Which two actions should you perform?

CORRECTED (Previously BD)Your network contains an Active Directory forest named contoso.com. The forest
contains two domains named contoso.com and childl.contoso.com. The domains contain three domain
controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting
is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

CORRECTED (Previously BD)Your network contains an Active Directory forest named contoso.com. The forest
contains two domains named contoso.com and childl.contoso.com. The domains contain three domain
controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting
is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.
Upgrade DC1 to Windows Server 2012 R2.

B.
Upgrade DC11 to Windows Server 2012 R2.

C.
Raise the domain functional level of child1.contoso.com.

D.
Raise the domain functional level of contoso.com.

E.
Raise the forest functional level of contoso.com.

Explanation:
If you want to create access control based on claims and compound authentication, you need to deploy
Dynamic Access Control. This requires that you upgrade to Kerberos clients and use the KDC, which support
these new authorization types. With Windows Server 2012 R2, you do not have to wait until all the domain
controllers and the domain functional level are upgraded to take advantage of new access control options
http://technet.microsoft.com/en-us/library/hh831747.aspx.Identity and Access



Leave a Reply 1

Your email address will not be published. Required fields are marked *


Chris

Chris

Answer B & C as shown.
Reason is we are ENFORCING settings, which requires a 2012 domain level (for the enforcement), and upgrading all DCs in the domain to 2012 to prevent sporadic authentication failures.