Your network contains an Active Directory domain named contoso.com. The functional level of the domainand
the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.
You need to recommend changes to the network to ensure that Active Directory can provide claims for Appl.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose
all that apply.)
A.
Deploy Active Directory Lightweight Directory Services (AD LDS).
B.
From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos
armoring setting.
C.
From the properties of the computer accounts of the domain controllers, enable Kerberos constrained
delegation.
D.
Raise the domain functional level to Windows Server 2012.
E.
Add domain controllers that run Windows Server 2012.
Explanation:
Dyamic Access Control
http://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server- 2012-dynamicaccess-control.aspx
kerberos armoring setting
http://technet.microsoft.com/en-us/library/hh831747.aspx
B and E in my opinion
An organization doesn’t need to upgrade all of its file servers to Windows Server 2012 in order to implement DAC. As long as there’s one new file server running a Windows Server 2012 domain controller, the organization can implement DAC.
https://redmondmag.com/articles/2013/01/01/group-control.aspx
http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2012-domain-controller-within-windows-200320082008r2-network/