Domain trust design: all users belong to the ACE account domain; most resources are in PUBS and CAD resource domains. With the fewest trusts, how can you let ACE users access all resources?

Difficulty: Easy

Correct Answer: Establish one-way trusts: PUBS trusts ACE; CAD trusts ACE

Explanation:


Introduction / Context:
In classic Windows NT multi-domain models, a common pattern is one account domain for users and passwords and multiple resource domains for servers and shares. You minimize the number of trusts by having each resource domain trust the account domain, so all resources can authenticate users from the single account domain.


Given Data / Assumptions:

  • Users reside in ACE (account domain).
  • Resources reside in PUBS and CAD (resource domains).
  • Goal: minimal trust relationships while enabling access.
  • One-way trust semantics: if X trusts Y, then X accepts Y’s accounts for authentication.


Concept / Approach:

To allow ACE users to access PUBS and CAD, each resource domain must accept (trust) ACE. This requires two one-way trusts: PUBS → ACE and CAD → ACE, where the arrow reads "trusts". ACE does not need to trust PUBS or CAD, because ACE does not need to accept their identities. Permissions are then granted to ACE global groups on resources in PUBS and CAD.


Step-by-Step Solution:

  • Identify account vs. resource domains.
  • Set one-way trusts from each resource domain to the account domain.
  • Assign ACLs in resource domains to ACE global groups.
  • Verify access by logging on to ACE and reaching PUBS/CAD shares.


Verification / Alternative check:

The well-known “master account domain/resource domain” design prescribes exactly this trust direction to centralize users and decentralize resources with minimal trusts.


Why Other Options Are Wrong:

ACE trusts PUBS/CAD: That would let ACE accept identities from resource domains, which is unnecessary and does not help PUBS/CAD accept ACE users.

Cross or mixed trusts: Add complexity without benefit in this scenario.

None of the above: Incorrect because the minimal two trusts are clearly defined.


Common Pitfalls:

Reversing trust direction; creating redundant bidirectional trusts; granting permissions to users directly instead of groups.
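
The trust-direction rule and the first two pitfalls can be checked mechanically. The Python sketch below is an added example, not part of the original answer: the function names and the sample trust sets are constructed for illustration, and it assumes NT-style trusts, which are one-way and non-transitive.

```python
# Added example: audit a set of one-way trusts against the
# account-domain / resource-domain design described above.
# A trust is a pair (trusting, trusted): "trusting accepts trusted's accounts".
# Assumption: NT-style trusts are non-transitive, so only direct edges count.

def reachable_resources(account, resources, trusts):
    """Resource domains that will authenticate accounts from `account`."""
    direct = set(trusts)
    return sorted(r for r in resources if (r, account) in direct)

def audit_trusts(account, resources, trusts):
    """Classify trusts as missing, reversed, or unneeded for this design."""
    have = set(trusts)
    required = {(r, account) for r in resources}
    # Reversed: the account domain trusts a resource domain.
    backwards = {t for t in have if t[0] == account and t[1] in resources}
    return {
        "missing": sorted(required - have),
        "reversed": sorted(backwards),
        # Anything else outside the required set, e.g. resource-to-resource.
        "unneeded": sorted(have - required - backwards),
    }

# Constructed sample trust sets for the ACE / PUBS / CAD scenario.
RESOURCES = ["PUBS", "CAD"]
CORRECT = [("PUBS", "ACE"), ("CAD", "ACE")]
REVERSED = [("ACE", "PUBS"), ("ACE", "CAD")]
BIDIRECTIONAL = CORRECT + REVERSED
# CAD trusts PUBS and PUBS trusts ACE: CAD still does not accept ACE accounts.
CHAINED = [("PUBS", "ACE"), ("CAD", "PUBS")]

if __name__ == "__main__":
    for name, trusts in [("correct", CORRECT), ("reversed", REVERSED),
                         ("bidirectional", BIDIRECTIONAL), ("chained", CHAINED)]:
        print(name, reachable_resources("ACE", RESOURCES, trusts),
              audit_trusts("ACE", RESOURCES, trusts))
```

The chained case shows why each resource domain needs its own trust to ACE: a trust from CAD to PUBS does not carry ACE accounts through to CAD.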


Final Answer:

Establish one-way trusts: PUBS trusts ACE; CAD trusts ACE
