In the last post I summarized the content underlying domain 2, section 2 (“Configure trusts”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.

You are the Active Directory architect for a two-forest enterprise whose logical topology is shown in the following diagram:

Active Directory Truts - Topology sample

Active Directory - Logical topology

Your IT security team determined that due to the sensitivity of their project work, users in the lab domain should not be allowed to access resources in the forest.

Which of the following actions should you undertake in order to accomplish your goal?

A. Redefine the forest trust as an external trust.

B. Redefine the forest trust to use selective authentication.

C. Remove the SID History attribute(s) from users in the domain.

D. Create a shortcut trust between the lab and corpA domains.

The Correct answer, explanation, and analysis ^

The correct answer is B. By default, forest trusts use forest-wide authentication, which enables users to authenticate to any domain on either side of the trust relationship. This works fine when both forests are owned by the same people.

However, there are cases in which administrators need to be more selective in terms of which user accounts are allowed to cross a trust. This is where the selective authentication feature of Active Directory Domain Services (AD DS) trust relationships becomes relevant.

Enabling selective authentication is a two-step process. First, we must enable the feature by examining the properties of the trust relationship. The relevant dialog box here is shown in the following screenshot.

Active Directory Trusts- Enabling selective authentication

Enabling selective authentication

NOTE: We can also specify the authentication security type during trust creation in the New Trust wizard.

The distractor choices in this practice item can be ruled out easily if you have a good grasp of (a) the different types of trust relationships that are available; and (b) when to apply each one. For instance, we can rule out choice A because external trusts are intransitive. In this scenario we do indeed want all involved domains to access each other across the forest trust relationship. Only the lab domain has the special security concern.

Choice C is a red herring that assumes that you have no idea what SID history is. The fact that Active Directory stores the SIDs of user accounts that have been migrated to a new domain is not in the least bit relevant to the item’s scenario. Finally, we can dismiss choice D because shortcut trusts are used to reduce logon times between non-adjacent domains, not to selectively filter access across a forest trust relationship.

Conclusion ^

I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how Active Directory trust relationships work, then see the companion piece that I wrote for You are also free to leave your questions, comments, and concerns in the comments portion of this post. In my next post in this series I will cover the Configuring Sites subobjective.


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account