HOTSPOT
Your network contains an Active Directory domain named contoso.com. The relevant
servers in the domain are configured as shown in the following table.
You plan to create a shared folder on Server1 named Share1. Share1 must only be
accessed by users who are using computers that are joined to the domain.
You need to identify which servers must be upgraded to support the requirements of Share1.
In the table below, identify which computers require an upgrade and which computers do not
require an upgrade. Make only one selection in each row. Each correct selection is worth one point.
Why must Server1 be upgraded?
Because Server1 is the file server, and it needs to be 2012(R2) to support conditional expressions.
Thanks Raoul.
Ok, Thanks! Didn’t see this one is a DAC Question.
Thanks guys..
I still don’t see it is a DAC question. Please enlighten me 😀
The question states Share1 must only be accessed by users on computers that are connected to the domain. With standard NTFS permissions, a user would still be able to access the folder by authenticating their account at folder access from a non-domain computer. You need DAC to specify domain computers only.
But it doesn’t state in the question that Server1 is a non-domain server, so I don’t get why Server1 would be upgraded over DC3?
It IS a domain server, learn to read or find someone who can read for you.
JD – For the ability to apply domain user permissions to a share created on Server1 it would need to be Domain joined. So there is no need to make a statement regarding its configuration in that respect.
The scenario is that you create a new file share on Server1 and you want to apply conditional logic to the permissions to allow only domain joined PCs to access the share.
To apply conditional logic we must configure Dynamic Access Control.
To use Dynamic Access Control, the forest functional level must be Windows Server 2003, and there must be at least one Windows Server 2012 domain controller per domain.
We can assume from the information provided that we meet the FFL requirement and we know we have at least 1 Win Server 2012 DC
One of the new features in DAC is the conditional security permissions that add Boolean conditions to security principal permissions. While the options in Windows Server 2008 and Windows Server 2012 are the same — Folder/Share Properties | Security Tab | Advanced | Add (to add a user or group) | Edit (to edit permissions on a user or group) — the last screen on Windows Server 2012 is different. The big difference is the conditional statement at the bottom in Windows Server 2012.
By setting a Device permission you can restrict a user to access a share only when logged in to computers that are domain joined. Note carefully though, as far as I know Win 7 PCs can participate in DAC but only Win 8 supports device claims.
It’s important to note that these new permission features can only be set on shares, folders and files on Windows Server 2012, though the permissions will apply to all users.
As we can see, Server1 is running Windows Server 2K8 R2, so we cannot apply conditional logic on the shared folder permissions, hence the reason for the upgrade.
DC3 plays no part in this scenario; it is just a DC running in the domain.
I hope that helps and my research is correct. Any comments please feel free
After reading up it makes sense.
FFL at least 2003
You need at least 1 DC running server 2012 or later
The file server you want to apply this to must be running server 2012 or later
You already have a DC at 2012 so no need to upgrade any of the DCs, you just need to upgrade the file server.
https://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview
This is fine, but nowhere does it say that Server1 is not domain joined or that it’s a new server, just that Share1 is new.
But I guess the answer is correct.
It is not about whether it is domain joined or a new server, all you need to know is the operating system of the server and that it needs to be upgraded.
Answer is correct.
https://technet.microsoft.com/en-us/library/dn408191.aspx
“Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.”
You are all wrong. DFL must be 2012, so DC3 has to be upgraded too.
Doesn’t appear to be required based on how I interpret this:
Always provide claims – Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
Supported – When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
https://technet.microsoft.com/en-us/library/dn408191.aspx
Nope, you should review the technology requirements. You need to upgrade the DCs to 2012+ if you want to issue claims to users and central access policies based on claims. Here just a conditional expression is needed, so upgrading the file server is sufficient.
The requirements for DAC are:
1) For Central Access Policies based on groups – upgrade your file server to Windows 2012+
2) Issue claims to users and central access policies based on claims – upgrade your file servers and domain controllers to 2012+
3) Issue device claims – Upgrade your clients to Windows 8+, upgrade your file servers and domain controllers to 2012+
(taken from http://social.technet.microsoft.com/wiki/contents/articles/22703.implementing-dynamic-access-control-in-windows-2012-r2.aspx)