How should you configure the group?

You are implementing Privileged Access Management (PAM) for an Active Directory forest named
contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in
adatum.com.
How should you configure the group? Choose Two.

A.
Group name: ADATUM$$$

B.
Group name: CONTOSO$$$

C.
Group name: CONTOSO_Adatum$

D.
Group name: MIM$

E.
Group type: a domain local distribution group

F.
Group type: a domain local security group

G.
Group type: a global distribution group

H.
Group type: a universal distribution group

I.
Group type: a universal security group

Explanation:
The production forest is contoso.com.
The bastion forest is adatum.com.
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
The requirement is a security group in the existing domain (contoso.com).
There must be a group in the existing domain whose name is the NetBIOS domain name followed by
three dollar signs, e.g., CONTOSO$$$.
The group scope must be domain local and the group type must be Security.
This group is needed so that groups can be created in the dedicated administrative forest (adatum.com) with the same
security identifier as groups in this domain (contoso.com).
Create the group with the following command:
New-ADGroup -Name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'
After this, MIM can create the "shadow group" in the bastion forest, adatum.com.
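
The check below is an added example, not part of the original explanation or of Microsoft's documentation. It verifies the name, scope and type requirements described above before MIM relies on the group, and creates the group only if it is missing. The function name Confirm-PamShadowGroupPrereq is hypothetical, and the script assumes the ActiveDirectory RSAT module and rights to create groups in the domain.

```powershell
# Added example: assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Confirm-PamShadowGroupPrereq {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DNS name of the existing (production) domain; contoso.com is the page's example.
        [string]$Domain = 'contoso.com'
    )

    # Build the name from the domain's NetBIOS name plus three literal dollar signs.
    # Single quotes keep PowerShell from treating '$$' as an automatic variable.
    $netbios = (Get-ADDomain -Server $Domain).NetBIOSName
    $name    = $netbios + '$$$'

    # An LDAP filter avoids any variable parsing of '$' by the -Filter syntax.
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -Server $Domain

    if (-not $group) {
        if ($PSCmdlet.ShouldProcess($name, 'Create domain local security group')) {
            $group = New-ADGroup -Name $name -SamAccountName $name `
                -GroupCategory Security -GroupScope DomainLocal `
                -Server $Domain -PassThru
        }
        return $group
    }

    # A group with the right name but the wrong scope or type does not meet the requirement.
    if ($group.GroupScope -ne 'DomainLocal' -or $group.GroupCategory -ne 'Security') {
        throw "$name exists but is $($group.GroupScope)/$($group.GroupCategory); expected DomainLocal/Security."
    }
    return $group
}

# -WhatIf reports what would be created without changing the directory.
Confirm-PamShadowGroupPrereq -Domain 'contoso.com' -WhatIf
```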


