PrepAway - Latest Free Exam Questions & Answers

Which type of trust policy should you create?

Your network contains an Active Directory forest named adatum.com.
The forest contains an Active Directory Rights Management Services (AD RMS) cluster.
A partner company has an Active Directory forest named litwareinc.com.
The partner company does not have AD RMS deployed.
You need to ensure that users in litwareinc.com can consume rights-protected content from adatum.com.
Which type of trust policy should you create?

A. A federated trust

B. A trusted user domain

C. A trusted publishing domain

D. Windows Live ID

Explanation:
In AD RMS, rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to share access to rights-protected content with another organization without having to establish a separate Active Directory trust or Active Directory Rights Management Services (AD RMS) infrastructure.
http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc738707(v=WS.10).aspx

http://technet.microsoft.com/en-us/library/cc757344(v=ws.10).aspx

3 Comments on “Which type of trust policy should you create?”

  1. bob says:

    The biggest problem I see with this question is it does not state that adatum.com or litwareinc.com employs AD FS. Without AD FS, there cannot be a federated trust.

    I actually think the answer for this question is D. Unless the question is missing something, it does not say anything about either company using AD FS, so a federated trust cannot be implemented. A Windows Live ID trust can be implemented, but would require a trusted user domain setup with Microsoft’s RMS service to accept credentials.

    In conclusion, I think this question is incomplete.




    1. John says:

      Had to look this up, but from the TechNet article AD RMS Prerequisites https://technet.microsoft.com/en-us/library/dd772659(v=ws.10).aspx

      Microsoft Active Directory Federated Services is not required to install or use AD RMS. Using AD RMS with AD FS can provide the following benefits:

      Provides AD RMS services integration to be used on Business-to-Business scenarios or multiple forest scenarios

      That being said, I also found this on the TechNet article for AD RMS and Server Design
      https://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx

      Cross-Boundary Collaboration Considerations

      AD RMS can extend its services to other organizations or forests. AD RMS manages multi-forest scenarios using trust policies settings. You can add trust policies so that AD RMS can process licensing requests for content that was rights-protected by a different AD RMS cluster. You can define the following trust policies:

      Windows Live ID:
      Allows an AD RMS user to send rights-protected content to a user with a Windows Live ID. The Windows Live ID user will be able to consume rights-protected content from the AD RMS cluster that has trusted Windows Live ID, but the Windows Live ID user will not be able to create content that is rights-protected by the AD RMS cluster.

      Trusted user domains (TUD):
      Allows the AD RMS certification cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS certification cluster.

      Trusted publishing domains (TPD):
      Allows one AD RMS cluster to issue use licenses against publishing licenses that were issued by a different AD RMS cluster.

      Active Directory Rights Management Services with ADFS:
      This can be useful if one forest does not have AD RMS installed, but its users need to consume rights-protected content from another forest. This is the recommended connection method between two partners running Windows Server 2008 or later.

      There is that last line saying it is the recommended option. Also, considering the Windows Live ID is by individual and not necessarily by forest, it would lead me to believe the federated trust answer would be correct, assuming they wanted to set up a trust between the forests; otherwise it would be the Live ID. That being said, this is literally the only time I have seen Live ID pop up for anything while talking about implementing and administering a server environment, so I wouldn’t trust it as a viable answer.




      1. John says:

        Further on in the second article it states:
        Using Windows Live ID: This option is not recommended for business-to-business scenarios, but is useful for business-to-consumer scenarios.

        Question states “A partner company”, so I’m willing to bet that MS wants you to say federated trust.



