Your network contains an Active Directory forest named contoso.com. The forest contains
two domains named contoso.com and childl.contoso.com. The domains contain three
domain controllers.
The domain controllers are configured as shown in the following table.
You need to ensure that the KDC support for claims, compound authentication, and kerberos
armoring setting is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A.
Upgrade DC1 to Windows Server 2012 R2.
B.
Upgrade DC11 to Windows Server 2012 R2.
C.
Raise the domain functional level ofchildl.contoso.com.
D.
Raise the domain functional level of contoso.com.
E.
Raise the forest functional level of contoso.com.
Explanation:
If you want to create access control based on claims and compound authentication, you
need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients
and use the KDC, which support these new authorization types. With Windows Server 2012
R2, you do not have to wait until all the domain controllers and the domain functional level
are upgraded to take advantage of new access control options
http://technet.microsoft.com/en-us/library/hh831747.aspx.
B. Upgrade DC11 to Windows Server 2012 R2.
C. Raise the domain functional level of child1.contoso.com.
KDC support for claims, compound authentication, and kerberos
armoring are Features that where introduced with Windows Server 2012. Therefor we need to upgrade the 2008 R2 DC in child1.contoso.com and raise the functional Level.
We already have a 2012 DC in child1.contoso.com
The issue is with the root domain. To be able to support KDC claims in both domains we need to upgrate DC1 to Windows Server 2012 and raise the DFL – so.. AD?