What should you include in the recommendation?

Your company, which is named Contoso, Ltd., has a main office and two branch offices. The
main office is located in North America. The branch offices are located in Asia and Europe.
You plan to design an Active Directory forest and domain infrastructure.
You need to recommend an Active Directory design to meet the following requirements:
The contact information of all the users in the Europe office must not be visible to the users
in the other offices.
The administrators in each office must be able to control the user settings and the computer
settings of the users in their respective office.
The solution must use the least amount of administrative effort.
What should you include in the recommendation?

Your company, which is named Contoso, Ltd., has a main office and two branch offices. The
main office is located in North America. The branch offices are located in Asia and Europe.
You plan to design an Active Directory forest and domain infrastructure.
You need to recommend an Active Directory design to meet the following requirements:
The contact information of all the users in the Europe office must not be visible to the users
in the other offices.
The administrators in each office must be able to control the user settings and the computer
settings of the users in their respective office.
The solution must use the least amount of administrative effort.
What should you include in the recommendation?

A.
One forest that contains three domains

B.
Three forests that each contain one domain

C.
Two forests that each contain one domain

D.
One forest that contains one domain

Explanation:
http://www.informit.com/articles/article.aspx?p=32080&seqNum=5

Show Hint

Leave a Reply 6

Your email address will not be published. Required fields are marked *

PPGrillo

PPGrillo

That’s wrong. A is the answer: 1 forest 3 domains.
Even when most of the tasks can be done with Delegation, the domain isolation is the best option and recommended.

Reply

Emo

Emo

See again requirements – “The solution must use less administrative effort”. One forest and one domain it the right answer.

Reply

Ranger

Ranger

@Emo: but if you have one forest the default behaviour is having a trust among the domains in the forest, so you can see users information of all the domains. For me the right answer is the B.

Reply

Tech1

Tech1

If you create 3 forests then surely that is not achieving the task with the least administrative effort.

One forest with one domain would just require you to then restrict access to the contact information for the Europe Office so you would edit the permissions for the container that those users are stored in.

I’d go with D.

Reply

jimilives

jimilives

D: is correct.

This article explains the models: http://windowsitpro.com/active-directory/hiding-data-active-directory

This particular picture in the article gives a good representation of what attributes you can hide simply by changing permissions.
http://windowsitpro.com/site-files/windowsitpro.com/files/archive/windowsitpro.com/content/content/142135/grillenmeier_win2523_fig2-lg.jpg

A single OU with Delegation and Permissions changed to Deny outside groups from seeing attributes is the design with the least administrative effort. In the real world, a Single Forest and Single Domain is used most of the time. You can control everything by OU boundaries.

Reply

James L

James L

Agree with jimilives, Emo and Tech1
I Forest 1 Domain. Make the attribute confidential and then apply ACL

Reply