Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

70-294 ,"trust" issues

Status
Not open for further replies.
tulipca

tulipca

MIS
Sep 16, 2002
9
US
I am currently preparing this exam and getting very frustated with the errors on the pratice exam I have. Here is a typical one.
You are the network administrator for Certkiller. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals: • Users in the contoso.com forest must be able to access all resources in the cpand1.com forest. • Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com. You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control list (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

The correct answer in several sources are A, D, E. My choice is B, C, E.
Here is why: Trust direction is Resource trust Account (Resource-->Account). Trust properies under Incoming trusts is domains where account resides. Question is: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest. Trust is cpand1.com trust Contoso.com. So you'd need to setup the incoming trust on Contoso.com which is B. And for Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com., you'd need to setup incoming trust on cpand1.com to allow access of selective resouces on contoso.com.

Maybe I studied too much lately and lost my clear mind. Can someone please share your thoughts? very much appricated.
 
Sort by date Sort by votes
Correction: Trust Properties under Incoming trusts is described as "Domains that trust this domain" meaning that domains listed under here is resource domains not account domains.
 
Upvote 0 Downvote
My first visit to this forum and I found this thread. I have encountered exactly the same issue that you have. I believe the test exam is wrong (but am I missing something as well?)
 
Upvote 0 Downvote
Is the practice exam Test King?

Lilliabeth
-Why use a big word when a diminutive one will do?-
 
Upvote 0 Downvote
I've tried to get the definitive Microsoft answer on this one, but I'm ending up even more confused.

From Microsoft Technet:
"A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain."

So far, so good...

BUT -
The following text is from the Windows 2003 Help and Support Center. This seems to totally conflict with the above text. Am I reading it wrong???

"If you use domain-wide authentication on the incoming external trust, users in the second domain would have the same level of access to resources in the local domain as users who belong to the local domain. For example, if DomainA has an incoming external trust from DomainB and domain-wide authentication is used, any user from DomainB would be able to access any resource in DomainA (assuming that they have the required permissions)."

Any thoughts?
 
Upvote 0 Downvote
Funny, I've been checking if anyone had any response until yesterday afternoon. All the sudden received so many posts after I passed the exam this morning (70-294).
I've seen this question in TestKing, CertKiller and some other sites. I also searched TechNet and this None of them seems to have a clear answer.
But anyway, I believe I am right with choice of B, C, E. Especiallly after seeing abstractmechanic'reponse.

Thanks everyone.
 
Upvote 0 Downvote
Congrats on passing your exam tulipca!

I guess I don't understand the confusion here. I'm currently studying for this exam as well and before scrolling down to see any answers I came up with the A, D, and E. On the contoso domain you set the incoming trust as selective authentication and then allow access to only the HR domain. Of course on the cpand1 domain you all full access for contoso users.
 
Upvote 0 Downvote
Thanks for the congrats.

I think that's why this question is tricky. The key thing is to understand what is incoming trust. We all know that when setting up trust you need to setup: Resource trusts Account. That is the direction of trust. Just take a look at the Trust Properties under Incoming trusts--described as "Domains that trust this domain" and see what answers you come up with.

Good luck.
 
Upvote 0 Downvote
When I went through this question I came up with A,D & E

Answer B would grant access to all resources on contoso for cpand1 users. The question states they should only have access to the specific server.

Answer C restricts access to specific user groups from Contoso where as the question states all contoso users should have access to resources.

Not sure if i'm missing something here, hope not as I have the 294 exam next Tuesday!

A+,N+,S+,MCP,MCSA
70-270-passed
70-290-passed
70-291-passed
70-293-passed
70-294 - Pending
 
Upvote 0 Downvote
I'm going to take this exam on Thursday so I revisited this forum.

For anyone else viewing this question, here is why A, D, and E are correct.

Tulipca said, "Trust direction is Resource trust Account (Resource-->Account)."

It should be..."Trust direction is Resource trust Account (Resource<--Account)". Tulipca had the trust arrow going the wrong direction. The arrow should point to the trusting domain. The resource is trusting the account.

So back to the question...
1. Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com
Answer: A - the contoso forest needs to selectively trust the candp1 forest (candp1 --> contoso)

2. Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
Answer: D - the candp1 forest needs to trust the contoso forest (candp1 <-- contoso)

Hope this helps.
 
Upvote 0 Downvote
Managed to pass 70-294 today but it was pretty close!

I got loads of questions relating to trust relationships, the information above was invaluable.

Resource --> Security principle, definately agree with Xanien's comments.

The simulations where pretty tame, one had me disabling schema classes and adding to Schema Admins group, another asks you to change the subnet ranges of sites using GPMC.

The most trouble I had was with OU design, as the questions are very long winded and take alot of time to digest.

I found that exam quite difficult, thinking of using the online MS lessons as the format and look of the questions is accurate.

Its all prety fresh in my head at the moment so if anyone has any questions fire away.





A+,N+,S+,MCP,MCSA
70-270-passed
70-290-passed
70-291-passed
70-293-passed
70-294 - Pending
 
Upvote 0 Downvote
Managed to pass 70-294 today but it was pretty close!

I got loads of questions relating to trust relationships, the information above was invaluable.

Resource --> Security principle, definately agree with Xanien's comments.

The simulations where pretty tame, one had me disabling schema classes and adding to Schema Admins group, another asks you to change the subnet ranges of sites using GPMC.

The most trouble I had was with OU design, as the questions are very long winded and take alot of time to digest.

I found that exam quite difficult, thinking of using the online MS lessons as the format and look of the questions is accurate.

Its all prety fresh in my head at the moment so if anyone has any questions fire away.


A+,N+,S+,MCP,MCSA
70-270-passed
70-290-passed
70-291-passed
70-293-passed
70-294 passed
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

doktor
  • Locked
  • Question
&quot;642-437 - Implementing Cisco Unified Communications Voice over IP and QoS v8.0 (CVOICE v8.0)&q
Replies
1
Views
126
gnrslash4life
gnrslash4life
Skittle
  • Locked
  • Question
Microsoft Server Admin 70-463 - Virtual Environment
Replies
0
Views
68
Skittle
Skittle
brokenhalo
  • Locked
  • Question
70-662 Exam Prep 1
Replies
2
Views
84
theravager
theravager
Absolution84
  • Locked
  • Helpful tip
70-640 Resources 1
Replies
0
Views
55
Absolution84
Absolution84
aetius90887
  • Locked
  • Question
70-640 AD Question
Replies
3
Views
80
kmcferrin
kmcferrin

Part and Inventory Search

Sponsor

Back
Top