Your network consists of two Active Directory forests. The Active Directory forests are configured as
shown in the following table.
The servers in both forests run Windows Server 2008. A forest trust exists between the
fabrikam.com forest and the contoso.com forest. Fabrikam.com has a server named
server1.fabrikam.com. Contoso.com has a global group named ContosoSales. Users in the
ContosoSales global group access an application on server1.fabrikam.com. You discover that users
from other groups in the contoso.com domain can log on to servers in the fabrikam.com domain.
You need to implement an authentication solution to meet the following requirements:
Users in the ContosoSales global group must be able to access server1.fabrikam.com.
Users in the ContosoSales global group must be denied access to all other servers in the fabrikam.com forest.
All other users in the contoso.com domain must be able to access only resources in the contoso.com forest.
What should you do?
A.
Replace the existing forest trust with an external trust between the contoso.com domain and the
fabrikam.com domain. On the server1.fabrikam.com computer object, grant the Allowed to
Authenticate permission to the ContosoSales global group.
B.
Replace the existing forest trust with an external trust between the contoso.com domain and the
fabrikam.com domain. In the local security policy of server1.fabrikam.com, assign the Access this
computer from the network user right to the ContosoSales global group.
C.
Set the authentication scope of the existing forest trust in the fabrikam.com domain to Allow
authentication only for selected resources in the local domain. On the server1.fabrikam.com
computer object, grant the Allowed to Authenticate permission to the ContosoSales global group.
D.
Set the authentication scope of the existing forest trust in the fabrikam.com domain to Allow
authentication only for selected resources in the local domain. In the local security policy on
server1.fabrikam.com, assign the Access this computer from the network user right to the
ContosoSales global group.
Explanation:
To ensure that the users in the ContosoSales global group are allowed to access
server1.fabrikam.com, you need to assign the Access this computer from the network user right to the
ContosoSales global group in the local security policy of server1.fabrikam.com, which gives remote
users permission to connect to the remote computer. To ensure that ContosoSales global group users
are not allowed to access any other server in the fabrikam.com forest, you need to grant the
Allowed to Authenticate permission to the ContosoSales global group on the server1.fabrikam.com
computer object. The Allowed to Authenticate permission on an object allows you to set selective
authentication on an incoming external trust from the external domain. Authentication requests made
from one domain to another are successfully routed in order to provide a seamless coexistence of
resources across domains. Users can only gain access to resources in other domains after first
being authenticated in their own domain.
Network Problems – Should be simple right?
http://forums.pcworld.co.nz/archive/index.php/t-57658.html
Accessing resources across domains
http://technet2.microsoft.com/windowsserver/en/library/e36ceae6-ff36-4a1b-9895-75f0eacfe94c1033.mspx?mfr=true