You need to enable the Kerberos AES encryption option

Your company has two Active Directory forests named contoso.com and fabrikam.com.
Both forests run only domain controllers that run Windows Server 2008.
The domain functional level of contoso.com is Windows Server 2008.
The domain functional level of fabrikam.com is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?

A.
Raise the forest functional level of fabrikam.com to Windows Server 2008.

B.
Raise the domain functional level of fabrikam.com to Windows Server 2008.

C.
Raise the forest functional level of contoso.com to Windows Server 2008.

D.
Create a new forest trust and enable forest-wide authentication.

Explanation:
Answer. Raise the domain functional level of fabrikam.com to Windows Server 2008.
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest
capabilities. They also determine which Windows Server operating systems you can run on domain controllers
in the domain or forest. However, functional levels do not affect which operating systems you can run on
workstations and member servers that are joined to the domain or forest.
..
Features that are available at domain functional levels
..
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level,
and the following features are available:
..
* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for
TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the
domain password needs to be changed.

Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx
Kerberos Enhancements
..
Requirements
All Kerberos authentication requests involve three different parties: the client requesting a connection, the
server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to
protect the various messages.
This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messages
and data structures that are exchanged among the three parties. Typically, when the parties are operating
systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the
parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP,
or Windows Server 2003, the exchange will not use AES.


