ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam 70-412 All Questions

View all questions & answers for the 70-412 exam
Go to Exam

Exam 70-412 topic 1 question 8 discussion

Actual exam question from Microsoft's 70-412
Question #: 8
Topic #: 1
[All 70-412 Questions]

Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and childl.contoso.com. The domains contain three domain controllers.
The domain controllers are configured as shown in the following table.

You need to ensure that the KDC support for claims, compound authentication, and kerberos armoring setting is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Upgrade DC1 to Windows Server 2012 R2.
  • B. Upgrade DC11 to Windows Server 2012 R2.
  • C. Raise the domain functional level of childl.contoso.com.
  • D. Raise the domain functional level of contoso.com.
  • E. Raise the forest functional level of contoso.com.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️
The root domain in the forest must be at Windows Server 2012level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to
Windows Server 2012 (D).
(A) To support resources that use claims-based access control, the principals domains will need to be running one of the following:
✑ All Windows Server 2012 domain controllers
✑ Sufficient Windows Server 2012domain controllers to handle all the Windows 8 device authentication requests
✑ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.
References: What's New in Kerberos Authentication
https://technet.microsoft.com/en-us/library/hh831747.aspx.
by demetris at June 25, 2019, 8:58 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ralbertomx
4 years, 5 months ago
It should be B and C, In order to enforce Kerberos armoring and Claims requires Windows Server 2012 domain functional level on the Domain. IN ths case child1.. so need to upgrade the DC to Win 2012 and raise functional level.
upvoted 1 times
...
Ben14
4 years, 9 months ago
I'll go with just A There's no requirements for Functional level, Domain or forest, unless you're using claims across a forest trust. There cant be any servers running 2003, and there must be one 2012 DC in each domain https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831747(v=ws.11)
upvoted 1 times
...
DanStafford
4 years, 12 months ago
Additionally the child domain functional level CAN be higher than the forest functional level: https://social.technet.microsoft.com/Forums/office/en-US/0c54189b-329e-46c4-9d5a-c2e257baf02f/domain-functional-level-for-child-domain?forum=winserverDS
upvoted 2 times
...
DanStafford
5 years, 5 months ago
You would HAVE to upgrade the domain controllers and raise the domain functional level in the CHILD domain in order to ENFORCE the KDC within that domain. Denying claims that do not use it require Win SVR 2012 R2: https://social.technet.microsoft.com/Forums/windowsserver/en-US/1ab3eca9-6d8a-4117-a289-00af159186c3/quotkdc-support-for-claims-compound-authentication-and-kerberos-armoringquot-is-ws-2012?forum=winserver8gen
upvoted 2 times
...
flowbro
5 years, 6 months ago
I think this is poorly worded. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)?redirectedfrom=MSDN "Devices running Windows 8 that do not support claims, compound authentication, and Kerberos armoring should not be configured with claims-based access controls for startup or sign-on services or with claims-based access controls for local files. Access will be denied, and claims will not be available until the domain is configured to the Windows Server 2012 domain functional level and configured to always provide claims."
upvoted 1 times
...
demetris
6 years ago
i think provided answer is wrong. it says about child domain, not root. so correct answer should be B and C. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754918(v=ws.10)
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel