PrepAway - Latest Free Exam Questions & Answers

You need to prevent users from impersonating contoso.com users

Your network contains two Active Directory forests named contoso.com and adatum.com.
Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD
RMS trusted user domain (TUD) exists between contoso.com and adatum.com.
From the AD RMS logs, you discover that some clients that have IP addresses in the
adatum.com forest are authenticating as users from contoso.com.
You need to prevent users from impersonating contoso.com users.
What should you do?

PrepAway - Latest Free Exam Questions & Answers

A.
Configure trusted e-mail domains.

B.
Enable lockbox exclusion in AD RMS.

C.
Create a forest trust between adatum.com and contoso.com.

D.
Add a certificate from a third-party trusted certification authority (CA).

Explanation:
http://technet.microsoft.com/en-us/library/cc753930.aspx
Add a Trusted User Domain
By default, Active Directory Rights Management Services (AD RMS) does not service
requests from users whose rights account certificate (RAC) was issued by a different AD
RMS installation. However, you can add user domains to the list of trusted user domains
(TUDs), which allows AD RMS to process such requests.
For each trusted user domain (TUD), you can also add and remove specific users or groups
of users. In addition, you can remove a TUD; however, you cannot remove the root cluster
for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root
cluster in its own forest.
You can add TUDs as follows:
To support external users in general, you can trust Windows Live ID. This allows an AD
RMS cluster that is in your company to process licensing requests that include a RAC that
was issued by Microsoft’s online RMS service. For more information about trusting Windows
Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.
To trust external users from another organization’s AD RMS installation, you can add the
organization to the list of TUDs. This allows an AD RMS cluster to process a licensing
request that includes a RAC that was issued by an AD RMS server that is in the other
organization.
In the same manner, to process licensing requests from users within your own organization
who reside in a different Active Directory forest, you can add the AD RMS installation in that
forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a
licensing request that includes a RAC that was issued by an AD RMS cluster in the other
forest.
For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live
ID sites and services, you can specify which e-mail users or domains are not trusted.


Leave a Reply