AZ-800 Question #145: Real Exam Question with Answer & Explanation
To grant users from one forest access to resources in another trusted forest while minimizing groups, users should be organized into Domain global groups in their home forest, which are then added to Domain local groups in the resource forest for assigning permissions.
Question
Drag and Drop Question

Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com. A bidirectional forest trust exists between contoso.com and fabrikam.com.

You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest. The solution must meet the following requirements:

- Users in contoso.com must only be added directly to groups in the contoso.com forest.
- Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
- The number of groups must be minimized.

Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. The scenario describes a cross-forest access requirement with a bidirectional forest trust between contoso.com and fabrikam.com. Users in contoso.com need access to resources in fabrikam.com. The solution must adhere to specific requirements: users are added to groups in contoso.com, permissions are granted to groups in fabrikam.com, and the number of groups is minimized.
Following the standard AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) best practice for cross-forest access:
- Organize users (in the contoso.com forest): Users from the contoso.com forest need to be grouped, and a Domain global group is ideal for this. It can contain user accounts from its own domain (or child domains within the contoso.com forest if it is created there) and can be used to grant permissions to resources in any domain in its own forest or in any trusted forest. Crucially, a Domain global group can be a member of a Domain local group in a different, trusted forest. This meets the requirement that users are added only to groups in the contoso.com forest.
- Assign permissions (to resources in the fabrikam.com forest): Permissions to resources in fabrikam.com must be granted directly to groups in the fabrikam.com forest, and a Domain local group is the correct choice for this. It is designed to hold permissions on resources within its own domain (fabrikam.com in this case) and can contain members from any domain in any trusted forest. The Domain global group from contoso.com (containing the users) is therefore added as a member of the Domain local group in fabrikam.com, and the Domain local group is granted the permissions on the resources.
This approach effectively minimizes the number of groups by using one group type for user organization and another for resource permissions, adhering to the standard model for cross-forest resource access.
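The AGUDLP layout described above, implemented with the ActiveDirectory PowerShell module, as an added example that is not part of the original question or of any Microsoft material. Group names, OU paths, user names, DC names, the share path and the credential variable are assumptions; the nesting step is the one that crosses the forest trust and produces a foreign security principal in fabrikam.com.

```powershell
# Added example: AGUDLP across a forest trust (contoso.com accounts -> fabrikam.com resources).
# All names, OU paths and the share path below are constructed placeholders.
Import-Module ActiveDirectory

$contosoDC  = 'dc1.contoso.com'    # assumed DC in the account forest
$fabrikamDC = 'dc1.fabrikam.com'   # assumed DC in the resource forest
$fabCred    = Get-Credential -Message 'Administrator in fabrikam.com'

# 1. Account forest: a Domain global group holds the users
#    (users are added only to groups in contoso.com).
New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=com' -Server $contosoDC
Add-ADGroupMember -Identity 'GG-Finance-Users' -Members 'alice', 'bob' -Server $contosoDC

# 2. Resource forest: a Domain local group will carry the permission
#    (permissions are granted only to groups in fabrikam.com).
New-ADGroup -Name 'DL-FinanceShare-Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=fabrikam,DC=com' -Server $fabrikamDC -Credential $fabCred

# 3. Nest the contoso global group inside the fabrikam domain local group.
#    Across a forest trust this is stored as a foreign security principal (FSP)
#    for the global group's SID; if the cmdlet cannot resolve the foreign
#    object, pass $gg.SID as the member instead.
$gg = Get-ADGroup -Identity 'GG-Finance-Users' -Server $contosoDC
Add-ADGroupMember -Identity 'DL-FinanceShare-Read' -Members $gg `
    -Server $fabrikamDC -Credential $fabCred

# 4. Grant the NTFS permission to the domain local group only
#    (run on the fabrikam.com file server that hosts the share).
$acl  = Get-Acl -Path 'D:\Shares\Finance'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'FABRIKAM\DL-FinanceShare-Read', 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shares\Finance' -AclObject $acl

# Check: both scopes are as intended, and the cross-forest member shows up
# as a foreignSecurityPrincipal rather than as a group object.
Get-ADGroup 'GG-Finance-Users' -Server $contosoDC | Select-Object Name, GroupScope
Get-ADGroup 'DL-FinanceShare-Read' -Server $fabrikamDC -Credential $fabCred |
    Select-Object Name, GroupScope
Get-ADGroupMember 'DL-FinanceShare-Read' -Server $fabrikamDC -Credential $fabCred |
    Select-Object Name, objectClass, SID
```

Only two groups are created, and no user is ever touched in fabrikam.com; removing a user from GG-Finance-Users in contoso.com is enough to revoke the access.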
Common mistakes.
- Using 'Universal' for 'Organize users': A Universal group can contain users from any domain in its forest and can be a member of a Domain local group in another forest. Domain global groups are nevertheless preferred for user aggregation when the primary goal is cross-forest access, especially if the users are primarily within one domain, because of their lighter replication overhead: Universal groups replicate their full membership to every Global Catalog server in the forest. For simple user grouping within a domain for cross-forest access, Domain global is the more efficient and common choice.
- Using 'Universal' for 'Assign permissions': Universal groups are designed for grouping users/groups across domains within the same forest and can be used for permissions within their own forest or trusted forests, but they are not the designated group type for applying permissions directly to resources within a specific domain. That role belongs to Domain local groups, which are specifically scope-limited to their own domain for resource permissions but membership-flexible across trusts.
- Using 'Domain local' for 'Organize users': A Domain local group can contain users from its own domain, but its primary function is to grant permissions to resources within its own domain. A Domain local group created in contoso.com cannot be used to grant permissions to resources in fabrikam.com, nor can it be a member of a group in fabrikam.com. For cross-forest access, the user-organizing group needs to be nestable into a resource group in the other forest, which Domain local groups are not designed for across forests.
- Using 'Domain global' for 'Assign permissions': Domain global groups are best for grouping users or other global groups within their own domain. While they can be granted permissions to resources in other domains/forests, the best practice is to assign permissions to Domain local groups because Domain local groups are optimized for resource access control within their domain and can aggregate members from any trusted domain/forest, including Domain global groups from other forests.
Concept tested. Active Directory group scopes (Domain global, Domain local, Universal) and their appropriate use for user organization and resource permission assignment in a multi-forest environment with trusts (specifically the AGUDLP model).