You need to ensure that the Contoso users can access the shared folders on the file servers

Your network contains two Active Directory forests named contoso.com and adatum.com. Each
forest contains one domain. Contoso.com has a two-way forest trust to adatum.com. Selective
authentication is enabled on the forest trust.
Contoso contains 10 servers that have the File Server role service installed. Users successfully access
shared folders on the file servers by using permissions granted to the Authenticated Users group.
You migrate the file servers to adatum.com.
Contoso users report that after the migration, they are unable to access shared folders on the file
servers.
You need to ensure that the Contoso users can access the shared folders on the file servers.
What should you do?

A. Disable selective authentication on the existing forest trust.

B. Disable SID filtering on the existing forest trust.

C. Run netdom and specify the /quarantine attribute.

D. Replace the existing forest trust with an external trust.

Explanation:
Although it is not recommended, you can use this procedure to disable security identifier (SID) filter
quarantining for an external trust with the Netdom.exe tool. You should consider disabling SID filter
quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want
to grant those users access to resources in the trusting domain (the former domain of the migrated
users) based on the sIDHistory attribute.
Etc.

Disabling SID filter quarantining
http://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx





MCSA

A is correct.

ChaserZX

It’s a tough choice between A and B, but I think I’ll go with A.

nsdthinktank

I think B, based on this technet article : https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

And the key point being, access for contoso users before migration was based on the Authenticated users group. So see following quote from article;

“If the universal group in the trusted forest was not created in the trusted domain, even though it might contain users from the trusted domain as members, authentication requests made by members of that universal group will be filtered and discarded. Therefore, before assigning access to resources in the trusting domain for users in the trusted domain, you should confirm that the universal group containing the trusted domain users was created in the trusted domain.”

Gustello

A is correct.

Why?
Because in this scenario SIDHistory is not used!

The file servers are migrated, not the users. That’s the 1. key point.
The 2. key point is that Selective Authentication is activated.
So Authenticated Users from the other forest are not allowed to authenticate at the file servers. In real life you would allow them at Computer AD Object of the file server, but that’s not an option in the answers. So only disabling it would work here.

mist74

B in my opinion. Servers were migrated not users. Shares on migrated servers are now in domain adatum.com. Credentials of users from contoso.com to be usable in adatum.com must pass forest trust, but here is the selective authentication enabled.

mist74

A of course, not B.

hmm

A server was migrated, e.g., PC1.contoso.com -> PC1.adatum.com; you need to explicitly allow the user to authenticate to the pc1.adatum.com or disable the selective authentication.

kurt

Agreed. A it is for exactly the reasons that Hmmm stated

kurt

A. Servers were migrated, not users. Shares on migrated servers are now in domain adatum.com. Credentials of users from contoso.com to be usable in adatum.com must pass forest trust, but selective authentication is enabled. Selective authentication denies access to all users from contoso.com. You have to go and explicitly allow the users to authenticate to the adatum.com or disable selective authentication.
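
The alternative several comments above mention, leaving selective authentication enabled and granting "Allowed to Authenticate" on each migrated file server's computer object, is sketched here as an added example that is not part of the original page or of any comment. The server names (FS01, FS02), the group CONTOSO\Domain Users, and the two function names are assumptions made for illustration.

```powershell
# Added example, not from the page. Assumed names: FS01/FS02, CONTOSO\Domain Users.
# Run in adatum.com with the RSAT ActiveDirectory module and rights to edit the ACLs.
Import-Module ActiveDirectory

# rightsGuid of the "Allowed to Authenticate" control access right
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Show how the trust is configured before changing anything.
function Get-TrustAuthSettings {
    param([string]$TrustName)
    Get-ADTrust -Filter "Name -eq '$TrustName'" |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                      SIDFilteringForestAware, SIDFilteringQuarantined
}

# Grant the right on specific computer objects only, then read the ACE back.
function Grant-AllowedToAuthenticate {
    param([string[]]$ComputerName, [string]$Domain, [string]$Group)

    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight),
        ([System.Security.AccessControl.AccessControlType]::Allow),
        $AllowedToAuth

    foreach ($name in $ComputerName) {
        $path = 'AD:\' + (Get-ADComputer -Identity $name).DistinguishedName
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl

        # Verification: list every principal that now holds the right on this server.
        (Get-Acl -Path $path).Access |
            Where-Object { $_.ObjectType -eq $AllowedToAuth } |
            Select-Object @{n='Computer';e={$name}}, IdentityReference, AccessControlType
    }
}

Get-TrustAuthSettings -TrustName 'contoso.com'
Grant-AllowedToAuthenticate -ComputerName 'FS01','FS02' -Domain 'CONTOSO' -Group 'Domain Users'
```

The trust itself is left unchanged: `SelectiveAuthentication` stays `True`, and only the listed computer objects accept authentication from the named group.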