Your company, which is named Contoso, Ltd., has a main office and two branch offices. The
main office is located in North America. The branch offices are located in Asia and Europe.
You plan to design an Active Directory forest and domain infrastructure.
You need to recommend an Active Directory design to meet the following requirements:
The contact information of all the users in the Europe office must not be visible to the users
in the other offices.
The administrators in each office must be able to control the user settings and the computer
settings of the users in their respective office.
The solution must use the least amount of administrative effort.
What should you include in the recommendation?
A.
One forest that contains three domains
B.
Three forests that each contain one domain
C.
Two forests that each contain one domain
D.
One forest that contains one domain
Explanation:
http://www.informit.com/articles/article.aspx?p=32080&seqNum=5
I believe this should be A.
One forest and three domains.
Otherwise ‘all users’ priveleges would give everyone rights to see contact information of all regions.
Correct D: I Forest 1 Domain. Make the attribute confidential and then apply ACL
I agree with Sjoerd that 1 forest and 1 domain is enough. But I do not agree with his reasoning. Contact information, a bit vague i.m.h.o., consists of many so called base-schema or category 1 attributes which can’t be made confidential.
But it is possible to change security on European users so that certain attributes cannot be read by others.
http://windowsitpro.com/active-directory/hiding-data-active-directory
It also says that it must minimize administrative effort. D.