PrepAway - Latest Free Exam Questions & Answers

You need to configure the forest trust to meet the new security policy requirement

Your company has two Active Directory forests as shown in the following table.

The forests are connected by using a two-way forest trust.
Each trust direction is configured with forest-wide authentication.
The new security policy of the company prohibits users from the eng.fabrikam.com domain from accessing
resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement.
What should you do?


A. Delete the outgoing forest trust in the contoso.com domain.

B. Delete the incoming forest trust in the contoso.com domain.

C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide
authentication to Selective authentication.

D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude
*.eng.fabrikam.com from the Name Suffix Routing trust properties.

Explanation:
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
How Domain and Forest Trusts Work
Active Directory provides security across multiple domains or forests through domain and forest trust
relationships. Before authentication can occur across trusts, Windows must first determine whether the domain
being requested by a user, computer or service has a trust relationship with the logon domain of the requesting
account. To make this determination, the Windows security system computes a trust path between the domain
controller for the server that receives the request and a domain controller in the domain of the requesting
account.
...
Trust Flow
The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure
a trust determines how far the communication extends within a forest or across forests. The flow of
communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of
the trust (transitive or nontransitive).
One-Way and Two-Way Trusts
Trust relationships that are established to enable access to resources can be either one-way or two-way. A
one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between
Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B
cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending
on the type of trust being created.
All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is
created, a two-way, transitive trust is automatically created between the new child domain and the parent
domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that
authentication requests can be passed between the two domains in both directions. Some two-way
relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory
domain can establish a one-way or two-way trust with:
Windows Server 2003 domains in the same forest.
Windows Server 2003 domains in a different forest.
Windows NT 4.0 domains.
Kerberos V5 realms.
Transitive and Nontransitive Trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A
transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to
deny trust relationships with other domains.
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created
between the new domain and its parent domain. If child domains are added to the new domain, the trust path
flows upward through the domain hierarchy, extending the initial trust path created between the new domain and
its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating
transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths, so accounts from any domain in the forest can be
authenticated by any other domain in the forest. With a single logon process, accounts with the proper
permissions can access resources in any domain in the forest. The following figure shows that all domains in
Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access
resources in domains in Tree 2 and users in Tree 2 can access resources in domains in Tree 1, when the proper
permissions are assigned at the resource.
Default Transitive Trust Relationships

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust
Wizard you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to
shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between one forest root domain and another forest root domain.
Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.
A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other
domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two
one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:
A Windows Server 2003 domain and a Windows NT domain
A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest
trust)
By using the New Trust Wizard, you can manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows
NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT
domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust
relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm.
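The trust-flow rules above (direction plus transitivity) as a small Python model of the trust path computation; this is an added example, not part of the original page or of the Microsoft article. The contoso.com, fabrikam.com and eng.fabrikam.com domains mirror the question; legacy.local and northwind.com are constructed, and the rule that a path crosses at most one forest trust is an assumption the quoted text does not state.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str         # domain that accepts accounts from `trusted`
    trusted: str          # domain whose accounts are accepted
    transitive: bool
    forest: bool = False  # forest trust between two forest root domains

def two_way(a, b, transitive, forest=False):
    # A two-way trust is two one-way trusts, one in each direction.
    return [Trust(a, b, transitive, forest), Trust(b, a, transitive, forest)]

def can_authenticate(trusts, account_domain, resource_domain):
    """Can an account from account_domain be authenticated by resource_domain?
    Walks the trust path from the resource domain back to the account domain;
    a nontransitive trust is usable only as the whole path (one direct hop),
    transitive trusts chain. Assumption beyond the quoted article: a path may
    cross at most one forest trust, as forest trusts do not chain further."""
    if account_domain == resource_domain:
        return True
    # BFS state: (domain we stand in, whether a forest trust was crossed)
    queue = deque([(resource_domain, False)])
    seen = {(resource_domain, False)}
    while queue:
        here, crossed_forest = queue.popleft()
        for t in (t for t in trusts if t.trusting == here):
            if not t.transitive:
                if here == resource_domain and t.trusted == account_domain:
                    return True
                continue
            if t.forest and crossed_forest:
                continue
            if t.trusted == account_domain:
                return True
            state = (t.trusted, crossed_forest or t.forest)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False

# Constructed topology modelled on the question: contoso.com and fabrikam.com
# joined by a two-way forest trust, eng.fabrikam.com a child of fabrikam.com;
# legacy.local (one-way external trust) and northwind.com (third forest) added.
TRUSTS = (
    two_way("fabrikam.com", "eng.fabrikam.com", transitive=True)
    + two_way("contoso.com", "fabrikam.com", transitive=True, forest=True)
    + [Trust("contoso.com", "legacy.local", transitive=False)]
    + two_way("fabrikam.com", "northwind.com", transitive=True, forest=True)
)
```

With the two-way forest trust in place, can_authenticate(TRUSTS, "eng.fabrikam.com", "contoso.com") is True, which is the access the new policy wants to stop; the one-way external trust answers only for legacy.local accounts reaching contoso.com, not the reverse and not any other domain.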

