You need to ensure that the migrated users can access the resources in contoso.com

Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains one domain. Adatum.com contains a child domain named
child.adatum.com.
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled
on the forest trust.
Several user accounts are migrated from child.adatum.com to adatum.com.
Users report that after the migration, they fail to access resources in contoso.com. The users
successfully accessed the resources in contoso.com before the accounts were migrated.
You need to ensure that the migrated users can access the resources in contoso.com.
What should you do?


A. Replace the existing forest trust with an external trust.
B. Run netdom and specify the /quarantine attribute.
C. Disable SID filtering on the existing forest trust.
D. Disable selective authentication on the existing forest trust.

Explanation:
B) Netdom enables administrators to manage Active Directory domains and trust relationships from the command prompt; the /quarantine switch sets or clears the domain quarantine (SID filter quarantining) on a trust.
C) The migrated users need to regain access to the resources in contoso.com.
D) Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest.
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx





bobsmith

Ebrahim Ali

BobSmith,
Disabling selective authentication will not solve the issue when SID filtering is still active, because “Users who use SID history data for authorization to resources in the trusting domain no longer have access to those resources.”
But if you disable SID filtering and do not disable selective authentication, then the users who use SID history data for authorization to resources in the trusting domain will have access to those resources, because the already selectively authenticated user accounts migrated from child.adatum.com to adatum.com will have access through SID history when SID filtering is disabled.

Ebrahim Ali

So the correct answer is C. Disable SID filtering on the existing forest trust.

Loc

The question does not mention that SID Filtering is turned on. I think Bob is right in that case.

Billy

SID filtering is turned on by default.

BigBob

C

Selective authentication: When configured, users from the trusted forest will not be automatically authenticated. This allows you to configure the specific servers and domains within the trusting forest that you want to make available to users in the trusted forest. This option is suitable when each forest belongs to a separate entity. To allow a user or group from a trusted forest to access a resource in a trusting forest, configure the Allowed To Authenticate permission on that resource for the user or group from the trusting forest.

SID filtering is enabled by default on domain controllers running Windows Server 2012 and Windows Server 2012 R2.

http://technet.microsoft.com/en-us/library/cc794801%28v=ws.10%29.aspx

Billy

It is C.

From https://technet.microsoft.com/en-us/library/cc772816%28v=ws.10%29.aspx

Although it is not recommended, you can disable security identifier (SID) filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:

You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.

You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.

***Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain based on the SIDHistory attribute.***

NOTE: It could also be ‘B’, but you would actually run ‘netdom trust’ and not just netdom.

Billy

Never mind, it can’t be B! /quarantine is only for a domain trust, and this is a forest trust.

James L

Billy, you are correct, it cannot be B, but be careful to understand and use your trust terminology correctly.
(FYI: /quarantine is for external trusts; /enablesidhistory is for forest trusts.)
This article clearly explains the details of SID Filtering and Selective Authentication in interforest trust relationships, i.e. External and Forest trusts:
https://technet.microsoft.com/en-us/library/cc755321(WS.10).aspx
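Because both the Explanation above and this thread turn on which netdom switch belongs to which trust type, here is an added PowerShell example (not from the question, the Explanation or any commenter) that reads the trust contoso.com holds for adatum.com with Get-ADTrust, records its state, and then applies the switch that matches the trust type. It assumes the ActiveDirectory module, domain-admin rights in contoso.com, the forest names from the question, and a constructed credential placeholder ADATUM\Administrator.

```powershell
# Added example, not from the question or any comment above. Assumes the
# ActiveDirectory module and domain-admin rights in contoso.com, the trusting
# (resource) forest. Run from a DC or an RSAT host in contoso.com.
Import-Module ActiveDirectory

$trustingForest = 'contoso.com'   # resource forest (trusting side)
$trustedForest  = 'adatum.com'    # account forest (trusted side)
$trustedAdmin   = 'ADATUM\Administrator'   # constructed placeholder account

function Get-TrustState {
    # Read the trust object that contoso.com holds for adatum.com.
    # ForestTransitive distinguishes a forest trust (/enablesidhistory applies)
    # from an external trust (/quarantine applies). SelectiveAuthentication
    # mirrors the trust's authentication level; the two SIDFiltering* flags
    # record the SID filtering state for each trust type.
    Get-ADTrust -Identity $trustedForest -Server $trustingForest |
        Select-Object Name, Direction, ForestTransitive, IntraForest,
                      SIDFilteringForestAware, SIDFilteringQuarantined,
                      SelectiveAuthentication
}

'Trust state before any change (keep this for the change record):'
Get-TrustState

$trust = Get-ADTrust -Identity $trustedForest -Server $trustingForest
if ($trust.ForestTransitive) {
    # Forest trust: SID history handling is controlled by /enablesidhistory.
    # Giving the switch without a value only reports the current setting.
    netdom trust $trustingForest "/domain:$trustedForest" /enablesidhistory
    # Answer C of the question: allow SIDHistory-based access over the forest trust.
    netdom trust $trustingForest "/domain:$trustedForest" /enablesidhistory:yes `
        "/userD:$trustedAdmin" /passwordD:*
} else {
    # External trust only: /quarantine sets or clears SID filter quarantining
    # (the distinction Billy and James L draw in the thread).
    netdom trust $trustingForest "/domain:$trustedForest" /quarantine
    netdom trust $trustingForest "/domain:$trustedForest" /quarantine:no `
        "/userD:$trustedAdmin" /passwordD:*
}

'Trust state after the change:'
Get-TrustState
```

Comparing the two Get-TrustState listings shows which flag the chosen switch actually changed; selective authentication stays as it was, which is what distinguishes answer C from answer D.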

B-Art

THIS IS IT!

Despite what people and the explanation says, ANSWER C is correct because:
You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.

If the universal group in the trusted forest was not created in the trusted domain, even though it might contain users from the trusted domain as members, authentication requests made by members of that universal group will be filtered and discarded. Therefore, before assigning access to resources in the trusting domain for users in the trusted domain, you should confirm that the universal group containing the trusted domain users was created in the trusted domain.

ech

Answer is C, I tested it in a test environment. SID filtering is enabled in W2K12 R2 by default.

RR

My explanation:
SID history is regarding the user token. Nothing changes with the user account.
Because the file server is moved to a different domain, you have to change the selective authentication, which is regarding the computer object. Because the file server computer object does not receive a token with the Own Organization attribute (users are now from Other Organization), the Authenticated Users group needs to have the “Allowed to Authenticate” right on the file server object. If you disable selective authentication, this permission is not required and authenticated users can access the file server normally.

RR

Correction: This answer belongs to the question where the file servers are moved, Q54942.

SID history is correct

joe

A – Would not resolve anything; it would just mean that the trust is between 2 domains rather than an entire forest.
B – This is the same as disabling SID filtering, but used for external trusts and not forest trusts.
C – Would allow users to authenticate based on their old SID.
D – Would technically work, but would not be the best thing to do, as you probably have selective authentication enabled for a reason such as security requirements. This will allow users to authenticate who are not meant to be allowed.

jealheca

Hi, which is the answer? Thank you.

Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown in the following table.

Name   Domain                      Site
DC1    Contoso.com                 Main Office
DC2    Contoso.com                 Main Office
DC3    Contoso.com                 Europe Office
DC4    Contoso.com                 Asia Office
DC5    Sales.contoso.com           Main Office
DC6    Manufacturing.contoso.com   Main Office

You need to enable universal group membership caching for the Europe Office and Asia Office sites.
What should you use?
A. Set-ADSite
B. Set-ADReplicationSite
C. Set-ADDomain
D. Set-ADReplicationSiteLink
E. Set-ADGroup
F. Set-ADForest
G. Netdom

botski

@Jealheca,

It’s B.

Robert Paulson

Hi folks, if the answer is “B”, then tell us how you will configure it. You do not know how? I also do not know.

The answer is “C”.

ORI GEN

Passed 70-412 exam on 1/Dec/2016!

6 new questions on:

DHCP Multicast
Azure Backup
Password Replication Policy
…etc.

I used the link below and PassLeader 70-412 dumps (391 Q&As)

PassLeader 70-412 dumps (391 Q&As): http://www.passleader.com/70-412.html