raise the child.contoso.com DFL (which could be done in the previous step)

In the other instance of this question, the one that is here (enforce in both domains), leads to a “dead end” because we need both DFLs at 2012 and, as a prerequisite, BOTH DC1 & DC11 upgraded. But IMO there’s an implied solution.

-Upgrade DC11.child.contoso.com to WS2012.
-Upgrade DC1.contoso.com to WS2012.

What about the DFLs?
You can raise them after the DCs upgrade process.

What do you think?

Joebotics

Stupidly tricky question… what do they mean with “enforcing” KDC support in both domains?..

Look at the GPO configuration
(Computer configuration – Policies – Administrative Templates -System – KDC
KDC support for claims, compound authentication and Kerberos Armoring)

Options
Supported -> does not require Windows 2012 Domain Functional Level
Always Provide Claims -> REQUIRE Windows 2012 Domain Functional Level
Fail unarmored authentication requests -> REQUIRE Windows 2012 Domain Functional Level

So, does "enforcing" mean selecting "Supported" in the GPO??
Or is it "Always Provide Claims" / "Fail unarmored authentication requests"????

If the question is limited to just “Supported” then all we need is at least “one” Windows 2012 DC on each domain… that means you only have to upgrade DC1.contoso.com in order to at least have one DC running W2012 in contoso.com… child1.contoso.com already has a W2012 DC… but that means selecting just one “action”:

E. Upgrade DC1 to Windows Server 2012

BUT!!!.. the question is asking for two actions.. so I have to assume that the question is asking how to actually ENFORCE.. that means BOTH domains MUST be at Windows 2012 Domain Functional Level.. which means ALL Domain Controllers must be Windows 2012.. therefore you have to upgrade DC1.contoso.com and dc11.contoso.com (and then upgrade domain functional level:

D. Upgrade DC11 to Windows Server 2012 R2.
E. Upgrade DC1 to Windows Server 2012 R2.

The reality is that if they are asking to ENFORCE.. the complete answer would be:

D. Upgrade DC11 to Windows Server 2012 R2.
E. Upgrade DC1 to Windows Server 2012 R2.
A. Raise the domain functional level of contoso.com.
B. Raise the domain functional level ofchildl.contoso.com.

all these actions can be executed in certain sequences.. to add to the confusion…

After all this analysis.. I still don’t know what the correct answer is.. LOL

B

Testing this out on a Hyper-V server now. I'm going to guess the answer is correct, as *I think* KDC won't need everything to be at the W2012 R2 functional level.

What I have done:

1) Created 3 VMs, "TEST-DC-01", "CH-TEST-DC-01" & "CH-TEST-DC-02" (to recreate the example)
2) TEST-DC-01 was set up first, with 2008 R2.
3) CH-TEST-DC-01 was set up second, W2012 R2, and joined to the domain; installed AD services, promoted to a DC, where I thereby added a domain to an existing forest (child.test.com)
4) I inserted the W2012 R2 evaluation disk into TEST-DC-01, copied the F:\Sources\ADPrep folder to the Desktop of the DC so I could run the following:
5) (CMD as Admin… I changed directory to the folder I copied onto the Desktop) ".\adprep.exe /domainprep \test.com" (the user I was running CMD as was Domain Admin, Schema Admin & Enterprise Admin)
6) That's as far as I got… but what I'm going to do now is add the third VM (Child-DC-02, which is 2008 R2, to the child.test.com domain)
7) Going to enable KDC on TEST-DC-01 via Default Domain Policy
8) Then going to create a DAC claim of "Department" with a value of "Information Technology" and apply it to my Admin user
9) Restart the DC (maybe overkill… but I don't know so much about "klist purge" etc.)
10) Log back on to TEST-DC-01 and run "whoami /claims" from CMD and see if the claim value of department/information technology is shown. If yes…
11) Log onto the other DCs, both Child-dc-01 (W2012), and ensure it shows there…
12) Log onto child-dc-02 and see if it shows there.

Conclusion: if it goes according to plan, then the given answer is correct.

Will post my results
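Steps 7 to 12 of B's lab, and the three-way Supported / Always provide claims / Fail unarmored choice that Avraam and Joebotics list, can be driven from PowerShell on a Windows Server 2012 R2 DC. The block below is an added example, not B's own commands and not from the original page. It assumes a Domain Admin session on the 2012 R2 DC, the RSAT ActiveDirectory module, and that the registry values named in the comments are what the two Group Policy settings (KDC support for claims, compound authentication and Kerberos armoring; Kerberos client support for claims, compound authentication and Kerberos armoring) write, per Kdc.admx and Kerberos.admx. Verify that mapping against the ADMX files in your own environment; linking a GPO to the Domain Controllers OU, as B does with Default Domain Policy, remains the supported way to deploy it.

```powershell
# Added example (not from B's post or the original page): enable the KDC setting,
# define a Department claim, and prepare to verify it with whoami /claims.
Import-Module ActiveDirectory

# KDC side. Assumption: the GPO writes EnableCbacAndArmor (1 = policy on) and
# CbacAndArmorLevel: 1 = Supported, 2 = Always provide claims,
# 3 = Fail unarmored authentication requests. Levels 2 and 3 only take effect
# at the Windows Server 2012 domain functional level; level 1 needs one 2012 DC.
$kdc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'
New-Item -Path $kdc -Force | Out-Null
Set-ItemProperty -Path $kdc -Name EnableCbacAndArmor -Value 1 -Type DWord
Set-ItemProperty -Path $kdc -Name CbacAndArmorLevel  -Value 1 -Type DWord   # Supported

# Kerberos client side, on the machine where whoami /claims will be run
# (here the same DC). Assumption: same value name under the Kerberos key.
$krb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
New-Item -Path $krb -Force | Out-Null
Set-ItemProperty -Path $krb -Name EnableCbacAndArmor -Value 1 -Type DWord

# A user claim type sourced from the AD "department" attribute. Claim types live
# in the Configuration partition, so the definition is visible forest-wide.
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'Department'")) {
    New-ADClaimType -DisplayName 'Department' -SourceAttribute department
}

# Give the test account the value the claim should carry.
Set-ADUser -Identity $env:USERNAME -Department 'Information Technology'

# Claims are issued in the TGT and copied into the logon token at logon, so a
# purge alone does not update the current session; log off and on (or reboot,
# as B did) before checking.
klist purge | Out-Null
Write-Host 'Log off and on again, then run:  whoami /claims'
```

After a fresh logon, whoami /claims on a Windows Server 2012 or Windows 8 machine should list a Department claim carrying Information Technology. whoami /claims does not exist on 2008 R2, which matches what B observes further down, so that DC cannot be used to check the result even once the domain is configured.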

B

Right, so I came across an issue at step 6.

I cannot add VM3 (child-test-dc-02) to the child.test.com domain… the PDC is 2012, and so is the functional level… so I cannot add a W2008 R2 DC to this domain.

Microsoft went out of their way with this setup.

What I'm going to do now is decommission child-test-dc-01… recreate it as a W2008 R2 VM… so that the child.test.com domain becomes hosted by 2x W2008 R2 DCs… I will then run ADPrep on CHILD-TEST-DC-01 and upgrade to 2012.

I have noticed already that performing an upgrade 2008>2012 does not guarantee the 2012 domain functional level. That is an additional step. Given the fact that I cannot install 2008 into a 2012 domain, and whilst it is possible to set up a 2008 DC, add a 2012 DC to that domain… THEN transfer the FSMO role of PDC… the functional level is still 2008!

Given the fact that KDC requires a domain functional level of 2012… and that essentially test.com and child.test.com are two separate logical entities… THIS IS SURPRISINGLY SIMPLE…

Surely the answer is D & E… since both domains will require the DCs to be upgraded… to then be able to upgrade the domain functional level… which is in turn required for KDC.

B

Right, I'm rambling… but hopefully you guys will follow the story I'm painting (no doubt thinking what an idiot!)

Looking at this website… https://technet.microsoft.com/en-us/library/hh831747(v=ws.11).aspx

Specifically, the section under "What works differently"

It says "Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests" (bear with me… I'm thinking this will apply to CHILD.TEST.COM)

Then it says (applies to TEST.COM):

To support access control across forests, the forest root domains need the following:
All Windows Server 2012 domain controllers. This helps ensure that claims are not lost from trusted forests.
If users across forests sign in to devices in child domains, you must apply the QFE "NetBIOS domain name\username format cannot be used with the Kerberos referral mechanism to log on to a computer in an across forest environment" to down-level global catalogs.

So now… I have demoted the W2012 R2 controller I had in the CHILD.TEST.COM domain; I am redeploying both as W2008 and then performing ADPREP/upgrade on DC01… so then theoretically… we have "enough W2012 DCs to handle the claims" from the root domain.

If this is the case…which I will test steps (7)-(12)…then the provided answer is correct once again!

B

https://ibb.co/ffJ7ua

A + E is correct answer

As you can see… when I log into the 2008 domain functional level child domain… on the 2012 DC… claims from the root domain, 2012 domain functional level… supported.

The 2008 DC didn't recognise the whoami /claims command. The PDC for the child domain, however, is the 2012 R2; therefore, claims would be processed via…

It took many hours to get there… no doubt it could have been done much faster.

For those who actually read this story – I hope this puts the doubts to bed.