CORRECTED (Previously A)

Your network contains two Active Directory forests named contoso.com and
adatum.com. Each forest contains one domain. Contoso.com has a two-way forest trust to adatum.com.
Selective authentication is enabled on the forest trust.
Contoso contains 10 servers that have the File Server role service installed. Users successfully access shared
folders on the file servers by using permissions granted to the Authenticated Users group.
You migrate the file servers to adatum.com.
Contoso users report that after the migration, they are unable to access shared folders on the file servers.
You need to ensure that the Contoso users can access the shared folders on the file servers.
What should you do?

A. Disable selective authentication on the existing forest trust.

B. Disable SID filtering on the existing forest trust.

C. Run netdom and specify the /quarantine attribute.

D. Replace the existing forest trust with an external trust.

Explanation:



pikapoka

After lots of reading (including pros & cons from previous versions) I’m going with answer A – Disable selective authentication on the existing forest trust.

https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
part: Processing authentication requests made over forest trusts with selective authentication enabled
&
Part: Impact of Selective Authentication
“Because all verification of incoming interforest authentication requests is done locally on the receiving domain controller in the trusting forest, access to resources in the trusting forest is likely to be extremely limited for a broad set of users on the network (which is the purpose of this security setting). Consequently, implementing selective authentication might require user education, particularly due to the following reasons:
Users browsing network resources through My Network Places to resources located in a trusting forest might get access denied messages when attempting to access those resources.

Resources in the trusting forest that were once available to users in a trusted forest might no longer be available.

Note
As a security best practice it is recommended that resource administrators in a trusting forest remove the default access rights granted to the Authenticated Users group in all of the shared resources in the trusting forest. This practice will help to further minimize the possibility of authenticated users inside and outside of a forest from accessing protected resources.”

bob

I agree. If the users were migrated, it would be B and SID filtering would need to be disabled. But because the file servers were migrated, they need to have selective authentication disabled.

dunderhead

PikaPoka quotes the same article I found. Since there is no discussion in the technet article about:
– the migration of server resources
and there is no option in the question addressing:
– the reference about security practices and “authenticated users” group
I concur with pikapoka and bob (below) that the SID Filtering response is least likely.

I will choose to disable selective authentication.

justbecause

I also like A as the correct answer for a server move.

Chris

Answer: A

A better answer that is not listed is to modify the server object properties in adatum to add the authentication permission for contoso users.
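The least-privilege alternative Chris describes above, and the "Allowed to Authenticate" permission that the question's scenario turns on, as an added PowerShell example that is not part of the original thread or of any Microsoft documentation: rather than disabling selective authentication on the trust, it grants a Contoso group the Allowed-To-Authenticate control access right on each migrated file server's computer object in adatum.com, then re-reads the ACL to confirm the entry is present. It assumes it is run on an adatum.com machine with the RSAT ActiveDirectory module as an administrator who can also read contoso.com; the server names (FS01, FS02) and the group name (File Share Users) are assumptions. The GUID is the well-known rightsGuid of the Allowed-To-Authenticate extended right.

```powershell
# Added example (not from the thread): keep selective authentication enabled on the
# adatum.com side of the trust and grant Contoso users the "Allowed to Authenticate"
# right on the migrated file servers' computer objects instead.
Import-Module ActiveDirectory

$trustedForest  = 'contoso.com'      # forest whose users need access
$resourceForest = 'adatum.com'       # forest that now holds the file servers
$fileServers    = 'FS01', 'FS02'     # assumed names of the migrated file servers
$contosoGroup   = 'File Share Users' # assumed group in contoso.com that should get access

# Well-known rightsGuid of the Allowed-To-Authenticate control access right
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Confirm the trust to contoso.com really has selective authentication enabled;
#    if it does not, Authenticated Users already covers the Contoso users and
#    nothing here is needed.
$trust = Get-ADTrust -Filter "Name -eq '$trustedForest'" -Server $resourceForest
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Selective authentication is not enabled on the trust to $trustedForest."
    return
}

# 2. Resolve the Contoso group to its SID by asking its own forest, so the ACE is
#    written against the SID rather than a display name.
$group     = Get-ADGroup -Identity $contosoGroup -Server $trustedForest
$principal = [System.Security.Principal.SecurityIdentifier]$group.SID

foreach ($name in $fileServers) {
    $computer = Get-ADComputer -Identity $name -Server $resourceForest
    $path     = "AD:\$($computer.DistinguishedName)"

    # 3. Add an Allow ACE for the extended right identified by the GUID above.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $principal,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # 4. Re-read the ACL and show every Allowed-To-Authenticate entry on the object,
    #    which is the check to run before telling users the shares work again.
    $granted = (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
        Select-Object IdentityReference, AccessControlType
    Write-Host "$name : Allowed to Authenticate entries"
    $granted | Format-Table -AutoSize
}
```

Only the trusting (resource) forest's side of the trust is consulted, because that is where incoming Contoso authentication is evaluated when selective authentication is on; the share and NTFS permissions on the servers themselves are unchanged by this script. If you also want to go further than the question and follow the TechNet note pikapoka quotes, the Authenticated Users grants on the shares would be replaced with explicit group grants in a separate step.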