Designing and Implementing a Server Infrastructure — Question 9

Your company has two divisions named Division1 and Division2.
The network contains an Active Directory domain named contoso.com. The domain contains two child domains named divisionl.contoso.com and division2.contoso.com.
The company sells Division1 to another company.
You need to prevent administrators in contoso.com and division2.contoso.com from gaining administrative access to the resources in division1.contoso.com.
What should you recommend?

Answer options

• A. Create a new tree in the forest named contoso.secure. Migrate the resources and the accounts in division1.contoso.com to contoso.secure.
• B. On the domain controller accounts in division1.contoso.com, deny the Enterprise Admins group the Allowed to Authenticate permission.
• C. Create a new forest and migrate the resources and the accounts in division1.contoso.com to the new forest.
• D. In division1.contoso.com, remove the Enterprise Admins group from the Domain Admins group and remove the Enterprise Admins group from the access control list (ACL) on the division1.contoso.com domain object.

Correct answer: C

Explanation

The correct answer is C because creating a new forest completely isolates division1.contoso.com from the other domains, ensuring that administrators from contoso.com and division2.contoso.com have no access. Option A does not provide the necessary isolation since it only creates a new tree within the same forest. Option B may restrict authentication but does not prevent administrative access effectively. Option D alters group memberships but still exists within the same forest structure, which does not fully secure division1.