Question 26 of 50, Practice Assessment for Exam AZ-800: Administering Windows Server Hybrid Core Infrastructure

Anonymous
2024-11-15T15:27:59+00:00

Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and nwtraders.com.

Contoso.com has a child domain named accounts.contoso.com that contains a domain-local group named Group1.

Group1 contains user accounts and global groups from accounts.contoso.com.

You need to add Group1 to a local group on a server located in nwtraders.com.

The solution must follow the principle of least privilege.

Which two actions should you perform? Each correct answer presents part of the solution.

Select all answers that apply.

Convert Group1 into a universal group. <This answer is correct>.

Convert Group1 into a global group.

Establish a one-way domain trust. <This answer is correct>.

Establish a one-way forest trust. <This answer is incorrect>.

Establish a two-way forest trust.

Establish a two-way domain trust.

To be able to access resources in another forest, you need to establish a forest trust. As it is not required for the users in nwtraders.com to access the resources in contoso.com, there is no need for a two-way forest trust or a two-way domain trust. Group1 must be converted into a universal group, as only universal groups allow permissions to be granted to local groups on computers in trusting forests.

Need some clarification?

Why is 'one-way forest trust' incorrect in this scenario? <Snap also attached>


2 answers

  1. Anonymous
    2024-11-18T03:03:49+00:00

    Hi AJ75N,

    Thank you for posting in the Microsoft Community Forums.

    In this case, the “one-way forest trust” is incorrect mainly because of the specific requirement mentioned in the question and the difference between forest trust and domain trust.

    Specific requirement: The question asks to add Group1 (a domain local group) in the contoso.com forest to a local group on a server in the nwtraders.com forest. This means that there needs to be a way for the nwtraders.com forest to recognize and access the group in the contoso.com forest.

    Forest Trust vs. Domain Trust:

    Forest Trust: a forest trust is a trust relationship established between two forests that allows users and resources in one forest to access resources in the other forest. A forest trust can be one-way (one forest trusts another forest) or two-way (two forests trust each other).

    Domain trusts: Domain trusts are trust relationships established between two domains, usually within the same forest. They can also be one-way or two-way, but only apply to domains within the same forest.

    Why one-way forest trusts are incorrect:

    While one-way forest trusts allow users and resources in one forest to access resources in another forest, in this particular scenario we only need to add one group (Group1) in contoso.com to a local group in nwtraders.com. This means we don't need full access to the entire contoso.com forest to the nwtraders.com forest.

    Additionally, forest trust typically involves more complex security and management considerations, including trust transmissibility, authentication protocols, and permissions management. For simple group access needs, this may be over-configuration.

    Why one-way domain trust doesn't work either:

    One-way domain trust only applies between domains within the same forest. Since contoso.com and nwtraders.com are two different forests, domain trust cannot be established directly between them.

    Why one-way forest trust (theoretically feasible but non-optimal) is chosen over other methods:

    Theoretically, if nwtraders.com fully trusts all users and resources in contoso.com and this trust is unidirectional (i.e., nwtraders.com trusts contoso.com, but the reverse is not true), then a one-way forest trust can be established. However, this is usually not best practice as it provides broader access than is actually needed.

    A better approach is to establish a one-way external trust (if available, but this is not a native feature of Windows AD) or use other technologies such as Security Assertion Markup Language (SAML) or OAuth for more granular access control. However, in this case, converting Group1 to a generic group and establishing one-way domain trust (via a bridge header domain between forests, if possible) or using other identity federation techniques would be a more complex solution.

    Practical solution:

    Convert Group1 to a generic group, since generic groups can be accessed across multiple domains (or even across forests, if proper trust is established).

    Establish one-way trust, but in this scenario, since we are working between two forests, what we actually need is to simulate or enable group access across forests in some way (possibly by bridging domains or using a third-party identity federation solution). However, in the standard functionality of Windows AD, this usually means establishing a forest trust (although not optimal since, as mentioned earlier, it provides broader access). In this simplified multiple-choice environment, however, we assume that through some unspecified mechanism (possibly a detail that the question omits for the sake of simplicity), one-way forest trust is used as an alternative formulation of a viable, but non-optimal, solution (although it should actually be more precise about the need for a method that enables cross-forest access to groups, which may involve more complex configurations or third-party tools). However, based on the direct requirements of the question, we chose to convert Group1 to a generic group and establish a one-way trust (which, despite being a forest trust, was accepted as part of the answer in this context, possibly for the purpose of simplifying the question).

    Best regards

    Neuvi

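A defender-side PowerShell check of the two actions the answer key asks for, added here as an example and not part of the original question or answer: it verifies that Group1 can be converted from domain-local to universal (the conversion is blocked only when a member is itself a domain-local group), performs the conversion, and then lists the trusts as seen from nwtraders.com with their direction and selective-authentication setting so that a two-way or non-selective trust stands out. Domain and group names come from the question; the RSAT ActiveDirectory module and sufficient rights in both forests are assumed.

```powershell
# Added example (not from the original post or from Microsoft documentation).
# Assumes the RSAT ActiveDirectory module is installed and the session has
# rights to modify Group1 in accounts.contoso.com and read trusts in nwtraders.com.
Import-Module ActiveDirectory

$GroupName   = 'Group1'                # from the question
$GroupDomain = 'accounts.contoso.com'  # child domain that holds Group1
$ResourceDom = 'nwtraders.com'         # forest that owns the server-local group

# 1. Inspect the group and its direct members before changing its scope.
$group   = Get-ADGroup -Identity $GroupName -Server $GroupDomain
$members = @(Get-ADGroupMember -Identity $GroupName -Server $GroupDomain)
"{0} is a {1} group with {2} direct members" -f $group.Name, $group.GroupScope, $members.Count

# 2. Domain-local -> universal is refused by AD when any member is itself a
#    domain-local group, so find such members first instead of failing mid-change.
$blockers = $members |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Get-ADGroup -Identity $_.distinguishedName -Server $GroupDomain } |
    Where-Object { $_.GroupScope -eq 'DomainLocal' }

if ($blockers) {
    Write-Warning ("Cannot convert {0}: nested domain-local groups present: {1}" -f
        $GroupName, ($blockers.Name -join ', '))
    return
}

# 3. Convert the scope. The question states Group1 holds only users and global
#    groups, so this path is taken and the conversion succeeds.
if ($group.GroupScope -ne 'Universal') {
    Set-ADGroup -Identity $group -GroupScope Universal -Server $GroupDomain
    "{0} converted to Universal" -f $GroupName
}

# 4. Audit trusts from the resource side. For least privilege only one direction
#    (nwtraders.com trusting contoso.com) is needed, and selective authentication
#    limits which nwtraders.com computers trusted-forest users may authenticate to.
Get-ADTrust -Filter * -Server $ResourceDom |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication,
        @{ n = 'Review'; e = {
            if ($_.Direction -eq 'BiDirectional') { 'two-way: broader than the scenario needs' }
            elseif (-not $_.SelectiveAuthentication) { 'one-way, forest-wide authentication' }
            else { 'one-way with selective authentication' }
        } } |
    Format-Table -AutoSize
```

Run step 4 again after the trust is created to confirm that only the intended one-way relationship exists.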
  2. Anonymous
    2024-12-16T09:21:51+00:00

    Thank you for the simplified version of the answer.
