Configure Forest Trust Authentication - Exam AZ-800: Administering Windows Server Hybrid Core Infrastructure | Microsoft

Configure Forest Trust Authentication

Question

Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.

A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains.

You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com.

What should you do first?

Answers

Explanations


C

Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. This authentication setting must be manually enabled.

Note: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.

Incorrect:

Not B: When SID Filtering is enabled, all the foreign SIDs will be removed (quarantined) from the user's access token while accessing any resource through a forest trust. The most common impact of this is that a migrated user account which is still accessing a resource using its old SID will not be able to access that resource anymore. This is because when SID Filtering is enabled, it will block (filter) SID History through a forest trust.

When we create a forest Trust, SID Filtering is enabled by default. In some cases, we need to disable SID Filtering.

Not D: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.

If a one-way forest trust is created, where Forest A is the trusting domain and Forest B is the trusted domain, then Forest B can access resources within Forest A; however, Forest A cannot access resources within Forest B.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)

The correct answer is C. Enable Selective authentication for the trust.

Explanation: To restrict authentication to a specific group from another forest, you can use Selective Authentication. When Selective Authentication is enabled, the forest trust is still two-way, but only members of the specified group can access resources in the trusting forest.

Option A is incorrect because adding a group to the local Users group on a server will not restrict authentication to that group only.

Option B is incorrect because SID filtering removes SIDs that are not from the trusted forest, which would not restrict authentication to a specific group.

Option D is incorrect because changing the trust to a one-way external trust would allow authentication only in one direction, which would not meet the requirement of restricting authentication to a specific group.

Therefore, the correct answer is to enable Selective Authentication for the trust, which can be done through Active Directory Domains and Trusts by following these steps:

  1. Open Active Directory Domains and Trusts.
  2. Right-click the forest root domain and select Properties.
  3. Select the Trusts tab and click the Edit button.
  4. Select the forest trust you want to modify and click the Properties button.
  5. Select the Authentication tab and click the Selective Authentication button.
  6. Add the group that should be allowed to authenticate to the trusted forest.

After enabling Selective Authentication, only members of the specified group will be able to authenticate to server1.contoso.com.
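The same configuration scripted with PowerShell, as an added example that is not part of any answer above: switch the existing trust to selective authentication with netdom, then grant fabrikam\Group1 the "Allowed to Authenticate" control access right on the server1 computer object (the right that selective authentication checks). It assumes it runs as a contoso.com Enterprise Admin on a host with RSAT (the ActiveDirectory module and netdom.exe); all names come from the question.

```powershell
# Added example (not from the original page or from Microsoft documentation):
# restrict cross-forest authentication to server1.contoso.com to fabrikam\Group1.
# Assumes: contoso.com Enterprise Admin credentials, RSAT installed, and that the
# two-way forest trust with fabrikam.com already exists.
Import-Module ActiveDirectory

$trustingForest = 'contoso.com'
$trustedForest  = 'fabrikam.com'
$server         = 'server1'
$group          = 'fabrikam\Group1'

# 1. Change the trust from forest-wide to selective authentication.
#    From this point until step 3 completes, no fabrikam.com principal can
#    authenticate to any computer in contoso.com.
netdom trust $trustingForest /domain:$trustedForest /SelectiveAuth:Yes
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

# 2. Read the rightsGuid of the "Allowed to Authenticate" control access right
#    from the configuration partition rather than hard-coding the GUID.
$cfgNC = (Get-ADRootDSE).ConfigurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))' `
    -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# 3. Grant that right to the foreign group on the resource computer object.
$sid = [System.Security.Principal.NTAccount]::new($group).Translate(
           [System.Security.Principal.SecurityIdentifier])
$dn  = (Get-ADComputer -Identity $server).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 4. Verify: list every principal that now holds "Allowed to Authenticate" on
#    server1. Only fabrikam\Group1 (plus any pre-existing grants) should appear.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and
                   ($_.ActiveDirectoryRights -band
                    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
    Select-Object IdentityReference, AccessControlType
```

Failed cross-forest logons after step 1 surface on the trusting domain's domain controllers as Kerberos or NTLM authentication failures for fabrikam principals, which is the expected effect of the mode and a useful check that the trust is no longer forest-wide.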