In this section, you'll see one or more sets of questions with the same scenario and problem.
Each question presents a unique solution to the problem, and you must determine whether
the solution meets the stated goals. Any of the solutions might solve the problem. It is also
possible that none of the solutions solve the problem. Once you answer a question in this
section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen. Note: This question is part of a series of questions that present the same
scenario. Each question in the series contains a unique solution. Determine whether the
solution meets the stated goals.
Your network contains an Active Directory forest named contoso.com. The forest contains a
member server named Server1 that runs Windows Server 2016. All domain controllers run
Windows Server 2012 R2. Contoso.com has the following configuration.
You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to
configure device registration. You need to configure Active Directory to support the planned
deployment.
Solution: You run adprep.exe from the Windows Server 2016 installation media.
Does this meet the goal?
A. Yes
B. No
Explanation:
Adprep just prepares the domain for Windows Server 2016; it does not actually raise the domain
functional level to Windows Server 2016, which is required for Device Registration.
Note:
Adprep.exe is a command-line tool that is included on the installation disk of each version of
Windows Server. Adprep.exe performs operations that must be completed on the domain
controllers that run in an existing Active Directory environment before you can add a domain
controller that runs that version of Windows Server. Adprep.exe commands run automatically as
needed as part of the AD DS installation process on servers that run Windows Server 2012 or later.
The commands need to run in the following cases:
* Before you add the first domain controller that runs a version of Windows Server that is later than
the latest version that is running in your existing domain.
* Before you upgrade an existing domain controller to a later version of Windows Server, if that
domain controller will be the first domain controller in the domain or forest to run that version of
Windows Server.
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configuredevice-based-conditional-access-on-premises
Correct. It still requires a 2016 DC.
Wrong, A is the correct answer. All that is needed is 2016 schema, which is satisfied by running adprep.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_4
Domain controller requirements
AD FS requires Domain controllers running Windows Server 2008 or later.
At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.
Note
All support for environments with Windows Server 2003 domain controllers has ended. Visit this page for additional information on the Microsoft Support Lifecycle.
Domain functional-level requirements
All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.
A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user’s account in AD DS.
Schema requirements
New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).
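
A read-only PowerShell check, added here as an example and not taken from the original page or from Microsoft's documentation, that reports the values the explanation and the comments above disagree about: the schema version (against the minimum of 85 quoted above), the domain and forest functional levels, and the operating system of each domain controller. It assumes the ActiveDirectory RSAT module is installed and the session can reach a domain controller; the function name Get-AdfsAdReadiness is hypothetical.

```powershell
# Added example: read-only queries, nothing in the directory is modified.
Import-Module ActiveDirectory

function Get-AdfsAdReadiness {
    param(
        # Minimum schema version stated in the AD FS 2016 requirements quoted on this page
        [int]$RequiredSchemaVersion = 85
    )

    # The schema version is stored in objectVersion on the schema naming context
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Operating system of every domain controller in the current domain
    $dcs = @(Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, IsReadOnly)

    [pscustomobject]@{
        SchemaVersion         = $schema.objectVersion
        SchemaMeetsMinimum    = ($schema.objectVersion -ge $RequiredSchemaVersion)
        DomainMode            = $domain.DomainMode
        ForestMode            = $forest.ForestMode
        DomainControllerCount = $dcs.Count
        DomainControllers2016 = @($dcs | Where-Object { $_.OperatingSystem -like '*2016*' }).Count
        DomainControllers     = $dcs
    }
}

$result = Get-AdfsAdReadiness
$result | Select-Object * -ExcludeProperty DomainControllers | Format-List
$result.DomainControllers | Format-Table -AutoSize
```

Running it before and after adprep shows which of these values the tool changes in a given environment.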