In the last post I summarized the content underlying domain 2, section 2 (“Configure trusts”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.
You are the Active Directory architect for a two-forest enterprise whose logical topology is shown in the following diagram:
Active Directory – Logical topology
Your IT security team determined that due to the sensitivity of their project work, users in the lab domain should not be allowed to access resources in the 4SysopsA.com forest.
Which of the following actions should you undertake in order to accomplish your goal?
A. Redefine the forest trust as an external trust.
B. Redefine the forest trust to use selective authentication.
C. Remove the SID History attribute(s) from users in the lab.4SysopsB.com domain.
D. Create a shortcut trust between the lab and corpA domains.
The correct answer, explanation, and analysis
The correct answer is B. By default, a forest trust uses forest-wide authentication, which lets any user in the trusted forest authenticate to any computer in the trusting forest (and, for a two-way trust, the reverse as well). That is acceptable when a single organization administers both forests and is prepared to trust all of their users equally.
However, there are cases in which administrators need to be more selective in terms of which user accounts are allowed to cross a trust. This is where the selective authentication feature of Active Directory Domain Services (AD DS) trust relationships becomes relevant.
Enabling selective authentication is a two-step process. First, we enable the feature on the trust itself: in Active Directory Domains and Trusts, open the properties of the forest trust, switch to the Authentication tab, and select Selective authentication. The relevant dialog box is shown in the following screenshot.
Enabling selective authentication
NOTE: We can also choose the authentication level (forest-wide or selective) while the trust is being created, on the authentication level page of the New Trust Wizard.

Second, we grant the Allowed to Authenticate permission on the computer objects in the trusting forest (here, the resource servers in 4SysopsA.com) to the users or groups from the trusted forest that should be able to reach them. Once selective authentication is on, a trusted-forest user who does not hold this permission on a computer object is refused authentication to that computer, so withholding it from the users of lab.4SysopsB.com achieves the question's goal while the remaining domains keep using the forest trust unchanged.
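The two steps above, carried out from the command line on the 4SysopsA.com side, as an added example that is not part of the original post. It assumes 4SysopsA.com is the trusting (resource) forest and 4SysopsB.com the trusted forest, that a group named "CorpB Resource Users" in 4SysopsB.com holds every user who should reach forest A resources except the lab users, and that FS01 is a file server in 4SysopsA.com; the group and server names are assumptions.

```powershell
# Added example, not the original post's code. Assumes 4SysopsA.com is the
# trusting (resource) forest, 4SysopsB.com the trusted forest, and that the
# group "CorpB Resource Users" (hypothetical) in 4SysopsB.com contains everyone
# who should reach forest A resources except the lab users; the server name
# FS01 is likewise hypothetical. Run from an elevated PowerShell session on a
# domain controller in 4SysopsA.com with Enterprise Admin rights.

Import-Module ActiveDirectory

$trustingForest = '4SysopsA.com'
$trustedForest  = '4SysopsB.com'
$allowedGroup   = 'CorpB Resource Users'   # hypothetical group in 4SysopsB.com
$resourceServer = 'FS01'                   # hypothetical file server in 4SysopsA.com

# --- Step 1: switch the trust from forest-wide to selective authentication ---
# netdom sets the flag on the trusting domain's side of the trust; this is the
# command-line equivalent of the Authentication tab in AD Domains and Trusts.
netdom trust $trustingForest /domain:$trustedForest /SelectiveAuth:Yes

# Verify the change on the trust object: SelectiveAuthentication must read True.
Get-ADTrust -Filter "Name -eq '$trustedForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# --- Step 2: grant Allowed to Authenticate on the resource computer object ---
# With selective authentication on, a trusted-forest user who lacks this
# control access right on a computer object is refused authentication to that
# computer. Lab users are simply never granted it.

# SID of the group in the trusted forest, resolved across the trust.
$groupSid = (Get-ADGroup -Identity $allowedGroup -Server $trustedForest).SID

# Look up the rightsGuid of the Allowed-To-Authenticate control access right in
# the configuration partition instead of hardcoding the GUID.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid

# Build an Allow ACE for that extended right and add it to the computer's ACL.
$computerDn = (Get-ADComputer -Identity $resourceServer).DistinguishedName
$acl = Get-Acl -Path "AD:\$computerDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# Verify: list every principal that now holds Allowed to Authenticate on FS01.
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Because the permission is evaluated per computer object, nothing in forest A is reachable from forest B until it is granted; a lab user who is not a member of the allowed group is refused at authentication time even if an NTFS or share ACL on FS01 would otherwise admit them. For more than a handful of servers, apply the same ACE to an OU with inheritance to computer objects rather than to each computer individually.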
The distractor choices in this practice item can be ruled out easily if you have a good grasp of (a) the different types of trust relationships that are available; and (b) when to apply each one. For instance, we can rule out choice A because external trusts are nontransitive: an external trust links only the two domains named in it, so replacing the forest trust with one would cut off every other pair of domains as well. In this scenario we do indeed want the remaining domains to keep accessing each other across the forest trust relationship; only the lab domain has the special security concern.
Choice C is a red herring that assumes you do not know what SID history is. The sIDHistory attribute holds the former SIDs of accounts that have been migrated from another domain, so that they keep access to resources granted to those old SIDs; it plays no role in the item's scenario, and the related control (SID filtering) is already enabled on forest trusts by default. Finally, we can dismiss choice D because shortcut trusts exist only between domains in the same forest and serve to shorten the Kerberos referral path between non-adjacent domains; lab and corpA sit in different forests, and in any case a shortcut trust does not filter access across a forest trust relationship.
I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how Active Directory trust relationships work, then see the companion piece that I wrote for 4sysops.com. You are also free to leave your questions, comments, and concerns in the comments portion of this post. In my next post in this series I will cover the Configuring Sites subobjective.