Your network consists of two Active Directory forests named Forest1 and Forest2. The functional
level of both forests is Windows Server 2003. Both forests contain only domain controllers that run
Windows Server 2008. You install a new server named Server1 in Forest2.
You need to recommend an access solution that meets the following requirements:
• Users in Forest1 must have access to resources on Server1.
• Users in Forest1 must be denied access to all other resources within Forest2.
What should you recommend?
A. Raise the forest functional level of Forest1 and Forest2 to Windows Server 2008.
B. Raise the domain functional level of all domains in both forests to Windows Server 2008.
C. Create a forest trust between Forest1 and Forest2. Set the Allowed to Authenticate right on the
computer object for Server1.
D. Create a forest trust between Forest1 and Forest2. Set the Allowed to Authenticate right on the
computer object for the Forest2 infrastructure operations master object.
Explanation:
To ensure that users in Forest1 are denied access to all resources in Forest2 except the
resources on Server1, you need to create a forest trust between Forest1 and Forest2 so that
resources can be shared between the two forests. You can, however, set the trust authentication
setting to selective authentication so that only selected authentication is allowed. Next, you need to
set the Allowed to Authenticate right on the computer object for Server1, so that each user must be
explicitly granted the Allowed to Authenticate permission to access resources on Server1.
You should not set the Allowed to Authenticate right on the computer object for the Forest2
infrastructure operations master object. For users in a trusted Windows Server 2003 domain or
forest to be able to access resources in a trusting Windows Server 2003 domain or forest where the
trust authentication setting has been set to selective authentication, each user must be explicitly
granted the 'Allowed to Authenticate' permission on the security descriptor of the computer objects
(resource computers) that reside in the trusting domain or forest.
Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
http://technet2.microsoft.com/windowsserver/en/library/b4d96434-0fde-4370-bd29-39e4b3cc7da81033.mspx?mfr=true