Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown in the following table.
Name   Domain                       Site
DC1    Contoso.com                  Main Office
DC2    Contoso.com                  Main Office
DC3    Contoso.com                  Europe Office
DC4    Contoso.com                  Asia Office
DC5    Sales.contoso.com            Main Office
DC6    Manufacturing.contoso.com    Main Office
You create a trust between contoso.com and a domain in another forest at a partner company.
You need to prevent the sales.contoso.com and the manufacturing.contoso.com names from being used in authentication requests across the forest trust.
What should you use?
A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom
G. Netdom
Agree the answer is G. The question is related to Selective Authentication in a Forest Trust which can be set to using netdom or from Active Directory Domains and Trusts.
Netdom trust TrustingDomainName /domain:TrustedDomainName /SelectiveAuth:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd
According to this technet
https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx#w2k3tr_trust_security_zyzk
“You can enable or disable selective authentication only from the trusting side of a trust. If the trust is a two-way trust, you can also enable or disable selective authentication in the trusted domain by using the credentials of the domain administrator for the trusted domain and reversing the values of TrustingDomainName and TrustedDomainName in the command.”
“You create a trust between contoso.com and a domain in ANOTHER Forest at a partner company.”
Netdom cannot be used to create a forest trust between two AD DS forests. To create an across-forest trust between two AD DS forests, you can either use a scripting solution or the Active Directory Domains and Trusts snap-in.
So I think the answer is:
Set-ADForest -UPNSuffixes @{Remove="manufacturing.contoso.com","sales.contoso.com"}
You aren’t creating anything. That’s already been done in ADDT.
You are tasked with filtering out sales. and manufacturing.
These are on YOUR side of the trust.
from: https://technet.microsoft.com/en-us/library/ee617212.aspx
Set-ADDomain
AllowedDNSSuffixes
Modifies the list of domain name server (DNS) suffixes that are allowed in a domain. This parameter sets the value of the msDS-AllowedDNSSuffixes attribute of the domainDNS object. This parameter uses the following syntax to add, remove, replace, or clear DNS suffix values.
…
To remove values:
-AllowedDNSSuffixes @{Remove=value3,value4,…}
…
The following example shows how to add and remove DNS suffixes for a domain.
-AllowedDNSSuffixes @{Add="corp.contoso.com,contoso.com"};@{Remove="corpnet.contoso.com"}
So answer is C
Any thoughts?
The key part is the “You need to prevent the sales.contoso.com and the manufacturing.contoso.com NAMES from being used”. So the users still need to authenticate, but the names of the child domains must not be used in those requests.
In my opinion Pirulu is right except that that command would need to be run on the forest, not the domain.
My answer is F
I agree with Pirulo. Answer is C.
I don’t think it’s F because F only allows you to remove UPNs. Just because you remove the UPN doesn’t mean the user cannot login, it just means he can’t login with that UPN. He will still have another UPN.
So what? The question asks “prevent names”, not “prevent users”.
The question relates to forest authentication. If you remove the DNS suffixes you will get internal DNS issues surely?
@bopbop “Just because you remove the UPN doesn’t mean the user cannot login, it just means he can’t login with that UPN. He will still have another UPN.”
I think this is the answer: Because you remove the UPN, the user cannot login with that name. They will be forced to use another UPN.
“You need to prevent the sales.contoso.com and the manufacturing.contoso.com NAMES from being used in authentication requests across the forest trust”
I would have to go with Gareth.
This change needs to be done in the forest.
It’s explicitly stated in the question.
My answer is Set-ADForest
netdom trust sales.contoso.com /namesuffixes:otherdomain.com /togglesuffix:1
netdom trust manufacturing.contoso.com /namesuffixes:otherdomain.com /togglesuffix:1
http://windowsitpro.com/networking/using-netdom-control-name-suffix-routing-cross-forest-trust
My answer is Netdom
I agree, especially after googling “set-adforest trust” and getting absolutely nothing.
Trust Tools
The two principal Microsoft tools that can be used to create and manage trusts are Active Directory Domains and Trusts (Domain.msc) and Windows Domain Manager, also called Netdom (Netdom.exe).
https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
I think both answers, F and G, will be right.
From http://windowsitpro.com/networking/using-netdom-control-name-suffix-routing-cross-forest-trust we see:
“For example, Table 2 shows that to disable the *.adatum.com name suffix, you type:
netdom trust fabrikam.com /namesuffixes:adatum.com /togglesuffix:1
This command is equivalent to clicking the Disable button from the Name Suffix Routing tab of the forest Properties dialog box, as Figure 1 shows. You reach this dialog box from the properties of a forest appearing in the Active Directory Domains and Trusts MMC snap-in. It effectively disables all name-suffix routing from *.adatum.com and any domains below that, such as corp.adatum.com.”
So, F and G are only different ways of achieving the result.
Take a look at https://technet.microsoft.com/en-us/library/cc816626(v=ws.10).aspx
this question was on my exam
you’re an asshole dude
No clue where people are pulling set-adforest from. You can remove and change UPNs, but it’s within the forest and domain, but it doesn’t have anything to do with selective authorisation.
NETDOM is the tool of choice for this, and only if you don’t have access to ADDT
https://technet.microsoft.com/en-us/library/cc776879(v=ws.10).aspx
Agree. Removing UPN suffixes in your own forest would potentially be harmful. What you need is to disable suffix routing (netdom), not remove UPN suffix from your forest (set-adforest).
Disabling a namespace in the properties of forest trust relationship fully disables the routing of requests to that namespace and all its subordinate namespaces. For example, disabling the hp.com namespace will disable the routing from all subordinate namespaces including emea.hp.com, americas.hp.com, and asiapac.hp.com. Top Level Name (TLN) restrictions also let you exclude the routing of only certain subordinate namespaces. For example, if routing from the hp.com namespace was enabled, you could exclude just the routing from the emea.hp.com subordinate namespace.
netdom trust /RemoveTLN
https://technet.microsoft.com/en-us/library/cc835085.aspx
Actually /RemoveTLN seems to be for non-Windows trusts so it looks like the below is more accurate.
netdom trust /namesuffixes /togglesuffix
G. Netdom
https://msdn.microsoft.com/fr-fr/library/cc786254(v=ws.10).aspx
“You can exclude existing name suffixes from routing to local forests by using the New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool.”
this settles it for me.
It’s G.
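The thread settles on netdom /namesuffixes and /togglesuffix but never shows how the two fit together. The script below is an added example, not from this thread and not Microsoft's own code. It inventories the forest trusts with the RSAT ActiveDirectory module (to show the selective-authentication and SID-filtering state that several replies mention), lists the routed name suffixes for one trust with netdom, and disables the requested suffixes by entry number. Note that /togglesuffix takes the entry number printed by /namesuffixes, not a 1-means-disable flag, so the script parses the listing first. Assumptions not on the page: netdom.exe and the ActiveDirectory module are installed, 'partner.example' is a placeholder for the partner forest, the listing line shape "N. suffix, Kind, Enabled|Disabled" is assumed from typical netdom output, and the caller administers the forest whose trust object holds the entries.

```powershell
<#
Added example (not from the thread). Lists and disables routed name suffixes on a
forest trust with netdom, after showing the trust inventory from Get-ADTrust.

Where to run it: the numbered suffix list describes the *other* forest's names, so the
entries for contoso.com and its child domains live on the partner forest's trust object
to contoso.com (the windowsitpro example quoted in the thread toggles adatum's suffix
while running against fabrikam.com). 'partner.example' is a placeholder.
Without -Apply nothing is changed; the script only reports what it would run.
#>
param(
    [string]   $TrustingDomain    = 'partner.example',   # forest root whose trust object holds the entries (placeholder)
    [string]   $TrustedForest     = 'contoso.com',       # forest whose name suffixes are being routed
    [string[]] $SuffixesToDisable = @('sales.contoso.com', 'manufacturing.contoso.com'),
    [switch]   $Apply
)

Import-Module ActiveDirectory

# 1. Trust inventory: selective authentication and SID filtering are the other two
#    trust-level controls discussed in the thread; routing is separate from both.
Get-ADTrust -Filter 'ForestTransitive -eq $true' -Server $TrustingDomain |
    Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 2. Parse the numbered listing printed by "netdom trust <trusting> /namesuffixes:<trust>".
function Get-RoutedSuffix {
    param([string]$Trusting, [string]$Trust)
    $raw = & netdom.exe trust $Trusting /namesuffixes:$Trust 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netdom failed: $raw" }
    foreach ($line in $raw) {
        # Assumed line shape (typical netdom output): "1. *.contoso.com, Name Suffix, Enabled"
        if ($line -match '^\s*(\d+)\.\s+(.+?),\s*(.+?),\s*(Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Index  = [int]$matches[1]
                Suffix = $matches[2].Trim()
                Kind   = $matches[3].Trim()
                State  = $matches[4]
            }
        }
    }
}

# 3. Toggle only entries that exist and are currently Enabled, using their entry number.
$entries = Get-RoutedSuffix -Trusting $TrustingDomain -Trust $TrustedForest
$entries | Format-Table -AutoSize

foreach ($suffix in $SuffixesToDisable) {
    $entry = $entries | Where-Object { $_.Suffix -in @($suffix, "*.$suffix") } | Select-Object -First 1
    if (-not $entry) {
        # Child-domain names usually sit under the forest's top-level suffix (*.contoso.com).
        # Those are handled as name-suffix exclusions under that entry (Name Suffix Routing
        # tab, Edit) rather than by toggling a separate entry, as the thread's HP quote notes.
        Write-Warning "No separate routing entry for $suffix; exclude it under the top-level suffix instead."
        continue
    }
    if ($entry.State -eq 'Disabled') {
        Write-Host "$($entry.Suffix) (entry $($entry.Index)) is already disabled."
        continue
    }
    $cmd = "netdom trust $TrustingDomain /namesuffixes:$TrustedForest /togglesuffix:$($entry.Index)"
    if ($Apply) {
        & netdom.exe trust $TrustingDomain /namesuffixes:$TrustedForest /togglesuffix:$($entry.Index)
    } else {
        Write-Host "Would run: $cmd"
    }
}

# 4. Re-list so the result (or the planned change) can be checked against the current state.
Get-RoutedSuffix -Trusting $TrustingDomain -Trust $TrustedForest | Format-Table -AutoSize
```

Run it once without -Apply to see the numbered entries and the exact netdom commands it would issue, then with -Apply from an elevated prompt on the forest that holds the trust object (or add /usero: and /passwordo: to the netdom calls if you are using that forest's credentials from elsewhere). Because /togglesuffix flips whatever entry number you give it, reading the listing first and re-listing afterwards is the check that keeps you from disabling the wrong suffix.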