You need to enable the Kerberos AES encryption option

Your company has two Active Directory forests named contoso.com and fabrikam.com. Both
forests run only domain controllers that run Windows Server 2008. The domain functional
level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com
is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?

A. Raise the forest functional level of fabrikam.com to Windows Server 2008.

B. Raise the domain functional level of fabrikam.com to Windows Server 2008.

C. Raise the forest functional level of contoso.com to Windows Server 2008.

D. Create a new forest trust and enable forest-wide authentication.

Explanation:
Answer: Raise the domain functional level of fabrikam.com to Windows Server 2008.

http://technet.microsoft.com/en-us/library/understanding-active-directory-functionallevels%28v=ws.10%29.aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain
or forest capabilities. They also determine which Windows Server operating systems you
can run on domain controllers in the domain or forest. However, functional levels do not
affect which operating systems you can run on workstations and member servers that are
joined to the domain or forest.
..
Features that are available at domain functional levels
..
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain
functional level, and the following features are available:
..
* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.
In order for TGTs to be issued using AES, the domain functional level must be Windows
Server 2008 or higher and the domain password needs to be changed.

Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx
Kerberos Enhancements
..
Requirements
All Kerberos authentication requests involve three different parties: the client requesting a
connection, the server that will provide the requested data, and the Kerberos KDC that
provides the keys that are used to protect the various messages.
This discussion focuses on how AES can be used to protect these Kerberos authentication
protocol messages and data structures that are exchanged among the three parties.
Typically, when the parties are operating systems running Windows Vista or Windows
Server 2008, the exchange will use AES. However, if one of the parties is an operating
system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or
Windows Server 2003, the exchange will not use AES.
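
A read-only check of the condition this question turns on, as an added example that is not part of the original page or of the quoted Microsoft documentation: it reports each domain's functional level and decodes the encryption types recorded on that domain's trust objects. It assumes the RSAT ActiveDirectory module and read access to both domains; the function names are hypothetical, and the bit values are those of the msDS-SupportedEncryptionTypes attribute.

```powershell
# Added example: read-only audit, makes no changes to either domain.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # Return the name of every encryption type whose bit is set in the mask.
    $EncTypes.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-KerberosAesReadiness {
    param([Parameter(Mandatory)][string[]]$DomainName)

    # Lowest domain functional level at which AES is available for Kerberos.
    $minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

    foreach ($name in $DomainName) {
        $domain = Get-ADDomain -Identity $name -Server $name

        # Trust objects (trustedDomain) are stored in the domain's System container.
        $trusts = Get-ADObject -Server $name -SearchBase $domain.SystemsContainer `
            -LDAPFilter '(objectClass=trustedDomain)' `
            -Properties 'msDS-SupportedEncryptionTypes'

        foreach ($t in $trusts) {
            # A missing attribute is read as 0 here (no encryption type recorded).
            $mask = [int]$t.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Domain         = $domain.DNSRoot
                DomainMode     = $domain.DomainMode
                LevelAllowsAes = $domain.DomainMode -ge $minMode
                Trust          = $t.Name
                TrustEncTypes  = (ConvertFrom-EncTypeMask $mask) -join ','
                TrustHasAes    = [bool]($mask -band 0x18)
            }
        }
    }
}

Get-KerberosAesReadiness -DomainName 'contoso.com', 'fabrikam.com' | Format-Table -AutoSize
```

In the scenario above, the fabrikam.com row would show `LevelAllowsAes` as False until its domain functional level is raised.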


