You need to ensure that the Contoso users can access the shared folders on the file servers

Your network contains two Active Directory forests named contoso.com and adatum.com.
Each forest contains one domain. Contoso.com has a two-way forest trust to adatum.com.
Selective authentication is enabled on the forest trust.
Contoso contains 10 servers that have the File Server role service installed. Users
successfully access shared folders on the file servers by using permissions granted to the
Authenticated Users group.
You migrate the file servers to adatum.com.
Contoso users report that after the migration, they are unable to access shared folders on
the file servers.
You need to ensure that the Contoso users can access the shared folders on the file
servers.
What should you do?

A. Disable selective authentication on the existing forest trust.

B. Disable SID filtering on the existing forest trust.

C. Run netdom and specify the /quarantine attribute.

D. Replace the existing forest trust with an external trust.

Explanation:
Ref: http://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx

Andy

The correct answer is A.

Disabling the SID filtering only applies to user migration, not file server migration.

The question specifically states that the users are using permissions granted to them by the authenticated users permissions, meaning that their selective authentication is set to authenticated users for the contoso.com domain.

Disabling the selective authentication on the existing forest trust grants those users access to the adatum domain without standard authentication.

Guy

You might be right. Answer C is actually identical to B. Can someone confirm A is correct?

Kenny

I think it is A.

http://technet.microsoft.com/nl-nl/library/cc755321%28v=ws.10%29.aspx

Impact of Selective Authentication
Because all verification of incoming interforest authentication requests is done locally on the receiving domain controller in the trusting forest, access to resources in the trusting forest is likely to be extremely limited for a broad set of users on the network (which is the purpose of this security setting). Consequently, implementing selective authentication might require user education, particularly due to the following reasons:
Users browsing network resources through My Network Places to resources located in a trusting forest might get access denied messages when attempting to access those resources.

Resources in the trusting forest that were once available to users in a trusted forest might no longer be available.

mostly

premium dump is B

JD

Agree it’s A

How do you copy & paste on here ???

kurt

Seems like you lost a lot of money on those premium dumps.

BitterSysAdmin

Premium Dumps are made by no one more than basic assholes like you and I.

You understand all a premium dump is a collection of what some asshole THINKS the current trend of questions are?

I have purchased premium dumps before and holy fuck 20-25% of the questions are wrong.

alex

I took dumps with more premium content than some of these so called “premium dumps”!
Always double check and do some research.

Peter Korterink

Answer is B.

Although it is not recommended, you can use this procedure to disable SID filter quarantining for an external trust with the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:

Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain (former domain of the migrated users) based on the SIDHistory attribute.

Etc.

ref: Disabling SID filter quarantining

http://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx

James L

Here is my thinking. Read the wording carefully in all questions; MS are very clever in how they phrase their questions to see how you logically think through a problem.

1. The forest trust is two-way, but there is no indication that selective authentication has been applied on the adatum domain (trusting) to the contoso domain (trusted). It seems to indicate that selective authentication is applied the other way, i.e. adatum (trusted) users are selectively authenticated against contoso (trusting) file servers. This is fine whilst contoso authenticated users wish to access the file servers when the file servers are in the contoso domain.

2. Whilst B and C may appear to be the same answer, B relates to SID filtering in a forest trust and answer C relates to SID filtering in an external trust, of which there is no mention, so that would rule out C as a possible answer.

3. An external trust is a trust between two individual domains in separate forests that contain multiple different domains in the forest structure, and as it states clearly in the question that each forest contains one domain, this choice would seem illogical and we can also rule out D as an answer.

4. We are now left with A and B as possible options. As stated in step 1, there is no indication that selective authentication has been enabled for Contoso users to access Adatum resources, so why would we need to disable it? That rules out A as the answer.

5. When the servers are migrated to Adatum, the users from Contoso (who are now authenticated users in a different domain) will need to pass their SID across the forest trust to allow them access to the newly migrated Adatum resources (i.e. the 10 file servers). As SID filtering is enabled by default, you would need to disable it to allow the SID to pass through and allow them to be authenticated against the servers using Authenticated Users permissions.

My thinking makes B the answer.

Note that SID filtering is a common method used to prevent SID history being used maliciously after user migration, but it is SID filtering of any attribute containing a SID and not just SID history filtering (in which case MS may have named it SID History filtering and not SID Filtering).

Please comment or correct if you feel anything is wrong in my own logical thinking.

James L

Sorry peeps. The more I research this and think about it, the more I confuse even myself, but after reading the following (see below) I think that Andy may have been right from the start. So maybe A is the correct answer after all.

Allowing SID History to Traverse Forest Trusts

If users are migrated from one domain to another in different forests, you may want to allow the migrated users to access resources in their original forest using their migrated (SID history) credentials. The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.

After reading that I'm thinking that if SID filtering is enabled by default and it applied to the SID of a user in their original domain (not the SID history from their old domain after a domain user migration has taken place), then a user would not be able to pass their original SID across a forest trust, and that would make no sense.

Anyone care to comment and put us all out of our crazed minds with the definitive answer?

eric

Selective authentication between forests
If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each computer in the domain as well as the resources to which you want users in the second forest to have access. To do this, set a control access right Allowed to authenticate on the computer object that hosts the resource in Active Directory Users and Computers in the second forest. Then, allow user or group access to the particular resources you want to share.

In this case, after migrating the file server, if you want users in Contoso to have access, either assign the permission on the file server computer account, or disable selective authentication.

So answer is A.

Pirulo

From an excellent article by Jan De Clerq, we get:

When you enable the selective authentication feature of a forest trust relationship, users accessing cross-forest resources from one forest cannot authenticate to a domain controller or resource server (e.g., file server, print server) in the other forest unless they are explicitly allowed to do so. Selective authentication is available for both forest and external trust relationships if both forests are at the highest Windows Server 2003 functional level. This highest functional level, which is also Windows Server 2003’s native functional level, requires that all domain controllers run Windows Server 2003. Microsoft added selective authentication in Windows Server 2003 to allow a more granular cross-forest trust definition. In beta versions of Windows Server 2003, Microsoft referred to selective authentication as the authentication firewall. When selective authentication isn’t enabled, in terms of access control, all users from the foreign forest become almost perfect peers of the local forest users. This situation exists because foreign forest users are added to the Authenticated Users group of the local forest when they cross the trust. Even though foreign forest users also become members of the Authenticated Users group when you enable the selective authentication option, those users can authenticate to the local forest only after they pass an additional access-control check.

If we delve deeper into Microsoft's documentation, we have this:

https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx

I cite this snippet here:

Users browsing network resources through My Network Places to resources located in a trusting forest might get access denied messages when attempting to access those resources.

Resources in the trusting forest that were once available to users in a trusted forest might no longer be available.

But the whole article is worth reading.

So, to me the answer is A.

Joe

Can't seem to figure this out, it is either A or B (I have arguments for and against both).
A – Disable selective authentication … Authenticated Users has permissions; this means users who have logged into the domain or a trusted domain. Nothing should have changed here as they have been authenticated into a trusted domain. Maybe migrating file servers corrupts this, so taking off selective authentication would fix it?
B – Disable SID filter … I believe that this is so that 'users' can still access servers after their accounts have been migrated; I can't see anything on SID filtering relating to the server being migrated. Although it does make some sense to do this as the file server will now have a different SID, maybe the user is trying to connect to the old SID or something?

I guess the only way to find out for definite is to do it in a virtual environment.

David S

It’s A.

Abdul

It seems Microsoft have updated their exam questions; around 40% new questions on this one. David is right, it's A!

Joe

I think it's A. It does not say anything about Authenticated Users being given the 'Allowed to authenticate' permission, so the first thing I would check is this. So I would either turn off selective authentication or give Authenticated Users the Allowed to authenticate permission.

joe

The more I actually READ this question the more obvious it becomes.

Contoso users can access shared content on a file server in contoso (same domain).

This will be using NTFS permissions assigned to each folder/file therefore selective authentication does not stop them from accessing the data as they are in the same domain as the file server.

When the file server is moved, this is when the selective authentication comes into play. The users and file server are now in different domains, so although contoso users still have permissions to the folders/files, they also need to be given the right to authenticate to the file server. Turning off selective authentication would in a way do this, as all users will then be allowed to authenticate.

Disabling SID filtering would not do anything, as the users' SIDs are still the same, so if they were added into the server permissions as allowed to authenticate they would still be there (permissions are given based on the user SID, so nothing has changed here).

andry79

Hi all,
I tested the question in my virtual lab, and with SID filtering disabled I can't access the shared folder in the adatum forest. After I disabled selective authentication I had access to the shared folder. If selective authentication is enabled you have to give the Allowed to authenticate permission to the user groups.
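The two things andry79 tested, inspecting the trust and then either dropping selective authentication (answer A) or granting "Allowed to Authenticate" on the migrated computer objects, as an added PowerShell example that is not from this thread or from Microsoft's documentation. It assumes the RSAT ActiveDirectory module, a session on a domain controller or admin workstation in adatum.com (the trusting forest that now hosts the file servers), a hypothetical OU `OU=FileServers,DC=adatum,DC=com` holding the migrated servers, a hypothetical group `CONTOSO\FileShareUsers`, and a constructed share path `\\FS01.adatum.com\Share` for the final check.

```powershell
# Added example, not from the thread. Run in adatum.com (the trusting side of the
# trust for this direction) with the RSAT ActiveDirectory module loaded.
Import-Module ActiveDirectory

# 1. Inspect the trust as adatum.com sees it. SelectiveAuthentication is the property
#    that blocks the Contoso users after a server migration; the two SID filtering
#    properties only matter for accounts migrated with SID history, so they are shown
#    here purely for contrast.
Get-ADTrust -Identity 'contoso.com' |
    Select-Object Name, Direction, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined

# 2a. Answer A: switch the incoming trust from selective to forest-wide authentication.
#     Every authenticated Contoso user can then authenticate to any adatum.com computer
#     again, which is the pre-migration state the question describes.
netdom trust adatum.com /domain:contoso.com /SelectiveAuth:No

# 2b. Least-privilege alternative that keeps selective authentication: grant the
#     "Allowed to Authenticate" control access right on each migrated file server's
#     computer object to the Contoso group that needs the shares.
#     The OU path and the group name are assumptions made for this example.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate rights GUID
$contosoGroup = Get-ADGroup -Identity 'FileShareUsers' -Server 'contoso.com'

$fileServers = Get-ADComputer -Filter * -SearchBase 'OU=FileServers,DC=adatum,DC=com'
foreach ($server in $fileServers) {
    $path = "AD:\$($server.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # ExtendedRight + the rights GUID = the control access right, scoped to this computer object
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $contosoGroup.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted Allowed to Authenticate on $($server.Name) to $($contosoGroup.Name)"
}

# 3. Check from a Contoso user's session. Access denied before either change and a
#    successful listing after it show the trust, not the NTFS/share ACLs, was the blocker.
Test-Path '\\FS01.adatum.com\Share'   # constructed share path for this example
```

Use 2a or 2b, not both: 2a restores the default forest-wide behaviour for the whole trust, while 2b keeps the per-computer authentication firewall and opens only the ten file servers to one Contoso group, which is the option to prefer when selective authentication was enabled deliberately.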

Sami

It's gotta be A. When you disable selective authentication on the existing forest trust, you automatically enable forest-wide authentication over the forest trust. This is the default setting for a forest trust.

SID History filtering is useful if you migrate users from one domain to another.

ikke

user –> Disable SID filtering on the existing forest trust.
file –> Disable selective authentication on the existing forest trust.

Alexandre Ferreira

SID filtering will prevent migrated users from accessing the resources with their OLD SID (SID history).
Permissions on Contoso still REMEMBER the OLD SIDs only.
So you need to disable SID filtering.

mslover

You would be right, except that it is stated that the "Authenticated Users" group is used to provide permissions (who would do that on a real network!). As someone said above, this is a well-known SID. It will be the same on both sides of the trust.

This removes B as a possibility, so it has to be A.

mslover

Actually, I don't think it even has anything to do with the "Authenticated Users" group now I think about it, as SID history only applies to MIGRATED accounts.

The user accounts are NOT migrated; the server is migrated to ADATUM. The ACLs on disk would still have the CONTOSO SIDs, so SID history will have no effect in this situation.

derHedomat

The file servers will have a new computer object in the second forest, and so a new SID. The users have the same SID as before, so disabling SID filtering can't be the goal.
You have to change the "logon to" permissions on the new computer objects, or disable selective authentication!

testing king

Let's get some term definitions.
Selective authentication on a two-way forest trust means that users from contoso can access some resources on adatum and users from adatum can access some resources on contoso.
You move a file server from contoso to adatum, so you need to enable SID history = disable SID filtering on the trusting forest, which leaves us with two options, B and C.
The key to determining which option it is, is the 2 WAY FOREST TRUST.
To disable SID history on a trusting domain, use netdom with /quarantine.
To disable SID history on a trusting forest, use netdom with /enablesidhistory.
We have a trusting forest here because we have a two-way forest trust, so the answer is B.

https://technet.microsoft.com/en-us/library/cc794801%28v=ws.10%29.aspx

testing king

Never mind, the answer is A because we are migrating files, not users; I didn't read that the first time around.

toni

One comment: the question is "you need to ensure that the Contoso users can access the shared folders". So… only one answer can get it.
Do you get it by disabling selective authentication? Yes, of course.
Do you get it by disabling SID filtering? No, because the previous answer is yes.
There cannot be two valid answers.
So, I think it must be A.