Securing Windows Server 2016 — Question 169

Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.

Answer options

• A. Configure contoso.com to trust contosoadmin.com.
• B. From the properties of the trust, enable selective authentication.
• C. Configure contosoadmin.com to trust contoso.com.
• D. From the properties of the trust, enable forest-wide authentication.
• E. Configure a two-way trust between both forests.

Correct answer: A, B

Explanation

The correct answers are A and B because configuring a trust from contoso.com to contosoadmin.com allows for the necessary communication between the forests, while enabling selective authentication ensures that only specific users from contosoadmin.com can access resources in contoso.com. Options C and E are incorrect as they suggest an incorrect trust direction or unnecessary trust type for the ESAE implementation, and D is not suitable for the security model intended.