Pro: Windows Server 2008, Server Administrator
Question No: 111 – (Topic 2)
You need to recommend a solution for managing GPOs. The solution must meet the company's technical requirements.
What should you include in the recommendation?
Desktop Optimization Pack
Forefront EndPoint Protection
System Center Configuration Manager
System Center Operations Manager
Answer: A
Explanation:
Imagine a tool that could help you take control of Group Policy. What would this tool do? It could help you delegate who can review, edit, approve, and deploy Group Policy objects (GPOs). It might help prevent widespread failures that can result from editing GPOs in production environments. You could use it to track each version of each GPO, just as developers use version control to track source code. Any tool that provided these capabilities, cost little, and was easy to deploy would certainly be worth a closer look. Such a tool indeed exists, and it is an integral part of the Microsoft® Desktop Optimization Pack (MDOP) for Software Assurance. MDOP can help organizations reduce the cost of deploying applications, deliver applications as services, and better manage desktop configurations. Together, the MDOP applications shown in Figure 1 can give Software Assurance customers a highly cost-effective and flexible solution for managing desktop computers.
Microsoft Advanced Group Policy Management (AGPM) is the MDOP application that can help customers overcome the challenges that can affect Group Policy management in any organization, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control. For example, you can delegate Reviewer, Editor, and Approver roles to other users, even users who do not typically have access to production GPOs. (Editors can edit GPOs but cannot deploy them; Approvers can deploy GPO changes.)
AGPM can also help reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It even supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications.
This white paper describes the key features of AGPM, such as change control and role-based delegation. The paper then describes how Software Assurance customers can begin evaluating AGPM today.
The AGPM archive provides offline storage for GPOs. As Figure 2 shows, changes that you make to GPOs in the archive do not affect the production environment until you deploy the GPOs. By limiting changes to the archive, you can edit GPOs and test them in a safe environment, without affecting the production environment.
After reviewing and approving the changes, you can then deploy them with the knowledge that you can quickly roll them back if they have an undesired effect.
AGPM has a server component (the AGPM Service) and a client component (the AGPM snap-in), each of which you install separately. First, you install Microsoft Advanced Group Policy Management – Server on a system that has access to the policies that you want to manage. Then, you install the Microsoft Advanced Group Policy Management – Client on any system from which Group Policy administrators will review, edit, and deploy GPOs.
The AGPM snap-in integrates completely with the Group Policy Management Console (GPMC), as Figure 3 shows. Click Change Control in the console tree to open AGPM in the details pane and to manage the AGPM archive on the Contents tab. Here, you can review, edit, and deploy controlled GPOs (that is, GPOs in the archive). You can also take control of uncontrolled GPOs (that is, GPOs that are not in the archive), approve pending changes, and manage GPO templates. On the Domain Delegation tab, AGPM Administrators (Full Control) delegate roles to AGPM users and configure e-mail notifications. Configure the AGPM Server connection on the AGPM Server tab. AGPM 3.0 introduced the Production Delegation tab, which AGPM Administrators can use to delegate permission to edit GPOs in the production environment.
AGPM provides advanced change control features that can help you manage the lifecycle of GPOs. Many of the AGPM change control concepts will be familiar to administrators who have experience using common version-control tools, such as the version control feature in Microsoft Office SharePoint® Server 2007. The following steps are necessary to change and deploy a GPO:
1. Check out the GPO from the archive.
2. Edit the GPO as necessary.
3. Check in the GPO to the archive.
4. Deploy the GPO to production.
Change control means more than locking a GPO to prevent multiple users from changing it at the same time. AGPM keeps a history of changes for each GPO, as shown in Figure 4. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
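The check-out, edit, compare and roll-back cycle described above, as an added example that is not from the exam explanation and is not AGPM's own code: it approximates the AGPM archive with the built-in GroupPolicy module (Backup-GPO, Get-GPOReport, Restore-GPO on Windows Server 2008 R2 or RSAT), so that a change is snapshotted before it is made, the before/after settings can be compared, and the earlier version can be redeployed. The GPO name, the archive folder and the registry policy it changes are assumptions.

```powershell
# Added example: version-tracked GPO change with the built-in GroupPolicy module.
# This is not AGPM; it only mimics the archive / compare / roll-back workflow.
Import-Module GroupPolicy

$GpoName    = 'Web Servers Baseline'                    # assumed GPO name
$ArchiveDir = 'C:\GpoArchive'                           # assumed offline archive folder
$RollBack   = $false                                    # set to $true after review to undo the change
$Comment    = "Pre-change snapshot by $env:USERNAME on $(Get-Date -Format s)"

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# 1. "Check out": snapshot the current version into the archive, with a comment
#    so the history explains who changed what and when.
$backup = Backup-GPO -Name $GpoName -Path $ArchiveDir -Comment $Comment
$before = Join-Path $ArchiveDir "$($backup.Id)-before.xml"
$after  = Join-Path $ArchiveDir "$($backup.Id)-after.xml"
Get-GPOReport -Name $GpoName -ReportType Xml -Path $before

# 2. Edit the GPO. Normally done in the GPMC editor; here a single assumed
#    setting: Windows Update AUOptions = 4 (auto download and schedule install).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ValueName 'AUOptions' -Type DWord -Value 4 | Out-Null

# 3. "Compare": diff the before/after XML reports, the way AGPM's Differences
#    view shows added, changed or deleted settings before approval.
Get-GPOReport -Name $GpoName -ReportType Xml -Path $after
$diff = Compare-Object (Get-Content $before) (Get-Content $after)
$diff | Format-Table -AutoSize

# 4. Roll back: redeploy the archived version if the change had an undesired effect.
if ($RollBack -and @($diff).Count -gt 0) {
    Restore-GPO -Name $GpoName -Path $ArchiveDir -BackupId $backup.Id | Out-Null
    Write-Host "Restored $GpoName from backup $($backup.Id)"
}

# Audit trail: every archived version of every GPO in this folder, newest first.
Get-ChildItem -Path $ArchiveDir -Directory | Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime
```

Unlike AGPM, this gives no separation between the person who edits and the person who deploys; it only provides the history and the roll-back path. Running it under an account that can edit the GPO is still a change to production, so in a real environment the edit step would be done on a test GPO linked to a test OU first.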
Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. However, Group Policy also lets administrators approve their own changes. In contrast, AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown in Figure 5.
An AGPM Administrator has full control of the AGPM archive. In addition to the AGPM Administrator role, AGPM defines three special roles to support its delegation model:
Reviewer. Reviewers can view and compare GPOs. They cannot edit or deploy GPOs.
Editor. Editors can view and compare GPOs. They can also check out GPOs from the archive, edit GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO.
Approver. Approvers can approve the creation and deployment of GPOs. (When Approvers create or deploy a GPO, approval is automatic.)
As an AGPM Administrator, you can delegate these roles to users and groups for all controlled GPOs within the domain (domain delegation). For example, you can delegate the Reviewer role to users, allowing them to review any controlled GPO in the domain. You can also delegate these roles to users for individual controlled GPOs. Rather than allow users to edit any controlled GPO in the domain, for example, you can give them permission to edit a specific controlled GPO by delegating the Editor role for that GPO only.
Search and Filter
AGPM 4.0 introduces the ability to filter the list of GPOs that it displays. For example, you can filter the list by name, status, or comment. You can even filter the list to show GPOs that were changed by a particular user or on a specific date. AGPM displays partial matches, and searches are not case sensitive.
AGPM supports complex search strings using the format column: string, where column is the name of the column by which to search and string is the string to match. For example, to display GPOs that were checked in by Jerry, type state: "checked in" changed by: Jerry in the Search box. Figure 6 shows another example. You can also filter the list by GPO attributes by using the format attribute: string, where attribute is the name of the GPO attribute to match. To display all GPOs that use the Windows® Management Instrumentation (WMI) filter called MyWMIFilter, type wmi filter: mywmifilter in the Search box.
When searching for GPOs, you can use special terms to search by date, dynamically. These special terms are the same terms that you can use when using Windows Explorer to search for files. For example, you can filter the list to display GPOs that were changed today, yesterday, this week, last week, and so on.
In addition to filtering, AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:
1. Export the GPO from a domain in the first forest to a CAB file, by using AGPM (Figure 7).
2. On a computer in a domain in the first forest, copy the CAB file to a portable storage device.
3. Insert the portable storage device into a computer in a domain in the second forest.
4. Import the GPO into the archive in a domain in the second forest, by using AGPM. When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.
The obvious benefit of cross-forest management is testing. Combined with offline editing and change control, cross-forest management enables you to test GPOs in a controlled test environment (the first forest). After verifying the GPO, you can move it into the production environment (the second forest).
Three versions of AGPM are available: AGPM 2.5, AGPM 3.0, and AGPM 4.0. Each is incompatible with the others and supports different Windows operating systems. For more information about choosing the right version of AGPM for your environment and about the Windows operating systems that each supports, see Choosing Which Version of AGPM to Install.
AGPM 4.0 introduces support for Windows 7 and Windows Server® 2008 R2. Additionally, AGPM 4.0 still supports Windows Vista® with Service Pack 1 (SP1) and Windows Server 2008. Table 1 describes limitations in mixed environments that include newer and older Windows operating systems.
Question No: 112 – (Topic 2)
You need to recommend a server build for the Web servers. Which server build should you recommend?
Question No: 113 – (Topic 2)
You need to recommend a strategy for using managed service accounts on the Web servers.
How many managed service accounts should you recommend?
Answer: D
Explanation:
There are 5 web servers in total, 3 in the forest root domain and 1 in each child domain. Q 9 in this exam actually confirms the answer is 5.
Service Account Vulnerability
The practice of configuring services to use domain accounts for authentication leads to potential security exposure. The degree of risk exposure is dependent on various factors, including:
The number of servers that have services that are configured to use service accounts. The vulnerability profile of a network increases for every server that has domain account authenticated services that run on that server. The existence of each such server increases the odds that an attacker might compromise that server, which can be used to escalate privileges to other resources on a network.
The scope of privileges for any given domain account that services use. The larger the scope of privileges that a service account has, the greater the number of resources that can be compromised by that account.
Domain administrator level privileges are a particularly high risk, because the scope of vulnerability for such accounts includes any computer on the network, including the domain controllers. Because such accounts have administrative privileges to all member servers, the compromise of such an account would be severe and all computers and data in the domain would be suspect.
The number of services configured to use domain accounts on any given server. Some services have unique vulnerabilities, which make them somewhat more susceptible to attacks. Attackers will usually attempt to exploit known vulnerabilities first. Use of a domain account by a vulnerable service presents an escalated risk to other systems, which could have otherwise been isolated to a single server.
The number of domain accounts that are used to run services in a domain. Monitoring and managing the security of service accounts requires more diligence than ordinary user accounts, and each additional domain account in use by services only complicates administration of those accounts. The fact that administrators and security administrators need to know where each service account is used in order to detect suspicious activity highlights the need to minimize the number of such accounts.
The preceding factors lead to several possible vulnerability scenarios that can exist, each with a different level of potential security risk. The following diagram and table describe these scenarios.
For these examples it is assumed that the service accounts are domain accounts and each account has at least one service on each server using it for authentication. The following information describes the domain accounts shown in the following figure.
Account A has Administrator-equivalent privileges to more than one domain controller.
Account B has Administrator-equivalent privileges on all member servers.
Account C has Administrator-equivalent privileges on servers 2 and 3.
Account D has Administrator-equivalent privileges on servers 4 and 5.
Account E has Administrator-equivalent privileges on a single member server only.
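The recommended design (one managed service account per Web server, five in total) scripted as an added example that is not from the exam explanation: a standalone managed service account (MSA) on Windows Server 2008 R2 can be installed on exactly one computer, so each server gets its own account, created in that server's own domain, and each account is then authorised for and installed on only that host. This keeps the scope of every account to a single server, the lowest-risk scenario in the factors listed above. The domain, server and application pool names are constructed placeholders, and the script assumes the ActiveDirectory module (RSAT-AD-PowerShell) on both the admin workstation and the Web servers.

```powershell
# Added example: one standalone MSA per Web server, scoped to that server only.
# Directory phase runs from an admin workstation; server phase runs locally on
# each Web server (avoids the remoting double-hop to the domain controller).
Import-Module ActiveDirectory

# Constructed inventory: 3 Web servers in the forest root, 1 in each child domain.
$WebServers = @(
    @{ Name = 'WEB1'; Domain = 'contoso.com' },
    @{ Name = 'WEB2'; Domain = 'contoso.com' },
    @{ Name = 'WEB3'; Domain = 'contoso.com' },
    @{ Name = 'WEB4'; Domain = 'east.contoso.com' },
    @{ Name = 'WEB5'; Domain = 'west.contoso.com' }
)

function New-WebServerMsa {
    # Directory phase: create the MSA in the server's own domain and link it
    # to exactly one computer object. AD generates and rotates the password.
    param([string]$ServerName, [string]$DomainName)
    $msaName = "svc_$ServerName"      # e.g. svc_WEB1 (keep under 15 characters)
    $dc = (Get-ADDomainController -Discover -DomainName $DomainName).HostName |
          Select-Object -First 1
    New-ADServiceAccount -Name $msaName -Enabled $true -Server $dc
    Add-ADComputerServiceAccount -Identity $ServerName -ServiceAccount $msaName -Server $dc
    return $msaName
}

function Install-WebServerMsa {
    # Server phase (run on the Web server itself): install the MSA locally and
    # run the IIS application pool under it. An MSA logs on as DOMAIN\name$
    # with an empty password; the pool name is an assumption.
    param([string]$MsaName, [string]$NetBiosDomain, [string]$AppPool = 'DefaultAppPool')
    Install-ADServiceAccount -Identity $MsaName
    & "$env:windir\system32\inetsrv\appcmd.exe" set apppool "/apppool.name:$AppPool" `
        /processModel.identityType:SpecificUser `
        "/processModel.userName:$NetBiosDomain\$MsaName`$" `
        '/processModel.password:'
}

# Directory phase for all five servers.
foreach ($srv in $WebServers) {
    $msa = New-WebServerMsa -ServerName $srv.Name -DomainName $srv.Domain
    Write-Host "Created $msa in $($srv.Domain) for $($srv.Name)"
}

# Verification: every MSA must be linked to exactly one host computer.
$WebServers | ForEach-Object { $_.Domain } | Sort-Object -Unique | ForEach-Object {
    Get-ADServiceAccount -Server $_ -Filter 'Name -like "svc_*"' -Properties HostComputers |
        Select-Object Name, @{ n = 'Hosts'; e = { @($_.HostComputers).Count } }
}

# Server phase, run on each Web server as a local administrator, e.g. on WEB4:
#   Install-WebServerMsa -MsaName 'svc_WEB4' -NetBiosDomain 'EAST'
```

On Windows Server 2012 and later, New-ADServiceAccount defaults to creating a group MSA and needs -RestrictToSingleComputer to produce the standalone kind shown here; the one-host-per-account check at the end is what confirms the design the answer relies on.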
Question No: 114 – (Topic 2)
You are evaluating whether to use express installation files as an update distribution mechanism. Which technical requirement is met by using the express installation files?
Newly implemented technologies must minimize the impact on LAN traffic.
Newly implemented technologies must minimize the storage requirements.
Newly implemented technologies must minimize the amount of bandwidth used on Internet connections.
All patches and updates must be tested in a nonproduction environment before they are applied to production servers.
Answer: A
Explanation:
The express installation files feature is an update distribution mechanism. You can use express installation files to limit the bandwidth consumed on your local network, but at the cost of bandwidth consumption on your Internet connection. By default, WSUS does not use express installation files. To better understand the tradeoff, you first have to understand how WSUS updates client computers.
Updates typically consist of new versions of files that already exist on the computer being updated. On a binary level these existing files might not differ very much from updated versions. The express installation files feature is a way of identifying the exact bytes that change between different versions of files, creating and distributing updates that include just these differences, and then merging the original file with the update on the client computer. Sometimes this is called delta delivery because it downloads only the difference, or delta, between two versions of a file.
When you distribute updates by using this method, it requires an initial investment in bandwidth. Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.
The upper part of the "Express Installation Files Feature" illustration depicts an update being distributed by using the express installation files feature; the lower part of the illustration depicts the same update being distributed without using the express installation files feature. Notice that with express installation files enabled, you incur an initial download three times the size of the update. However, this cost is mitigated by the reduced amount of bandwidth required to update client computers on the corporate network. With express installation files disabled, your initial download of updates is smaller, but whatever you download must then be distributed to each of the clients on your corporate network.
Although there are some variables with express installation files, there are also some things you can count on.
For example, express installation files are always bigger in size than the updates they are meant to distribute.
As far as bandwidth goes, it is always less expensive to distribute updates using express installation files than to distribute updates without.
Not all updates are good candidates for distribution using express installation files. If you select this option, you obtain express installation files for any updates being distributed this way. If you are not storing updates locally, you cannot use the express installation files feature. By default, WSUS does not use express installation files.
To enable this option see http://technet.microsoft.com/en-us/library/cc708460(v=ws.10).aspx
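The two settings the explanation ties together (updates stored locally as a prerequisite, express installation files off by default), checked and changed through the WSUS administration API as an added example that is not from the exam explanation or the linked TechNet page. It assumes the script runs on the WSUS server with the administration console installed, that WSUS listens on port 8530 without SSL, and it uses the real IUpdateServerConfiguration properties HostBinariesOnMicrosoftUpdate, DownloadExpressPackages and LocalContentCachePath.

```powershell
# Added example: enable express installation files only when WSUS stores
# update files locally, which is the precondition the text describes.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Assumed connection: local WSUS server, HTTP on port 8530.
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$config = $wsus.GetConfiguration()

# HostBinariesOnMicrosoftUpdate = $true means clients fetch the files from
# Microsoft Update, i.e. nothing is stored locally, so express files cannot be used.
if ($config.HostBinariesOnMicrosoftUpdate) {
    Write-Warning 'Update files are not stored locally on this WSUS server; express installation files are not available.'
}
elseif (-not $config.DownloadExpressPackages) {
    # Default is $false. Enabling it roughly triples the download from the
    # upstream source in exchange for smaller transfers to each LAN client.
    $config.DownloadExpressPackages = $true
    $config.Save()
    Write-Host 'Express installation files enabled.'
}
else {
    Write-Host 'Express installation files were already enabled.'
}

# Record the resulting storage settings for the change log.
$config | Select-Object HostBinariesOnMicrosoftUpdate, DownloadExpressPackages, LocalContentCachePath
```

The check on HostBinariesOnMicrosoftUpdate is the part worth keeping: setting DownloadExpressPackages on a server that does not store updates locally has no effect, so the script refuses rather than silently saving a setting that will never be used. The trade-off stated in the explanation also applies to any downstream replica servers, which inherit the larger express downloads from the upstream server.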
Update Storage Options
Use the Update Files section to determine if updates will be stored on WSUS or if client computers wil