Your network contains an Active Directory domain named contoso.com. The functional level
of the domain and the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based
authentication.
You need to recommend changes to the network to ensure that Active Directory can provide
claims for App1.
What should you include in the recommendation? (Each correct answer presents part of the
solution. Choose all that apply.)
A. From the properties of the computer accounts of the domain controllers, enable Kerberos constrained delegation.
B. From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos armoring setting.
C. Deploy Active Directory Lightweight Directory Services (AD LDS).
D. Raise the domain functional level to Windows Server 2012.
E. Add domain controllers that run Windows Server 2012.
I thought answer D should be included. I was wrong. The requirement is to use claims-based authentication, which implies the use of user claims only. No device claims are needed. For user claims only, domain functional level 2008 R2 is enough.
Correct answer: B, E
E: You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012. You can do so manually through Adprep, but Microsoft strongly recommends that you add the AD DS role to a new Server 2012 server or upgrade an existing DC to Server 2012.
B: Once AD can support claims, you must enable them through Group Policy:
1. From the Start screen on a system with AD admin rights, open Group Policy Management and select the Domain Controllers Organizational Unit (OU) in the domain in which you wish to enable claims.
2. Right-click the Default Domain Controllers Policy and select Edit.
3. In the Editor window, drill down to Computer Configuration, Policies, Administrative Templates, System, and KDC (Key Distribution Center).
4. Open KDC support for claims, compound authentication, and Kerberos armoring.
5. Select the Enabled radio button. Supported will appear under Claims, compound authentication for Dynamic Access Control and Kerberos armoring options.
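A read-only check of the two items in this answer (domain controller OS versions for E, the KDC policy state for B), written as an added PowerShell example that is not part of the original posts. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the GPO's XML report lists the setting under the name shown in step 4.

```powershell
# Added example (not from the original thread). Read-only; changes nothing.
# Assumes RSAT: the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$gpoName     = 'Default Domain Controllers Policy'  # GPO edited in step 2
$settingName = 'KDC support for claims*'            # setting opened in step 4

# Option E: list every DC and flag those on Windows Server 2012 (6.2) or later.
# OperatingSystemVersion has the form "6.1 (7601)"; keep only major.minor.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    $ver = [version]($_.OperatingSystemVersion -replace '\s*\(.*$', '')
    [pscustomobject]@{
        HostName        = $_.HostName
        OperatingSystem = $_.OperatingSystem
        Is2012OrLater   = $ver -ge [version]'6.2'
    }
}

# Functional levels, reported as found in the environment.
$domainMode = (Get-ADDomain).DomainMode
$forestMode = (Get-ADForest).ForestMode

# Option B: read the GPO's XML report and find the KDC setting by name.
# Namespace prefixes vary between reports, so match on local element names.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$kdcPolicy = $report.SelectNodes("//*[local-name()='Policy']") | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.SelectSingleNode("*[local-name()='Name']").InnerText
        State = $_.SelectSingleNode("*[local-name()='State']").InnerText
    }
} | Where-Object { $_.Name -like $settingName }

# One summary object, then the per-DC detail.
[pscustomobject]@{
    DomainMode       = $domainMode
    ForestMode       = $forestMode
    DCsTotal         = @($dcs).Count
    DCs2012OrLater   = @($dcs | Where-Object Is2012OrLater).Count
    KdcClaimsSetting = if ($kdcPolicy) { $kdcPolicy.State } else { 'Not configured in GPO' }
}
$dcs | Format-Table -AutoSize
```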
I don't understand your answer…
You select E because “you must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012….”
But in order to upgrade the forest, first you must upgrade the domain functional level to Windows 2012, so answer D must be selected
Raise the domain functional level to Windows Server 2012 must be selected as well, I reckon.
Claims-based authentication refers to DAC.
They both require 2012 DFL
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy requires Windows Server 2012 domain functional level.
Wojtek is correct. Upgrading the domain functional level is not required:
“With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of new access control options.”
https://technet.microsoft.com/en-us/library/hh831747.aspx
+1
Raising the Domain Functional Level is not required.