How should you configure the existing forest trust settings? In the table below, identify which configuration must be performed in each forest

HOTSPOT
Your network contains three Active Directory forests. The forests are configured as shown in
the following table.

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way
forest trust also exists between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from division1.contoso.com to
division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain
controllers in the appropriate forest after the trust is created.
How should you configure the existing forest trust settings?
In the table below, identify which configuration must be performed in each forest. Make only
one selection in each column. Each correct selection is worth one point.


Answer:

Explanation:

There will be a one-way forest trust from division1.contoso.com to division2.contoso.com.
Division1 trusts Division2, so Division2 users must be able to access resources in Division1,
while Division1 users should not be able to access resources in Division2.
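The settings this question asks about (name suffix routing entries and their exclusions on an existing forest trust) can be inspected and changed from PowerShell through the .NET ForestTrustRelationshipInformation class. The script below is an added example, not part of the original question or its comments; it assumes it is run in one of the division forests with Enterprise Admins rights, and the two variables at the top are set for the exclusion step named in the thread (excluding division2.contoso.com on the division1.contoso.com side), so swap them to apply the mirror step in the other forest.

```powershell
# Added example: list name suffix routing for the trust to $TrustPartner
# and add an exclusion if it is not already present.
# Assumed context: run inside division1.contoso.com by an Enterprise Admin.
Add-Type -AssemblyName System.DirectoryServices

$TrustPartner    = 'contoso.com'           # existing two-way forest trust to inspect
$SuffixToExclude = 'division2.contoso.com' # suffix that must not be routed via contoso.com

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trust  = $forest.GetTrustRelationship($TrustPartner)   # ForestTrustRelationshipInformation

Write-Host "Name suffix routing on trust $($forest.Name) -> $TrustPartner"
foreach ($tln in $trust.TopLevelNames) {
    # Status is Enabled, NewlyCreated, AdminDisabled or ConflictDisabled
    "{0,-30} {1}" -f $tln.Name, $tln.Status
}
Write-Host "Current exclusions: $(($trust.ExcludedTopLevelNames | ForEach-Object { $_ }) -join ', ')"

if ($trust.ExcludedTopLevelNames.Contains($SuffixToExclude)) {
    Write-Host "$SuffixToExclude is already excluded; nothing to change."
} else {
    # Save() writes the updated routing information back to the
    # trusted domain object (msDS-TrustForestTrustInfo) in this forest.
    $trust.ExcludedTopLevelNames.Add($SuffixToExclude) | Out-Null
    $trust.Save()
    Write-Host "Excluded $SuffixToExclude from routing over the $TrustPartner trust."
}
```

Run the listing part first without the Save() branch if you only want to confirm which suffixes a trust currently routes; the same output is what Active Directory Domains and Trusts shows on the trust's Name Suffix Routing tab.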





Adeel

So you leave the other two blank?

Alex Chaingun

Being radio boxes, I doubt they should be left without selecting one of the variants.

Matteo

But it's written "make only one selection in each column". So I think it's correct.

Alex Chaingun

True, missed that part somehow 🙂

Bobo

Wow! Missed that one too!

Off-topic: to me, Microsoft puts a lot of effort into confusing students, not testing them on their actual knowledge but more on whether they read well.

Of course, if your knowledge is at the right level you should be able to pass the test, but my flaw is that I read too quickly 🙁

Joe

Agree with this answer.

OSA

Based on the following article, "http://blogs.technet.com/b/askds/archive/2009/04/10/name-suffix-routing.aspx", the answer above may be wrong.
The answer is more likely to be:
1. Add division2.contoso.com as an exclusion to the name suffix routing entry of contoso.com on division1.contoso.com (as above)
2. Add division1.contoso.com as an exclusion to the name suffix routing entry of contoso.com on division2.contoso.com

JohnnyDivin'Duck

Agreed.
Apparently, even though the trust between the division domains is configured one-way, we still need to prevent authentication requests going from division1 to the contoso.com forest.

Cerlin

After looking at this again, the question does say ALL requests should go to the direct DCs. You may be correct.

qwe

I fail to see how you got to this conclusion. The routing entry MUST be created on division2. Also, creating an exclusion on contoso2 won't do anything to accomplish the task, nor is the link you provided endorsing such a thing. The situation there is quite different.

MalotJean

No, the routing entry on division2 will be created anyway when the new one-way trust is established. No need to do it manually.
The situation described in the linked article is exactly the same as this one.

RP666

In v3 of this test, people seem to like this answer:
Add division1.contoso.com as a name suffix routing entry = Division2.contoso.com
Add division2.contoso.com as an exclusion to the name suffix routing entry of contoso.com = Division1.contoso.com

However, I can’t understand why. Shouldn’t we route authentication to the forest with the user accounts (div2)?

My answer:
Add division2.contoso.com as a name suffix routing entry = Division1.contoso.com
Add division1.contoso.com as an exclusion to the name suffix routing entry of contoso.com = Division2.contoso.com

It's very possible that I am wrong, but I would appreciate a proper explanation for this question if I am.
BTW, I wrote the exam and failed. I had this exact question on my test.

Cerlin

I agree with you. If there is a one-way trust from div1 to div2, then users in div2 need to access resources in div1. That means div1 needs to be able to send authentication requests from div2 users to div2 DCs. So div1 needs the UPN routing to bypass the transitive trust.

Now, it's a one-way trust, so users in div1 should not have access to anything in div2. So on div2 we need to prevent local DCs from sending authentication requests through the transitive trust, so we exclude div1 UPNs on the trust to contoso.

The accepted answer seems wrong.

A.H.

There is no transitivity here.
Transitive means signals travel in a forest to child domains.

These are three separate forests, even if the naming implies otherwise (Which is why there is a problem to begin with).

Between forests, all trusts need to be specifically implemented.
And according to MS, if you implement a trust, the routing is set for you.

The thing with this question is:
Even before you implement the one-way trust, this setup has issues.
If you wanted to log in from one division to another, you wouldn't get a proper deny; either one would send the packet to contoso.com (because *div(x).cont.com routes to *.cont.com because of the two-way trusts, assuming that div(x) is a child domain of contoso.com, which they aren't).

So basically, even without the one-way trust it would be more proper to already exclude the two divs from routing.

Sanan

When an account (from the division2) attempts to authenticate (to the division1) and that account does not exist in the local domain (in the division1), the Name Suffix Route is used to direct authentication requests to the trusted forest root domain (to the division2).

MrHoops

So, are we being tested on our knowledge of the technology, or our ability to spot clever trick questions? Asking for a friend...