Your network contains an Active Directory forest named contoso.com. You deploy another Active Directory forest named admin.contoso.com.
You create a trust relationship between the two forests. The trust relationship has the following configurations:
SID history is disabled
SID filtering is disabled
You need to implement Privileged Access Management (PAM) and to specify admin.contoso.com as an administrative forest. What should you do?
A. Run netdom.exe and specify the /quarantine switch.
B. Enable SID filtering on the trust.
C. Run netdom.exe and specify the /transitive switch.
D. Enable SID history on the trust.
Must be D. The /transitive switch is valid only for non-Windows realm trusts.
I think it is D. Enable SID History. See https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests#give-forests-read-access-to-active-directory.
I guess Enable SID history is more suitable.
I am not sure about this question. Looks like we need two actions:
netdom trust corp.secid.se /domain:priv.secid.se /ForestTRANsitive:Yes
netdom trust corp.secid.se /domain:priv.secid.se /EnableSIDHistory:Yes
So which answer fits better?