Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.
To which group should you add the users?
A.
Group 1: Security Group – Domain Local.
B.
Group 2: Distribution Group – Domain Local.
C.
Group 3: Security Group – Global.
D.
Group 4: Distribution Group – Global.
E.
Group 5: Security Group – Universal.
F.
Group 6: Distribution Group – Univeral.
Explanation:
I think A is wrong here. You would need to use Universal groups to assign users across forests.Domain local groups Groups that are used to grant permissions within a single domain. Members of domain local groups can include only accounts (both user and computer accounts) and groups from the domain in which they are defined.
Global groups Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
Universal groups Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.
Security groups Groups that can have security descriptors associated with them. You define security groups in domains using Active Directory Users And Computers.
Distribution groups Groups that are used as e-mail distribution lists. They can’t have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.
http://technet.microsoft.com/en-us/library/bb726978.aspx
To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.
http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx
The explanation lists an article in technet based on server 2000, where universal groups did not have security scopes only distribution groups. Definition of a DL group in server 2008: http://technet.microsoft.com/en-us/library/cc733001.aspx
However this does not reference anything about cross-forest membership. There doesn’t seem to be a server 2008 equivalent to the article in the above comment but I would think the same should apply to Server 2008, so that you can add a group from another forest to the DL group with permissions to the shared folders in contoso.com.
The Question
“You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.”
If you are going to grant access to a share or ntfs permission on the Contoso file server. You cannot add a domain local or global group from another forest. You would only be able to assign a universal group.
ryt answear pls
Mahlatse,
You wrote three words and misspelled all of them. Learn to spell, learn to study, learn to research, and then decide which answer is correct.
THANKS DSR
Exam D, Q 26
Answer should be D and not B.
The [ServerName] “Specifies the DNS server the administrator plans to manage…”
Should be DC3 and not DC1 with the /forest switch
distribution cannot be assigned permission to users. so only the security would work, but just confused about the C and E, to assign permission across the forest, it has global and universal, why not choose global group, I mean C instead of E? would anyone explain that? thanks