Your network contains three Active Directory Domain Services (AD DS) forests as shown in the following exhibit.
The network contains the users shown in the following table.
The network contains the security groups shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 1: Yes -
User1 is in east.contoso.com. Group1 is Domain Local group in west.adatum.com.
Accounts from any domain or any trusted domain, and Global groups from any domain or any trusted domain, can be members of Domain Local groups.
Accounts, Global groups, and Universal groups from other forests and from external domains can also be members of Domain Local groups.
Box 2: No -
User2 is in the fabrikam.com domain.
Group3 is a Universal group in east.contoso.com.
Only accounts from any domain in the same forest can be added as members.
Box 3: Yes -
Group2 is a Universal group in contoso.com.
Group2 can grant permissions on any domain in the same forest or trusting forests.
Active Directory Domain Services add to Domain Local group.
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust
The suggested answer is incorrect
- Yes
- No
- No
The following diagram shows two separate forest trust relationships between three AD DS forests in a single organization.

This example configuration provides the following access:
- Users in Forest 2 can access resources in any domain in either Forest 1 or Forest 3
- Users in Forest 3 can access resources in any domain in Forest 2
- Users in Forest 1 can access resources in any domain in Forest 2
This configuration doesn't allow users in Forest 1 to access resources in Forest 3 or vice versa. To allow users in both Forest 1 and Forest 3 to share resources, a two-way transitive trust must be created between the two forests.
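The group-scope rules from the explanation and the non-transitive forest trust rule above can be combined into a small model, shown here as an added example that is not part of the original page or of any Microsoft tooling. The trust layout (Contoso <-> Adatum <-> Fabrikam, both trusts two-way) and the resource forest for the third statement are assumptions taken from the discussion, since the exhibit and tables are not reproduced; the Global scope rows go beyond what the page quotes.

```python
# Added illustration: a model of the rules quoted on this page, not an AD API.
# ASSUMPTION: forest layout and two-way trusts follow the discussion
# (Contoso <-> Adatum <-> Fabrikam); the exhibit is not reproduced here.
FOREST_OF = {
    "contoso.com": "contoso.com", "east.contoso.com": "contoso.com",
    "adatum.com": "adatum.com", "west.adatum.com": "adatum.com",
    "fabrikam.com": "fabrikam.com",
}

# (trusting forest, trusted forest). Forest trusts are explicit pairs only;
# nothing is inferred by chaining two trusts through a third forest.
EXHIBIT_TRUSTS = frozenset({
    ("contoso.com", "adatum.com"), ("adatum.com", "contoso.com"),
    ("adatum.com", "fabrikam.com"), ("fabrikam.com", "adatum.com"),
})

def is_trusted(trusting_domain, trusted_domain, trusts=EXHIBIT_TRUSTS):
    """True if trusting_domain accepts security principals from trusted_domain."""
    a, b = FOREST_OF[trusting_domain], FOREST_OF[trusted_domain]
    return a == b or (a, b) in trusts

def can_add_account(account_domain, group_domain, scope, trusts=EXHIBIT_TRUSTS):
    """Membership rule for a user account, by group scope."""
    if scope == "DomainLocal":   # accounts from any domain or any trusted domain
        return is_trusted(group_domain, account_domain, trusts)
    if scope == "Universal":     # accounts from any domain in the same forest
        return FOREST_OF[account_domain] == FOREST_OF[group_domain]
    if scope == "Global":        # accounts from the group's own domain only
        return account_domain == group_domain
    raise ValueError(f"unknown group scope: {scope}")

def can_grant_permission(group_domain, scope, resource_domain, trusts=EXHIBIT_TRUSTS):
    """Where a group of the given scope can be placed on an ACL."""
    if scope == "DomainLocal":   # only within the group's own domain
        return resource_domain == group_domain
    if scope in ("Global", "Universal"):  # same forest or trusting forests
        return is_trusted(resource_domain, group_domain, trusts)
    raise ValueError(f"unknown group scope: {scope}")

def evaluate(trusts=EXHIBIT_TRUSTS):
    """The three statements as the explanation and comments describe them."""
    return (
        can_add_account("east.contoso.com", "west.adatum.com", "DomainLocal", trusts),
        can_add_account("fabrikam.com", "east.contoso.com", "Universal", trusts),
        # ASSUMPTION: the resource in statement 3 sits in fabrikam.com (per the comments)
        can_grant_permission("contoso.com", "Universal", "fabrikam.com", trusts),
    )

if __name__ == "__main__":
    print(evaluate())  # assumed exhibit layout
    print(evaluate(EXHIBIT_TRUSTS | {("fabrikam.com", "contoso.com")}))  # explicit trust added
```

Adding an explicit pair in which fabrikam.com trusts contoso.com changes only the third result: Universal group membership stays limited to the group's own forest regardless of trusts.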
Lu5ck
Highly Voted 1 year, 11 months ago
This is about trust.
Contoso <-> Adatum <-> Fabrikam
User1 is from Contoso
Group1 is from Adatum
Both forests trusted each other, so Yes.
User2 is from Fabrikam
Group2 is from Contoso
Both forests don't trust each other, so No. Transitive trust is only applicable to domain under the said forest.
Group2 is from Contoso
Fabrikam is another forest
Both forests don't trust each other, so No. Transitive trust is only applicable to domain under the said forest.
Yes No No
upvoted 29 times
DesolateMarauder
1 year, 11 months ago
All Forests trust each other, look at the links I provided below. I'm testing here in a few hours...
upvoted 3 times
Lu5ck
1 year, 11 months ago
No. Transitive trust is only applicable to domains under the said forest. What this means is that Contoso will trust Adatum and all the domains part of Adatum. However, Contoso will not trust Fabrikam because Fabrikam is not part of Adatum. Trusts between forests are required to be made explicitly.
upvoted 10 times
RickySmith
11 months, 1 week ago
Yes
Accounts from any domain or any trusted domain
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
No
Accounts from any domain in the same forest.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
No
Forest trusts can only be created between two forests and can't be implicitly extended to a third forest.
https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust#forest-trusts
upvoted 3 times
DesolateMarauder
Highly Voted 1 year, 11 months ago
Yes - Domain Local Possible Members: Accounts from any domain or any trusted domain
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
No - Universal Possible Members: Accounts from any domain in the same forest.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
Yes - Universal Permissions: On any domain in the same forest or trusting forests
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
upvoted 10 times
MR_Eliot
Most Recent 1 year, 2 months ago
Correct Answer:
YES: -> User 1 can be added, because it is a domain local. In a domain local you can add users from current forest and other forests (I have tested this).
NO: -> User 1 can not be a group member of "group3", because Group3 is a Universal group. In a Universal group you can only add Root and child domain users (I have tested this).
YES: -> "Group3" is a universal group, which can be used to assign permissions in another forest. Only domain local groups cannot be assigned (I have tested this).
upvoted 1 times
MR_Eliot
1 year, 2 months ago
After further investigation, correct answer is: YES, NO, NO
upvoted 2 times
Returnerwesley
1 year, 6 months ago
Yes, no, yes should be correct
upvoted 1 times
Gore
1 year, 8 months ago
Yes No No https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust
upvoted 4 times
syu31svc
1 year, 8 months ago
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust#forest-trusts Forest trusts can only be created between two forests and can't be implicitly extended to a third forest Yes No No
upvoted 5 times
BryRob
1 year, 10 months ago
For me this is Yes (had forest trust) No (had forest trust) No (no forest trust between contoso.com and fabrikam.com)
upvoted 3 times
BryRob
1 year, 10 months ago
Correction: Yes (had forest trust) No (no forest trust between contoso.com and fabrikam.com) No (no forest trust between contoso.com and fabrikam.com)
upvoted 2 times
muzet112
2 years ago
All domain trusts in an AD DS forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain
upvoted 2 times
Kurko
2 years, 1 month ago
Yes, No, No Forest trusts can only be created between two forests and can't be implicitly extended to a third forest. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust#forest-trusts
upvoted 4 times
kijken
2 years, 1 month ago
I would say yes, yes, yes. I think if that is not the case it has to be yes, no, no. b and c are going through 2 trusts. So it works for both or it does not work for both cases
upvoted 1 times
kijken
2 years, 1 month ago
After more investigation I know the answer is yes no no: Explicit trusts are also used to enable authenticate across forests. When a forest trust is created, a transitive trust is created between the forest root domains in both forests. This allows all the members in the forest to exchange authentication information with the other forest. The forest trust is also called an explicit trust between the two forests. If an additional forest trust is created between one of the original forests and a third forest, an implicit trust with the other original forest is not established to the third forest. In order for the third forest to have a trust relationship with the other forest, an explicit forest trust must be created between the two.
https://www.sciencedirect.com/topics/computer-science/transitive-trust#:~:text=A%20forest%20trust%20is%20also,use%20resources%20in%20the%20other.
upvoted 6 times
GeertVanAssen
2 years, 1 month ago
edit: the explanation of the second question can you assign user two to group3? actually moves on the same presumption. You cannot assign the user to this group because they aren't in the same forest, implying that there is no trust between the contoso and fabrikam root domain forests
upvoted 1 times
GeertVanAssen
2 years, 1 month ago
I don't think the last answer is correct. First off the question doesn't make explicit whether these are transitive or non-transitive trusts and one way or two way. Whatever may be the case, transitivity on a forest level does not span multiple forests like it does for multidomain trees. So if A establishes a forest trust with B, and B does the same with C, there should not be any trust or relationship between Forest A and C. Unfortunately my source is behind a paywall: https://www.skillpipe.com/#/reader/urn:uuid:dfd3a70a-25b7-5262-b225-a862fec9817c@2022-01-18T21:50:42Z/content
upvoted 1 times
edykss
2 years, 3 months ago
Seems correct.
upvoted 2 times