
70-294, "trust" issues


tulipca

MIS
Sep 16, 2002
9
US
I am currently preparing for this exam and getting very frustrated with the errors on the practice exam I have. Here is a typical one.
You are the network administrator for Certkiller. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests.

You need to achieve the following goals:
  • Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
  • Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.

You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

The correct answer in several sources is A, D, E. My choice is B, C, E.
Here is why: Trust direction is Resource trust Account (Resource-->Account). Trust properties under Incoming trusts is domains where account resides. Question is: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest. Trust is cpand1.com trust Contoso.com. So you'd need to set up the incoming trust on Contoso.com, which is B. And for "Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com", you'd need to set up incoming trust on cpand1.com to allow access of selective resources on contoso.com.

Maybe I studied too much lately and lost my clear mind. Can someone please share your thoughts? Very much appreciated.
 
Correction: Trust Properties under Incoming trusts is described as "Domains that trust this domain", meaning that the domains listed here are resource domains, not account domains.
 
My first visit to this forum and I found this thread. I have encountered exactly the same issue that you have. I believe the test exam is wrong (but am I missing something as well?)
 
Is the practice exam Test King?

Lilliabeth
-Why use a big word when a diminutive one will do?-
 
I've tried to get the definitive Microsoft answer on this one, but I'm ending up even more confused.

From Microsoft Technet:
"A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain."

So far, so good...

BUT -
The following text is from the Windows 2003 Help and Support Center. This seems to totally conflict with the above text. Am I reading it wrong???

"If you use domain-wide authentication on the incoming external trust, users in the second domain would have the same level of access to resources in the local domain as users who belong to the local domain. For example, if DomainA has an incoming external trust from DomainB and domain-wide authentication is used, any user from DomainB would be able to access any resource in DomainA (assuming that they have the required permissions)."

Any thoughts?
 
Funny, I'd been checking whether anyone had any response until yesterday afternoon. All of a sudden I received so many posts after I passed the exam this morning (70-294).
I've seen this question in TestKing, CertKiller and some other sites. I also searched TechNet and this. None of them seems to have a clear answer.
But anyway, I believe I am right with my choice of B, C, E. Especially after seeing abstractmechanic's response.

Thanks everyone.
 
Congrats on passing your exam tulipca!

I guess I don't understand the confusion here. I'm currently studying for this exam as well, and before scrolling down to see any answers I came up with A, D, and E. On the contoso domain you set the incoming trust as selective authentication and then allow access to only the HR domain. Of course on the cpand1 domain you allow full access for contoso users.
 
Thanks for the congrats.

I think that's why this question is tricky. The key thing is to understand what is incoming trust. We all know that when setting up trust you need to setup: Resource trusts Account. That is the direction of trust. Just take a look at the Trust Properties under Incoming trusts--described as "Domains that trust this domain" and see what answers you come up with.

Good luck.
 
When I went through this question I came up with A,D & E

Answer B would grant access to all resources on contoso for cpand1 users. The question states they should only have access to the specific server.

Answer C restricts access to specific user groups from Contoso, whereas the question states all contoso users should have access to resources.

Not sure if I'm missing something here, hope not as I have the 294 exam next Tuesday!

A+,N+,S+,MCP,MCSA
70-270-passed
70-290-passed
70-291-passed
70-293-passed
70-294 - Pending
 
I'm going to take this exam on Thursday so I revisited this forum.

For anyone else viewing this question, here is why A, D, and E are correct.

Tulipca said, "Trust direction is Resource trust Account (Resource-->Account)."

It should be..."Trust direction is Resource trust Account (Resource<--Account)". Tulipca had the trust arrow going the wrong direction. The arrow should point to the trusting domain. The resource is trusting the account.

So back to the question...
1. Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com
Answer: A - the contoso forest needs to selectively trust the cpand1 forest (cpand1 --> contoso)

2. Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
Answer: D - the cpand1 forest needs to trust the contoso forest (cpand1 <-- contoso)

Hope this helps.
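
The trust-direction reasoning in the post above, as a simplified model (an added example, not part of the original thread): users who cross a trust with selective authentication are treated as Other Organization, and users who cross a forest-wide trust as This Organization. The `Trust`, `Server` and `evaluate` names, the two extra server names, and the reduction of a DACL to a set of group names are assumptions made for the illustration.

```python
from dataclasses import dataclass

THIS_ORG, OTHER_ORG = "This Organization", "Other Organization"

@dataclass(frozen=True)
class Trust:
    trusting: str    # resource forest: its servers accept the other forest's users
    trusted: str     # account forest: where those users live
    selective: bool  # True = selective authentication, False = forest-wide

@dataclass(frozen=True)
class Server:
    fqdn: str
    forest: str
    dacl_allows: frozenset = frozenset({THIS_ORG})  # assumed simplified default DACL

def org_group(user_forest, server, trusts):
    """Group a user is placed in at this server, or None when no trust covers it."""
    if user_forest == server.forest:
        return THIS_ORG
    for t in trusts:
        if t.trusting == server.forest and t.trusted == user_forest:
            return OTHER_ORG if t.selective else THIS_ORG
    return None

def can_access(user_forest, server, trusts):
    group = org_group(user_forest, server, trusts)
    return group is not None and group in server.dacl_allows

def evaluate(contoso_selective, cpand1_selective):
    """Check both goals from the question for one combination of trust settings."""
    trusts = [
        Trust("contoso.com", "cpand1.com", contoso_selective),  # contoso trusts cpand1
        Trust("cpand1.com", "contoso.com", cpand1_selective),   # cpand1 trusts contoso
    ]
    hrapps = Server("HRApps.contoso.com", "contoso.com",
                    frozenset({THIS_ORG, OTHER_ORG}))            # option E applied
    files = Server("files.contoso.com", "contoso.com")          # constructed name
    app = Server("app.cpand1.com", "cpand1.com")                # constructed name
    return {
        "cpand1 user -> HRApps": can_access("cpand1.com", hrapps, trusts),
        "cpand1 user -> other contoso server": can_access("cpand1.com", files, trusts),
        "contoso user -> cpand1 server": can_access("contoso.com", app, trusts),
    }

if __name__ == "__main__":
    for combo in [(True, False), (False, True)]:
        print(combo, evaluate(*combo))
```

The first combination (contoso.com trusting selectively, cpand1.com trusting forest-wide) meets both goals in the model; the reversed combination opens every contoso.com server to cpand1.com users and blocks contoso.com users from cpand1.com.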
 
Managed to pass 70-294 today but it was pretty close!

I got loads of questions relating to trust relationships, the information above was invaluable.

Resource --> Security principal, definitely agree with Xanien's comments.

The simulations were pretty tame; one had me disabling schema classes and adding to the Schema Admins group, another asks you to change the subnet ranges of sites using GPMC.

The most trouble I had was with OU design, as the questions are very long-winded and take a lot of time to digest.

I found that exam quite difficult, thinking of using the online MS lessons as the format and look of the questions is accurate.

It's all pretty fresh in my head at the moment so if anyone has any questions fire away.





A+,N+,S+,MCP,MCSA
70-270-passed
70-290-passed
70-291-passed
70-293-passed
70-294 - Pending
 