PrepAway - Latest Free Exam Questions & Answers

How should you configure the existing forest trust settings? In the table below, identify which configuration

HOTSPOT
Your network contains three Active Directory forests. The forests are configured as shown in the
following table.

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way forest
trust also exists between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from division1.contoso.com to division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain controllers
in the appropriate forest after the trust is created.
How should you configure the existing forest trust settings?
In the table below, identify which configuration must be performed in each forest. Make only one
selection in each column. Each correct selection is worth one point.


Answer:

Explanation:
There will be a one-way forest trust from division1.contoso.com to division2.contoso.com.
Division1 trusts Division2. Division2 must be able to access resources in Division1.

Division1 should not be able to access resources in Division2.

4 Comments on “How should you configure the existing forest trust settings? In the table below, identify which configuration

  1. JeanMalot says:

    wrong. Correct answer is

    Division1.contoso.com
    “Add division2.contoso.com as an exclusion to the name suffix routing entry of contoso.com”

    Division2.contoso.com
    “Add division1.contoso.com as an exclusion to the name suffix routing entry of contoso.com”




    1. MancaMulas says:

      Why do you think that the answer should be that, Jean Malot?
      I’m not following your thought.

      If you have a one-way forest trust from division1.contoso.com to division2.contoso.com, the only way an account from division2 will be able to access resources in division1 is through the name suffix routing, otherwise it won’t be able to.

      What am I missing here? Please explain.




  2. MancaMulas says:

    I think I can answer my own question.

    We have 3 separate forests here, and that’s the problem here. If we were talking about different domains in the same forest then we wouldn’t have this problem.
    We already have trusts between both division forests and the contoso forest. Now we just need to create a one-way forest trust between div1 and div2.

    Based on this:

    “When a Forest Trust is created a Name Suffix Route is dynamically added to both sides of the Forest Trust Properties. The Name Suffix Route is comprised of the DNS name suffix of the trusted forest root and a wildcard (*) precedes the DNS name suffix to allow for child domains to be trusted implicitly.”

    Which means that we don’t need to create a name suffix when creating the one-way trust, it will be automatically created. If we do create one, that will cause problems in authentication traffic.

    So, also based on the statement below, we have to create exclusions in both divisions, despite the trust being only one way:

    “When more than two Forest reside in the same DNS namespace, and the root of that DNS tree is also an Active Directory forest, logic must be added to the Name Suffix Route to ensure authentication traffic is routed to the correct forest root. This can be accomplished by adding Exclusions to the Name Suffix Routes.”

    Correct answer should then be:

    From division1.contoso.com: Add division2.contoso.com as an exclusion to the name suffix routing entry of contoso.com

    From division2.contoso.com: Add division1.contoso.com as an exclusion to the name suffix routing entry of contoso.com

    https://blogs.technet.microsoft.com/askds/2009/04/10/name-suffix-routing/





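The overlap the comments above describe, shown as a simplified model of name suffix routing from division1.contoso.com's side. This is an added example, not part of the original posts and not Active Directory's own implementation; the `ForestTrust` class, the `route` function and the sample user names are hypothetical.

```python
from dataclasses import dataclass, field

def covers(suffix: str, name: str) -> bool:
    """True if name equals suffix or is a child of it (the '*.' wildcard)."""
    suffix, name = suffix.lower().rstrip("."), name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

@dataclass
class ForestTrust:
    partner: str                  # forest root on the other side of the trust
    suffixes: list                # name suffix routes, stored without '*.'
    exclusions: list = field(default_factory=list)

    def claims(self, name: str) -> bool:
        # A trust claims a name when a route covers it and no exclusion does.
        routed = any(covers(s, name) for s in self.suffixes)
        excluded = any(covers(e, name) for e in self.exclusions)
        return routed and not excluded

def route(trusts, upn_or_dns: str):
    """Return every partner forest whose routes claim the name's DNS suffix.

    More than one result means the request is ambiguous in this model.
    """
    name = upn_or_dns.rsplit("@", 1)[-1]
    return sorted(t.partner for t in trusts if t.claims(name))

def division1_trusts(with_exclusion: bool):
    # Constructed view from division1.contoso.com once the new trust exists.
    return [
        ForestTrust("contoso.com", ["contoso.com"],
                    ["division2.contoso.com"] if with_exclusion else []),
        ForestTrust("division2.contoso.com", ["division2.contoso.com"]),
    ]

if __name__ == "__main__":
    for flag in (False, True):
        trusts = division1_trusts(flag)
        # Constructed sample identities.
        for who in ("alice@division2.contoso.com", "bob@hq.contoso.com"):
            print(f"exclusion={flag}  {who} -> {route(trusts, who)}")
```

Without the exclusion, `*.contoso.com` and `*.division2.contoso.com` both claim a division2 name; with it, only the division2 trust does, while other contoso.com names still route to contoso.com.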