Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012.
All servers run Windows Server 2016.
You create a new bastion forest named admin.contoso.com.
The forest functional level of admin.contoso.com is Windows Server 2012 R2.
You need to implement a Privileged Access Management (PAM) solution.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Raise the forest functional level of contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
E. Raise the forest functional level of admin.contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/deploy-pam-with-windows-server-2016
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels
For the bastion forest which deploys MIM, you should raise the Forest Functional Level to "Windows Server 2016". E is correct.
OK. What about this article?
https://docs.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services#a-namebkmkpamaprivileged-access-management
Privileged access management
Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:
• A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
…bla-bla-bla…
Requirements
• Microsoft Identity Manager
• Active Directory forest functional level of Windows Server 2012 R2 or higher.
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/high-availability-disaster-recovery-considerations-bastion-environment
If the bastion environment forest functional level is Windows Server 2012 R2, ensure that the MIM PAM component service is also running on that server, using the command net start "PAM Component service".