ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-800 All Questions

View all questions & answers for the AZ-800 exam
Go to Exam

Exam AZ-800 topic 1 question 21 discussion

Actual exam question from Microsoft's AZ-800
Question #: 21
Topic #: 1
[All AZ-800 Questions]

HOTSPOT -
Your network contains three Active Directory Domain Services (AD DS) forests as shown in the following exhibit.

The network contains the users shown in the following table.

The network contains the security groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise. select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: Yes -
User1 is in east.contoso.com. Group1 is Domain Local group in west.adutm.com.
Accounts from any domain or any trusted domain Global groups from any domain or any trusted domain can be members of Domain Local groups.
Accounts, Global groups, and Universal groups from other forests and from external domains can also be members of Domain Local groups.

Box 2: No -
User2 is in the fabrikam.com domain.
Group3 is a Universal group in east.contso.com.
Only accounts from any domain in the same forest can be added as members.

Box 3: Yes -
Group2 is a Universal group in contoso.com.
Group2 can grant permissions On any domain in the same forest or trusting forests.
Active Directory Domain Services add to Domain Local group.
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
by edykss at Sept. 7, 2022, 6:25 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Lu5ck
Highly Voted 1 year, 10 months ago
This is about trust. Contoso <-> Adatum <-> Fabrikam User1 is from Contoso Group1 is from Adatum Both forests trusted each other, so Yes. User2 is from Fabrikam Group2 is from Contoso Both forests don't trust each other, so No. Transitive trust is only applicable to domain under the said forest. Group2 is from Contoso Fabrikam is another forest Both forests don't trust each other, so No. Transitive trust is only applicable to domain under the said forest. Yes No No
upvoted 30 times
RickySmith
10 months ago
Yes Accounts from any domain or any trusted domain https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN No Accounts from any domain in the same forest. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN N Forest trusts can only be created between two forests and can't be implicitly extended to a third forest. https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust#forest-trusts
upvoted 3 times
...
DesolateMarauder
1 year, 10 months ago
All Forests trust each other, look at the links I provided below. I'm testing here in a few hours...
upvoted 3 times
Lu5ck
1 year, 10 months ago
No. Transitive trust is only applicable to domains under the said forest. What this means is that Contoso will trust Adatum and all the domains part of Adatum. However, Contoso will not trust Fabrikam because Fabrikam is not part of Adatum. Trusts between forests are required to be made explicitly.
upvoted 11 times
...
...
...
DesolateMarauder
Highly Voted 1 year, 10 months ago
Yes - Domain Local Possible Members: Accounts from any domain or any trusted domain https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN No - Universal Possible Members: Accounts from any domain in the same forest. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN Yes - Universal Permissions: On any domain in the same forest or trusting forests https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)?redirectedfrom=MSDN
upvoted 10 times
...
Opoveda
Most Recent 1 month, 1 week ago
I think is Y N N
upvoted 1 times
...
MR_Eliot
1 year, 1 month ago
Correct Answer: YES: -> User 1 can be added, because it is a domain local. In a domain local you can add users from current forest and other forests (I have tested this). NO: -> User 1 can not be a group member of "group3", because Group3 is a Universal group. In a Universal group you can only add Root en child domain users (I have tested this). YES: -> "Group3" is a universal group, which can be used to assign permissions in another forest. Only domain local groups cannot be assigned (I have tested this).
upvoted 1 times
MR_Eliot
1 year, 1 month ago
After further investigation, correct answer is: YES, NO, NO
upvoted 2 times
...
...
Returnerwesley
1 year, 4 months ago
Yes, no, yes should be correct
upvoted 1 times
...
Gore
1 year, 6 months ago
Yes No No https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust
upvoted 4 times
...
syu31svc
1 year, 7 months ago
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust#forest-trusts Forest trusts can only be created between two forests and can't be implicitly extended to a third forest Yes No No
upvoted 5 times
...
BryRob
1 year, 9 months ago
For me this is Yes (had forest trust) No (had forest trust) No (no forest trust between contoso.com and fabrikam.com)
upvoted 3 times
BryRob
1 year, 9 months ago
Correction Yes (had forest trust) No ((no forest trust between contoso.com and fabrikam.com) No (no forest trust between contoso.com and fabrikam.com)
upvoted 2 times
...
...
muzet112
1 year, 10 months ago
All domain trusts in an AD DS forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain
upvoted 2 times
...
Kurko
1 year, 11 months ago
Yes, No, No Forest trusts can only be created between two forests and can't be implicitly extended to a third forest. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust#forest-trusts
upvoted 4 times
...
kijken
2 years ago
I would say yes,yes,yes I think if that is not the case it has to be yes,no, no b and c are going though 2 trusts. So it works for both or it does not work for both cases
upvoted 1 times
kijken
2 years ago
After more invesitgation I know the answer is yes no no: Explicit trusts are also used to enable authenticate across forests. When a forest trust is created, a transitive trust is created between the forest root domains in both forests. This allows all the members in the forest to exchange authentication information with the other forest. The forest trust is also called an explicit trust between the two forests. If an additional forest trust is created between one of the original forests and a third forest, an implicit trust with the other original forest is not established to the third forest. In order for the third forest to have a trust relationship with the other forest, an explicit forest trust must be created between the two https://www.sciencedirect.com/topics/computer-science/transitive-trust#:~:text=A%20forest%20trust%20is%20also,use%20resources%20in%20the%20other.
upvoted 6 times
...
...
GeertVanAssen
2 years ago
edit: the explanation of the second question can you assign user two to group3? actually moves on the same presumption. You cannot assign the user to this group because they aren't in the same forest, implying that there is no trust between the contoso and fabrikam root domain forests
upvoted 1 times
...
GeertVanAssen
2 years ago
I dont think the last answer is correct. First off the question doesn't make explicit whether these are transitive or non-transitive trusts and one way or two way. Whatever may be the case, transitivy on a forest level does not span multiple forest like it does for multidomain trees. So if A establishes a forest trust with B, and B does the same with C, there should not be any trust or relationship between Forest A and C. Unfortanetely my source is behind a paywall: https://www.skillpipe.com/#/reader/urn:uuid:dfd3a70a-25b7-5262-b225-a862fec9817c@2022-01-18T21:50:42Z/content
upvoted 1 times
...
edykss
2 years, 1 month ago
Seems correct.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago