Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. Your company and an external partner plan to collaborate on a project. The external
partner has an Active Directory domain that contains Windows Server 2008 R2 domain controllers.
You need to design a collaboration solution that meets the following requirements:
• Allows users to prevent sensitive documents from being forwarded to untrusted recipients or from being printed.
• Allows users in the external partner organization to access the protected content to which they have been granted rights.
• Sends all interorganizational traffic over port 443.
• Minimizes the administrative effort required to manage the external users.
What should you include in your design?
A. Establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has Microsoft SharePoint Foundation 2010 installed.
B. Establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that runs Microsoft SharePoint 2010 and that has the Active Directory Rights Management Services (AD RMS) role installed.
C. Establish an external forest trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed. Implement Encrypting File System (EFS).
D. Establish an external forest trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has the Active Directory Rights Management Service (AD RMS) role installed and Microsoft SharePoint Foundation 2010 installed.
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Active Directory Federation Services
You can create forest trusts between two or more Windows Server 2008 forests (or Windows Server 2008 and Windows Server 2003 forests). This provides cross-forest access to resources that are located in disparate business units or organizations. However, forest trusts are sometimes not the best option, such as when access across organizations needs to be limited to a small subset of individuals. Active Directory Federation Services (AD FS) enables organizations to allow limited access to their infrastructure to trusted partners. AD FS acts like a cross-forest trust that operates over the Internet and extends the trust relationship to Web applications (a federated trust). It provides Web single-sign-on (SSO) technologies that can authenticate a user over the life of a single online session. AD FS securely shares digital identity and entitlement rights (known as claims) across security and enterprise boundaries.
Windows Server 2003 R2 introduced AD FS and Windows Server 2008 expands it. New AD FS
features introduced in Windows Server 2008 include the following:
■ Improved application support: Windows Server 2008 integrates AD FS with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).
■ Improved installation: AD FS is implemented in Windows Server 2008 as a server role. The installation wizard includes new server validation checks.
■ Improved trust policy: Improvements to the trust policy import and export functionality help to minimize configuration issues that are commonly associated with establishing federated trusts.
AD FS extends SSO functionality to Internet-facing applications. Partners experience the same streamlined SSO user experience when they access the organization’s Web-based applications as they would when accessing resources through a forest trust. Federation servers can be deployed to facilitate business-to-business (B2B) federated transactions.
AD FS provides a federated identity management solution that interoperates with other security products by conforming to the Web Services Federation (WS-Federation) specification. This
specification makes it possible for environments that do not use Windows to federate with Windows
environments. It also provides an extensible architecture that supports the Security Assertion
Markup Language (SAML) 1.1 token type and Kerberos authentication. AD FS can perform claim
mapping—for example, modifying claims using business logic variables in an access request.
Organizations can modify AD FS to coexist with their current security infrastructure and business
policies.
Finally, AD FS supports distributed authentication and authorization over the Internet. You can
integrate it into an organization’s existing access management solution to translate the claims that
are used in the organization into claims that are agreed on as part of a federation. AD FS can create,
secure, and verify claims that move between organizations. It can also audit and monitor the
communication activity between organizations and departments to help ensure secure transactions.
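The claim mapping and claim translation the explanation describes can be seen in a small model of what a resource-side federation server does when a partner's token arrives: verify that the token's issuer is a configured federation partner, check the token's validity window, and translate only the claims the trust policy agrees on into the claims the protected application understands. The following is an added example written for this page; it is not AD FS code or its rule language, and the issuer URLs, attribute names and values are constructed placeholders. It parses a SAML 1.1-style assertion (the token type the text names) with the standard library and applies a simple rule table.

```python
"""Model of claim mapping at a federation boundary (added example, not AD FS code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace used by SAML 1.x assertions.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample token, shaped like what a partner's federation server
# might issue. Issuer URL, subject and group names are hypothetical.
PARTNER_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="https://fs.partner.example/adfs" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@partner.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>ProjectTeam</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@partner.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same token with an issuer that is not in the trust policy (constructed).
UNTRUSTED_ASSERTION = PARTNER_ASSERTION.replace("fs.partner.example", "fs.unknown.example")

# Instants used by the usage code and tests (constructed).
VALID_TIME = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
EXPIRED_TIME = datetime(2024, 1, 1, 14, 0, tzinfo=timezone.utc)

# Trust policy of the resource-side federation server: which partner issuers are
# accepted and how each incoming claim becomes an outgoing claim. Each rule is
# (in_type, in_value, out_type, out_value); in_value None matches any value and
# out_value None passes the incoming value through unchanged. Claims that match
# no rule are dropped, so only the agreed-on claims cross the boundary.
TRUST_POLICY = {
    "https://fs.partner.example/adfs": [
        ("Group", "ProjectTeam", "Group", "ExternalCollaborators"),
        ("EmailAddress", None, "EmailAddress", None),
    ],
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z (None passes through)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text, now):
    """Return (issuer, [(claim_type, value), ...]); reject tokens outside their validity window."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 1.x assertion")
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is not None:
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if (not_before and now < not_before) or (not_on_or_after and now >= not_on_or_after):
            raise ValueError("assertion outside its validity window")
    claims = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            claims.append((attr.get("AttributeName"), (val.text or "").strip()))
    return root.get("Issuer"), claims


def map_claims(issuer, claims, policy=TRUST_POLICY):
    """Translate partner claims into federation-agreed claims; unknown issuers are refused."""
    rules = policy.get(issuer)
    if rules is None:
        raise PermissionError("issuer is not a federation partner: %s" % issuer)
    outgoing = []
    for in_type, in_value, out_type, out_value in rules:
        for claim_type, claim_value in claims:
            if claim_type == in_type and (in_value is None or in_value == claim_value):
                outgoing.append((out_type, claim_value if out_value is None else out_value))
    return outgoing


def federate(xml_text, now):
    """Full path: parse and validate the partner token, then apply the trust policy."""
    issuer, claims = parse_assertion(xml_text, now)
    return map_claims(issuer, claims)


def accepted(xml_text, now):
    """True only if the token is timely and its issuer is a trusted partner."""
    try:
        federate(xml_text, now)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    print(federate(PARTNER_ASSERTION, VALID_TIME))
    print(accepted(PARTNER_ASSERTION, EXPIRED_TIME), accepted(UNTRUSTED_ASSERTION, VALID_TIME))
```

Note that the partner's "Contractors" group never reaches the application: it matches no rule, which is the limiting effect the text contrasts with a full forest trust. A real deployment also verifies the token's signature against the partner's certificate before any of this; that step is omitted here to keep the mapping logic in view.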