What should you include in the recommendation?

Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.
You need to recommend changes to the network to ensure that Active Directory can provide claims for App1.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)

Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.
You need to recommend changes to the network to ensure that Active Directory can provide claims for App1.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)

A.
From the properties of the computer accounts of the domain controllers, enable Kerberos constrained delegation.

B.
From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos armoring setting.

C.
Deploy Active Directory Lightweight Directory Services (AD LDS).

D.
Raise the domain functional level to Windows Server 2012.

E.
Add domain controllers that run Windows Server 2012.

Explanation:
E: You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012. You can do so manually through
Adprep, but Microsoft strongly recommends that you add the AD DS role to a new Server 2012 server or upgrade an existing DC to Server 2012.
B: Once AD can support claims, you must enable them through Group Policy:
1. From the Start screen on a system with AD admin rights, open Group Policy Manage- ment and select the Domain Controllers Organizational Unit (OU) in the
domain in which you wish to enable claims.
2. Right-click the Default Domain Controllers Policy and select Edit.
3. In the Editor window, drill down to Computer Configuration, Policies, Administrative Templates, System, and KDC (Key Distribution Center).
4. Open KDC support for claims, compound authentication, and Kerberos armoring.
5. Select the Enabled radio button. Supported will appear under Claims, compound authen- tication for Dynamic Access Control and Kerberos armoring options

Enable Claims Support in Windows Server 2012 Active Directory

Show Hint

Leave a Reply 1

Your email address will not be published. Required fields are marked *

eraser

eraser

As others previously suggested, correct:

“Support for claims, compound authentication, and Kerberos armoring
If you want to create access control based on claims and compound authentication, you need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support these new authorization types. With Windows Server 2012, you DO NOT HAVE TO WAIT until all the domain controllers and the DOMAIN functional LEVEL are UPGRADED to take advantage of new access control options.”

https://technet.microsoft.com/en-us/library/hh831747.aspx

Reply