Your network contains an Active Directory forest named contoso.com. The forest contains
three domains. All domain controllers run Windows Server 2012 R2.
The forest has a two-way realm trust to a Kerberos realm named adatum.com.
You discover that users in adatum.com can only access resources in the root domain of
contoso.com.
You need to ensure that the adatum.com users can access the resources in all of the
domains in the forest.
What should you do in the forest?
A. Delete the realm trust and create a forest trust.
B. Delete the realm trust and create three external trusts.
C. Modify the incoming realm trust.
D. Modify the outgoing realm trust.
Answer = D
http://www.c-sharpcorner.com/UploadFile/cd7c2e/creating-one-way-outgoing-realm-trust-for-one-side-of-trust/
http://www.c-sharpcorner.com/UploadFile/cd7c2e/creating-one-way-incoming-realm-trust-for-one-side-of-trust/
trust direction is opposite of access direction
makes sense amal
Thanks Amal
When creating the realm trust, you have to select the trust transitivity. Here you have 2 options:
– nontransitive = include only the domain and the realm
– transitive = include the domain and the realm and also the children of the domain and the realm in the relationship.
As amal2885 said, the trust direction is opposite of access direction.
So, it’s D: you have to modify the outgoing realm trust and set it as transitive.
answer D
I genuinely believe the answer is A, as they are both Kerberos-enabled forests. There would be absolutely no need for the trust to be a realm trust, a forest trust would fit the scenario better, and resolve the problem of transitive trust. Can anybody give me a good reason as to why this wouldn't work?
The official Microsoft book on this exam states “Realm trusts are used when you want to create a trust relationship between a non-kerberos realm, such as one running in a linux environment, and an active directory domain services domain”
The fact that this question stated that the domain IS Kerberos enabled to me is a giveaway that they want you to change it to a forest trust.
Ahmmp.. Can anyone confirm the best/right 🙂 answer in this question. Thank you so much guys.
I'd say because they are Kerberos-enabled forests. Then a realm trust is not needed. So changing to a forest trust meets the access requirements of the question.
Finally figured this out. The question states that contoso has a trust with a REALM, therefore that rules out A & B: https://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspx. Someone mentioned in this thread that because Kerberos is used the answer should be A. Again, look at the TechNet article, which says ‘Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server’
As you are on contoso you would be configuring the outgoing trust, so D is the answer.
On the same link that you just posted it states:
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain
In this scenario, there is no Windows Server 2003 domain…?
I stand by my answer of A because the official Microsoft 70-412 book says only use a realm trust when connecting to a non-Kerberos-enabled domain. This book was published in 2014… that TechNet article was last updated 10 years ago.
We do not know if the other ‘realm’ is windows or not, all we know is that it is a Kerberos one. Therefore, we can’t just remove the realm trust as the forest trust may not work.
It doesn’t say anything about a realm trust being used for a non-Kerberos realm, it says non-Windows Kerberos realm (meaning it is a Kerberos realm but not a Windows one).
I think the answer is D, although I first thought A.
As I keep saying though, the official 70-412 book says:
“Realm trusts are used when you want to create a trust relationship between a non-kerberos realm, such as one running in a linux environment, and an active directory domain services domain”
It doesn't say it has to be a Windows domain, it is basically saying:
“If it is a non-kerberos domain then use a realm trust”
In my eyes that means if it ISN'T a non-Kerberos domain then DON'T use a realm trust.
Sorry you are wrong, I have the same book (the official Microsoft 70-412 book with a green front cover!) and it says non-WINDOWS Kerberos realm, not a non-Kerberos realm
@Gareth, Kerberos wasn’t invented by Microsoft. Kerberos is used by other vendors too for authentication, so I think D is correct.
Yes, I know… but I don't understand what that has to do with anything…?
Verbatim from the official 70-412 book, page 325: “A realm trust is a one-way or two-way, transitive or non-transitive trust between an ADDS domain and a non-Microsoft Kerberos realm.”
Therefore if it is a Kerberos REALM, it is not a Microsoft DOMAIN, so a realm trust is what you do.
Thanks for the clarification!
Realm trust needs to be modified from Non-Transitive to Transitive, so ALL domains beneath Contoso are Trusted.
It reports that ADATUM can reach CONTOSO root only, therefore the trust must be Non-Transitive in this scenario.
Change it to Transitive Trust. The Answer is D.
Cannot use a Forest Trust because you have a Kerberos Realm that you need to include as well.
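
The direction and transitivity points raised in this thread can be checked against the trust's own directory attributes. The following is an added example, not part of any comment above: it decodes the `trustDirection`, `trustType` and `trustAttributes` values of a `trustedDomain` object (flag values as documented in MS-ADTS), and the two sample records are constructed for the contoso.com/adatum.com scenario.

```python
# Added example: audit a trustedDomain object's direction and transitivity.
# Flag values are those documented for trustedDomain in MS-ADTS.
OUTBOUND = 0x2            # trustDirection bit: local domain trusts the partner
TRUST_TYPE_MIT = 3        # trustType: non-Windows Kerberos realm
NON_TRANSITIVE = 0x1      # trustAttributes bit: trust cannot be used transitively

DIRECTIONS = {0: "disabled", 1: "incoming", 2: "outgoing", 3: "two-way"}


def assess_trust(record):
    """Return what a trust lets the partner's users reach."""
    direction = int(record["trustDirection"])
    attrs = int(record["trustAttributes"])
    is_realm = int(record["trustType"]) == TRUST_TYPE_MIT
    # Access runs opposite to trust: the partner's users get access only
    # when the local domain holds the outgoing side of the trust.
    partner_has_access = bool(direction & OUTBOUND)
    transitive = not (attrs & NON_TRANSITIVE)
    findings = []
    if is_realm and partner_has_access and not transitive:
        findings.append("non-transitive realm trust: partner users are "
                        "limited to the domain that holds the trust")
    if not partner_has_access:
        findings.append("no outgoing side: partner users cannot "
                        "authenticate to local resources")
    return {
        "partner": record["trustPartner"],
        "direction": DIRECTIONS.get(direction, "unknown"),
        "realm_trust": is_realm,
        "reaches_child_domains": partner_has_access and transitive,
        "findings": findings,
    }


# Constructed sample records for the scenario in the question.
AS_FOUND = {"trustPartner": "adatum.com", "trustDirection": "3",
            "trustType": "3", "trustAttributes": "1"}
AFTER_CHANGE = dict(AS_FOUND, trustAttributes="0")

if __name__ == "__main__":
    for rec in (AS_FOUND, AFTER_CHANGE):
        print(assess_trust(rec))
```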