Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and child1.contoso.com. The domains contain three domain
controllers.
The domain controllers are configured as shown in the following table.
You need to ensure that the KDC support for claims, compound authentication, and Kerberos
armoring setting is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)
A. Upgrade DC1 to Windows Server 2012 R2.
B. Upgrade DC11 to Windows Server 2012 R2.
C. Raise the domain functional level of child1.contoso.com.
D. Raise the domain functional level of contoso.com.
E. Raise the forest functional level of contoso.com.
Explanation:
The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level
(A), then raise the contoso.com domain functional level to Windows Server 2012 (D).
* (A) To support resources that use claims-based access control, the principal’s domains will need to
be running one of the following:
/ All Windows Server 2012 domain controllers
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device
authentication requests
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012
resource protocol transition requests to support non-Windows 8 devices.
What’s New in Kerberos Authentication
http://technet.microsoft.com/en-us/library/hh831747.aspx
If KDC support for claims, compound authentication, and Kerberos
armoring setting has just to be enforced in the child1.contoso.com Domain, then the solution could be B and C.
What do you think?
According to Article https://technet.microsoft.com/en-us/library/hh831747.aspx the Domain functional Level has to be raised in the Domain child1.contoso.com
The root domain must be at 2012 for the child domains to support this
Skippy, this doesn't seem correct. Even if what you assert is true, the domains would not be at 2012 functional level if you did A and D. Contoso would be at the 2012 domain functional level but child1.contoso would not.
Further, I haven't read that the root domain must be at 2012 for the child domains to support this. It is nonsensical.
It can't be A and D. It is B C.
Thanks Skippy, you're right.
You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012.
from
I would go with: B, E
The schema is different than the functional level. The schema must be upgraded to allow the installation of 2012 R2 domain controllers. So we can assume this is already done. I believe the answer is to update the other domain controller in the child domain and then raise the functional level of the child domain.
Sorry, here the link: http://windowsitpro.com/windows-server-2012/enable-claims-support-windows-server-2012-active-directory
You can't raise the forest level until the domain level is first raised. In order to do that you have to have a 2012 R2 DC. Therefore it’s A and D.
Skippy is wrong. It mentions nothing about this.
“You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows Server that the new functional level supports.”
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10)
Yes, Skippy has confused forest functional levels with domain functional levels. It's B and C.
B C
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
Isa,
Now that I look at it I would tend to agree. We must assume the DFL of the child domain is 2008R2. In order for this to be enforced on the child domain we have to upgrade dc11 to at least 2012. From there we raise the DFL to 2012.
That makes sense
You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.
I’d go with Clever4ever, B and C.
As per https://technet.microsoft.com/en-us/library/hh831747.aspx …
Configuration: Always provide claims
Results: All domain controllers advertise support for claims and compound authentication for Dynamic Access Control and Kerberos armoring
Requires Windows Server 2012 domain functional level
DC behavior in Windows Server 2012:
Claims always provided
Compound authentication provided on request when resource supports it
Kerberos armoring supported and Flexible Authentication via Secure Tunneling (RFC FAST) behavior supported
Answer is B C. You can raise the domain functional level of a child domain to a value that's equal to or higher than the parent, and the child domain needs Server 2012.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/c82f85be-e279-4731-a1cd-ae7b02d01c14/domain-and-forest-functional-level-upgrade?forum=winserverDS
I chose B&C off the bat and was surprised to see the answer (It’s wrong).
If you have a forest with multiple domain partitions each partition can run at a higher level than the forest. Just not lower.
This is due to the Schema Database being forest wide.
I think it is B & C as well. I’ve seen another similar question that asks about implementing KDC in the contoso domain, and I think the answers supplied here would be correct for that question.
I can’t find anything that says the root domain has to be 2012 to support it.
Configuration 3: Device-based access control needed, but cannot wait until all domain controllers can be upgraded
This configuration will be unique to your environment and can be difficult to support when Windows 8 devices have different configurations.
General requirements for all environments:
If across-forest trusts exist, then root domain must have all Windows Server 2012 domain controllers (a cross-forest trust exists in this scenario)
For each domain which provides claims and compound authentication on request, there cannot be Windows Server 2003 domain controllers
For resources using device-based access control, receiving compound authentication must be enabled unless a central access policy is being used.
https://technet.microsoft.com/en-us/library/hh831366(v=ws.11).aspx
Domain Functional Level: Windows Server 2012
Available features:
The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.
DC OS versions supported on DFL Server 2012:
Windows Server 2012 R2
Windows Server 2012
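
Added example, not part of the original question or any comment: a PowerShell check of the two conditions quoted above, namely that every domain controller in a domain runs Windows Server 2012 or later and that the domain functional level is at least Windows Server 2012. The function name, sample host names and OS versions are constructed for illustration (the DC table from the question is not reproduced on this page).

```powershell
# Added example: readiness check for the KDC policy settings that require
# Windows Server 2012 domain functional level (DFL).
function Test-KdcClaimsReadiness {
    param(
        [Parameter(Mandatory)] [string]   $DomainMode,       # e.g. 'Windows2008R2Domain'
        [Parameter(Mandatory)] [object[]] $DomainController  # needs HostName, OperatingSystemVersion
    )
    # Functional levels in ascending order, spelled as the ADDomainMode enum spells them.
    $levels = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain',
              'Windows2012Domain', 'Windows2012R2Domain', 'Windows2016Domain'
    $minOs  = [version]'6.2'   # Windows Server 2012 reports OS version 6.2

    # A DC older than Windows Server 2012 blocks raising the DFL to 2012.
    $blocking = @($DomainController | Where-Object {
        $v = "$($_.OperatingSystemVersion)" -replace '\s*\(.*$'   # '6.1 (7601)' -> '6.1'
        -not $v -or ([version]$v -lt $minOs)                      # unknown version counts as blocking
    })

    # An unrecognised level yields index -1 and is treated as too low.
    $current  = [array]::IndexOf($levels, $DomainMode)
    $required = [array]::IndexOf($levels, 'Windows2012Domain')

    [pscustomobject]@{
        DomainMode             = $DomainMode
        BlockingDCs            = @($blocking | ForEach-Object { $_.HostName })
        CanRaiseDflTo2012      = ($blocking.Count -eq 0)
        DflMeetsPolicyMinimum  = ($current -ge $required)
    }
}

# Constructed sample input (illustrative values, not the question's table).
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc-a.child1.contoso.com'; OperatingSystemVersion = '6.3 (9600)' }
    [pscustomobject]@{ HostName = 'dc-b.child1.contoso.com'; OperatingSystemVersion = '6.1 (7601)' }
)
Test-KdcClaimsReadiness -DomainMode 'Windows2008R2Domain' -DomainController $sampleDcs

# Against a live domain (requires the ActiveDirectory module):
# $d   = Get-ADDomain -Identity child1.contoso.com
# $dcs = Get-ADDomainController -Filter * -Server $d.DNSRoot
# Test-KdcClaimsReadiness -DomainMode $d.DomainMode -DomainController $dcs
# Set-ADDomainMode -Identity $d -DomainMode Windows2012Domain   # only once CanRaiseDflTo2012 is True
```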