Your network contains two Active Directory forests named contoso.com and adatum.com. Each
forest contains one domain. Contoso.com has a two-way forest trust to adatum.com. Selective
authentication is enabled on the forest trust.
Contoso contains 10 servers that have the File Server role service installed. Users successfully access
shared folders on the file servers by using permissions granted to the Authenticated Users group.
You migrate the file servers to adatum.com.
Contoso users report that after the migration, they are unable to access shared folders on the file
servers.
You need to ensure that the Contoso users can access the shared folders on the file servers.
What should you do?
A.
Disable selective authentication on the existing forest trust.
B.
Disable SID filtering on the existing forest trust.
C.
Run netdom and specify the /quarantine attribute.
D.
Replace the existing forest trust with an external trust.
Explanation:
Although it is not recommended, you can use this procedure to disable security identifier (SID) filter
quarantining for an external trust with the Netdom.exe tool. You should consider disabling SID filter
quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want
to grant those users access to resources in the trusting domain (the former domain of the migrated
users) based on the sIDHistory attribute.
Etc.Disabling SID filter quarantining
http://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx
Should be A.
user –> Disable SID filtering on the existing forest trust.
file –> Disable selective authentication on the existing forest trust.
1
0
No.
A user here in the link below called James L, explain in details the trick.
http://www.aiotestking.com/microsoft/you-need-to-ensure-that-the-contoso-users-can-access-the-shared-folders-on-the-file-servers/
I go with B
0
0
yeah…long comment.. But I still go with A
There is also the other guys commented with more explanations… A is make sense to me
0
0
FAIL.
Ironically, James L’s latest comments in the link you posted, said that he’ll go with A.
“James L says:
May 23, 2015 at 7:49 pm
Sorry peeps. The more I research this and think about it the more I confuse even myself but after reading the following (see below) I think that Andy may have been right from the start. So maybe A is the correct answer after all.”
0
0
Agree with your answer and explanation.
0
0
I was talking about boni’s comment.
0
0
Answer is correct.
More info: https://technet.microsoft.com/en-us/library/cc974396(v=ws.10).aspx
0
0
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
0
0
https://technet.microsoft.com/en-us/library/cc755321(v=ws.10)
“Disabling SID Filter Quarantining on External Trusts
[…]
Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute.”
Yep, B is correct due to the cause being a cross-domain movement.
0
0
The users weren’t migrated, only the file servers. That’s why A makes more sense.
0
0
B is Correct as we are working with Forest Trusts.
you would use the NetDom command to disable SID filtering for both Trusted Domain and Trusted Forest Domains. this different being that the /quarantine attribute is only available for trusted domains, and we are working with trusted forests domain.
To disable SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust /domain: /quarantine:No /userD: /passwordD:
netdom trust DomainA /D:DomainB /UD:DomainBAdministrator /PD:* /UO:DomainAAdministrator /PO:* /Quarantine:No
To disable SID filter quarantining for the trusting forest
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust /domain: /enablesidhistory:Yes /userD: /passwordD:
netdom trust DomainA /D:DomainB /UD:DomainBAdministrator /PD:* /UO:DomainAAdministrator /PO:* /enablesidhistory:Yes
0
0
We didn’t migrate users, so SID are same; I go with A
0
0