How should you configure the existing forest trust sett…

Your network contains three Active Directory forests. The forests are configured as shown in the following table.

A two-way forest trust exists between contoso.com and divisionl.contoso.com. A two-way forest trust also exists
between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from divisionl.contoso.com to division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the
appropriate forest after the trust is created.
How should you configure the existing forest trust settings? In the table below, identify which configuration must
be performed in each forest. Make only one selection in each column. Each correct selection is worth one point.
Hot Area:

Your network contains three Active Directory forests. The forests are configured as shown in the following table.

A two-way forest trust exists between contoso.com and divisionl.contoso.com. A two-way forest trust also exists
between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from divisionl.contoso.com to division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the
appropriate forest after the trust is created.
How should you configure the existing forest trust settings? In the table below, identify which configuration must
be performed in each forest. Make only one selection in each column. Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

There will be a one-way forest trust from division1.contoso.com to division2.contoso.com
Division1 trusts Division2. Division2 must be able to access resources in Division1.
Division1 should not be able to access resources in Division2.



Leave a Reply 8

Your email address will not be published. Required fields are marked *


dsa

dsa

don’t believe its correct.
on Division 2, add Division 1 as exclusion.

and vise versa.

dunderhead

dunderhead

This is actually a very ambiguous and poorly written question. I have a real problem with the word “exclusion” when the administration of name suffix routing in Domains and Trusts is done by “enable” and “disable”.

I think the knowledge objective is to ensure the proper trust path is used when trying to validate users in a trusted domain. The 1-way trust is essentially “shortcutting” the user validation path from division1 to division2. This scenario says nothing about preventing validation of division1 users to resources in division2.

So, the appropriate selections would be:
On Division1, add a name routing entry for Division2
Also On Division1, create an exclusion entry for Division2 on the contoso.com trust.

Additional notes:
Adding Division2 across the new 1-way trust – which, by the way, should already be created as part of creating the 1-way trust.
If the scenario were to mention preventing user validation (disabling name suffix routing) from Division2 to Division1, then, instead of adding Division2 across the trust on Division1, select on Division2, add an exclusion for Division1 across contoso.com.

dunderhead

dunderhead

further review of the words in the question “configure the existing forest trusts”, the provided answer is the most logical response. Division2 would need to know Division1 exists across the trust with contoso and Division1 would need to exclude Division2 from its existing trust with contoso. Once the new trust is created, division2 would be named on that trust. Dang me for reading too much into a simple question… In my defense, nothing with Microsoft is ever simple.

Chris

Chris

The question is valid, as is the answer provided.
See below link (not posting for some reason when I put the text from the 2nd paragraph in here):
https://technet.microsoft.com/en-us/library/cc816626%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Chris

Chris

Side note, this is a setting for Forest trusts not domain trusts.
Active Directory Domains and Trusts\Properties of Domain\Trust Tab\Properties of Trust\Name Suffix Routing Tab. Select the Forest that has the common name (in this case contoso.com), click Edit, Add the suffixes that will not be forwarded to this forest (in this case Division1.contoso.com or Division2.contoso.com).

Chris

Chris

As a side note the wording on this question really does suck, but the answer is still correct.
“Add division1.contoso.com as a name suffix routing entry” is just another way of saying setting up a trust from Division1 to Division2.

Chris

Chris

Disregard this, the correct answer is:
o x
x o
o x
x o