Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows
Server 2012.
The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows
Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of
the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.

A.
From the properties of the trust, enable selective authentication.

B.
Configure contosoadmin.com to trust contoso.com.

C.
Configure contoso.com to trust contosoadmin.com.

D.
From the properties of the trust, enable forest-wide authentication.

E.
Configure a two-way trust between both forests.

Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
Trust configurations – Configure trust from managed forests(s) or domain(s) to the administrative forest
A one-way trust is required from production environment to the admin forest. This can be a domain trust or a
forest trust.
The admin forest/domain (contosoadmin.com) does not need to trust the managed domains/forests
(contoso.com) to manage Active Directory, though additional
applications may require a two-way trust relationship, security validation, and testing.
Selective authentication should be used to restrict accounts in the admin forest to only logging on to the
appropriate production hosts.