Microsoft 70-647 practice question: What should you recommend?
Your company has an Active Directory forest that contains 250 domains.
All domain controllers run Windows Server 2003. The forest functional level is Windows 2000. The domain functional level is Windows 2000 mixed.
You are planning to migrate the domain controllers in only one domain to Windows Server 2008 R2.
You need to ensure that Kerberos can be encrypted with Advanced Encryption Standard (AES) after the migration.
What should you recommend? (More than one answer choice may achieve the goal. Select the BEST answer).
A. Raise the domain functional level to Windows Server 2008.
B. Raise the forest functional level to Windows Server 2003.
C. Raise the forest functional level to Windows Server 2008 R2.
D. Raise the domain functional level to Windows Server 2003.
Correct Answer: A
Explanation/Reference:
Kerberos AES support is a domain functional level feature, not a forest functional level feature, and it arrives with the Windows Server 2008 domain functional level. Raising only the migrated domain to Windows Server 2008 (A) therefore meets the goal, and it is possible because that is the one domain whose domain controllers will all run Windows Server 2008 R2. Raising the forest functional level to Windows Server 2008 R2 (C) would require every one of the 250 domains to already be at that domain functional level, which the domains still running Windows Server 2003 domain controllers cannot reach. B and D stay below Windows Server 2008 and do not enable AES. See:
http://technet.microsoft.com/en-us/library/cc749438(v=ws.10).aspx
This Windows Vista and Windows Server 2008 security enhancement enables the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. This enhancement includes the following changes from Windows XP:
AES support for the base Kerberos authentication protocol. The base Kerberos protocol in Windows Vista supports AES for encryption of ticket-granting tickets (TGTs), service tickets, and session keys.
AES support for the Generic Security Service (GSS)-Kerberos mechanism. In addition to enabling AES for the base protocol, GSS messages (which conduct client/server communications in Windows Vista) are protected with AES.
Domain functional level: Windows Server 2008
Features: all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following:
Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.
Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
Fine-grained password policies, which make it possible for password policies and account lockout policies to be specified for users and global security groups in a domain.
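Raising the level is necessary but not sufficient in practice: a TGT is encrypted with the krbtgt account's key, and an account only holds AES keys if its password was set after the domain reached the Windows Server 2008 level, so the krbtgt password has to be reset once after the raise and other accounts pick up AES keys at their next password change. The following PowerShell is an added example, not part of the original question or of Microsoft's reference text. It assumes the ActiveDirectory RSAT module on a domain-joined Windows Server 2008 R2 or later host and an account permitted to read the krbtgt object; the function names are chosen here for illustration, and the raise itself is left commented out because it is one-way.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module and a domain-joined host; Get-AccountEncTypes and
# ConvertFrom-EncTypeMask are illustrative names defined below.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes. The two AES bits are what the
# question is about; the weaker types are listed so that they stand out.
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function ConvertFrom-EncTypeMask {
    param([Nullable[int]]$Mask)
    if (-not $Mask) { return '(attribute not set)' }
    ($EncTypeFlags | Where-Object { $Mask -band $_.Bit } |
        ForEach-Object { $_.Name }) -join ', '
}

function Get-AccountEncTypes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                -Properties 'msDS-SupportedEncryptionTypes', 'pwdLastSet'
    if (-not $acct) { throw "No object with sAMAccountName '$SamAccountName'" }
    $mask = $acct.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account            = $SamAccountName
        EncryptionTypes    = ConvertFrom-EncTypeMask $mask
        AttributeAllowsAes = [bool]($mask -band 0x18)   # either AES bit
        PasswordLastSet    = [DateTime]::FromFileTime($acct.pwdLastSet)
    }
}

$domain = Get-ADDomain
"Domain $($domain.DNSRoot) is at functional level $($domain.DomainMode)"

# 1. The level must be Windows2008Domain or higher before the KDC will issue
#    AES-protected tickets. Raising it cannot be undone, hence commented out.
# Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain

# 2. krbtgt: the TGT is encrypted with this account's key, so its password
#    must have been set after the raise. If PasswordLastSet predates it,
#    reset the krbtgt password once (and again later, per normal hygiene).
Get-AccountEncTypes -SamAccountName 'krbtgt'

# 3. A service-side account: computers joined from Vista/2008 onward publish
#    their supported types here. For plain user accounts the attribute is
#    commonly unset and the KDC then applies its own defaults, so an unset
#    value on a user is not by itself a problem.
Get-AccountEncTypes -SamAccountName "$env:COMPUTERNAME$"

# 4. Ground truth for this session: the TGT's "KerbTicket Encryption Type"
#    should read AES-256-CTS-HMAC-SHA1-96 rather than RSADSI RC4-HMAC(NT).
#    A stale ticket from before the change needs "klist purge" and a new logon.
klist tgt
```

If step 4 still shows RC4 after the level is raised and krbtgt has been reset, the usual causes are a client older than Windows Vista, a session that has not re-authenticated since the change, or a target service whose account has not had a password change since the domain reached Windows Server 2008 level.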