Your network contains two Active Directory forestsnamed contoso.comand fabrikam.com.
Each forestcontains a single domain.
A two-way forest trustexists between the forests.
Selective authentication is enabled on the trust.
Contoso.comcontains a groupnamed Group1.
Fabrikam.comcontains a servernamed Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?

A.
the permissions of the Group1 group

B.
the UPN suffixes of the contoso.com forest

C.
the UPN suffixes of the fabrikam.com forest

D.
the permissions of the Server1 computer account

Explanation:
Group1 must get the ‘Allowed To Authenticate’ permission on Server1, so I’d go for A, as given.
Answer D may sound tempting, but it speaks of permissions ofthe Server1 computer account.
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
pages 643, 644
After you have selected Selective Authenticationfor the trust, no trusted users will be able to access resources
in the trusting domain, even if those users have been given permissions. The users must also be assigned
the Allowed To Authenticate permission on the computer object in the domain.
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is
selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the
computer that trusted users will log on to or that contains resources to which trusted users have beengiven
permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check
box for the Allowed To Authenticate permission.