You need to ensure that the migrated users can access the resources in contoso.com

Your network contains two Active Directory forests named contoso.com and adatum.com.
Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com.
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the
forest trust.
Several user accounts are migrated from child.adatum.com to adatum.com.
Users report that after the migration, they fail to access resources in contoso.com. The users
successfully accessed the resources in contoso.com before the accounts were migrated.
You need to ensure that the migrated users can access the resources in contoso.com.
What should you do?

A. Replace the existing forest trust with an external trust.

B. Run netdom and specify the /quarantine attribute.

C. Disable SID filtering on the existing forest trust.

D. Disable selective authentication on the existing forest trust.

Explanation:
Security Considerations for Trusts
The migrated users need to gain access to the resources in contoso.com.
Disabling SID Filter Quarantining on External Trusts
Although it reduces the security of your forest (and is therefore not recommended), you can disable
SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider
disabling SID filter quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want
to grant them access to resources in the trusting domain based on the SID history attribute.

Etc.
Incorrect:
Not B. Netdom enables administrators to manage Active Directory domains and trust relationships from the
command prompt; /quarantine sets or clears the domain quarantine.
Not D. Selective authentication over a forest trust restricts access to only those users in a trusted
forest who have been explicitly given authentication permissions to computer objects (resource
computers) that reside in the trusting forest.

Security Considerations for Trusts
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx



tmkreddy55

C
Disable SID filtering on the existing forest trust.

ref- https://technet.microsoft.com/en-us/library/cc794801(v=ws.10).aspx

Disable SID filter Quarantining

You should consider disabling SID filter quarantining in the following situations:

You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.

You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.

Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain (the former domain of the migrated users) based on the sIDHistory attribute.

kurt

Several user accounts are migrated to adatum. These users have SIDs that are the same as those in Contoso used by privileged accounts. These users in adatum have admin access in contoso. SID filtering blocks users in adatum from being able to grant themselves elevated user access in contoso by discarding all SIDs that don't have the domain SID of the contoso