Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003.
You have a domain outside the forest named litwareinc.com.
You need to configure an access solution to meet the following requirements:
– Users in litwareinc.com must be able to access resources on a server
named Server1 in contoso.com.
– Users in the contoso.com forest must be prevented from accessing any
resources in litwareinc.com.
– Users in litwareinc.com must be prevented from accessing any other
resources in the contoso.com forest.
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)
A.
Configure SID filtering on the trust.
B.
Configure forest-wide authentication on the trust.
C.
Create a one-way forest trust.
D.
Create a one-way external trust
E.
Modify the permission on the Server1 object.
F.
Configure selective authentication on the trust.
Explanation:
D (not C): litwareinc.com is outside the forest so we need an external trust (not a forest trust).
E: Must grant the required permissions on Server1.
F(not B): For external trust we must either select Domain-Wide or Selective Authentication (forstwide authentication is not an option)
BCE
Note:
* You can create an external trust to form a one-way or two-way, nontransitive trust with domains
that are outside your forest. External trusts are sometimes necessary when users need access to
resources in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is
not joined by a forest trust.
/ To select the scope of authentication for users that are authenticating through a forest trust, click
the forest trust that you want to administer, and then click Properties .
On the Authentication tab, click either Forest-wide authentication or Selective authentication .
/ To select the scope of authentication for users that are authenticating through an external trust,
click the external trust that you want to administer, and then click Properties .
On the Authentication tab, click either Domain-wide authentication or Selective authentication .
* The forest-wide authentication setting permits unrestricted access by any users in the trusted
forest to all available shared resources in any of the domains in the trusting forest.
* Forest-wide authentication is generally recommended for users within the same organization.Select the Scope of Authentication for Users
http://technet.microsoft.com/en-us/library/cc776245(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc755844(v=ws.10).aspx
“litwareinc.com is outside the forest so we need an external trust (not a forest trust).”
What???? Forest trust can only be established between 2 forest root domains. Therefore it is obviously gonna be “outside” its partner’s forest also. Both External and Forest trust would acomplish this task. The difference is: external trust would be more restrictive, because you wouldn’t be able to extend the trust to future child domains.
https://technet.microsoft.com/en-us/library/dd560679(v=ws.10).aspx
It’s really hard to figure out which one is Microsoft’s preferred flavor on this one, cos you have more than one valid solution. I would go with forest trust, since selective authentication is present.
0
0
Or maybe it could be an external trust, the reason being that it’s not stated whether litwareinc’s forest functional level is 2000 or 2003+…
0
0
Seeing as how MS likes us to be as restrictive as possible and an external trust suffices for this specific case, I’d go for external trust.
0
0
I first thought the same thing, but got it in the end. In the question it says “You have a domain outside the forest named litwareinc.com”. Which means if you do a forest trust then you could be trusting other domains in that forest. External is nontransitive as mist74 mentions. Thus restriction it to only that domain. So the provided answer is correct. MS is very cheeky, but understand why they did it that way.
0
0
External trust: “An external trust is a one-way or two-way nontransitive trust between domains that are not in the same forest, and that are not already included in a forest trust. External trusts connect two domains in separate forests to allow users in the trusted domain the capability to authenticate and/or access resources in the trusting domain. Because external trusts are nontransitive, any existing trusts already in place with the trusting domain cannot be traversed by members of the external trust’s trusted domain users.”
Forest trust: “A forest trust is a one-way or two-way transitive trust between two forest root domains.”
Both definitions taken from official MS materials for course preparing to 412.
External is better in this case, is not transitive. But as qwe picked up, both would do.
0
0
Correct Answer: DEF
D (not C): litwareinc.com is outside the forest so we need an external trust (not a forest trust).
E: Must grant the required permissions on Server1.
F(not B): For external trust we must either select Domain-Wide or Selective Authentication (forst- wide authentication is not an option) BCE
http://www.vceplus.com – Download A+ VCE (latest) free Open VCE Exams – VCE to PDF Converter – VCE Exam Simulator – VCE Online – IT Certifications
Note:
* You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are
sometimes necessary when users need access to resources in a Windows NT 4.0 domain or in a domain that is located in a separate forest that is not
joined by a forest trust.
/ To select the scope of authentication for users that are authenticating through a forest trust, click the forest trust that you want to administer, and then
click Properties . On the Authentication tab, click either Forest-wide authentication or Selective authentication . / To select the scope of authentication for
users that are authenticating through an external trust, click the external trust that you want to administer, and then click Properties . On the
Authentication tab, click either Domain-wide authentication or Selective authentication .
* The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the
domains in the trusting forest.
* Forest-wide authentication is generally recommended for users within the same organization.
Reference: Select the Scope of Authentication for Users
http://technet.microsoft.com/en-us/library/cc776245(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc755844(v=ws.10).aspx
1
0