Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. You need to plan an auditing strategy that meets the following requirements:
• Audits all changes to Active Directory Domain Services (AD DS)
• Stores all auditing data in a central location
What should you include in your plan?
A. Configure an audit policy for the domain. Configure Event Forwarding.
B. Configure an audit policy for the domain controllers. Configure Data Collector Sets.
C. Implement Windows Server Resource Manager (WSRM) in managing mode.
D. Implement Windows Server Resource Manager (WSRM) in accounting mode.
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
The configuration of a subscription filter is more like the configuration of a custom view in that you
are able to specify multiple event log sources, rather than just a single Event Log source. In addition,
the subscription will be saved whereas you need to re-create a filter each time you use one. By
default, all collected Event Log data will be written to the Forwarded Events Event Log. You can
forward data to other logs by configuring the properties of the subscription. Even though you use a
filter to retrieve only specific events from source computers and place them in the destination log,
you can still create and apply a custom view to data that is located in the destination log. You could
create a custom view for each source computer, which would allow you to quickly limit events to
that computer rather than viewing data from all source computers at the same time.
You configure collector initiated subscriptions through the application of Group Policy. To do this
you must configure the collector computer in the same manner as you did in the previous steps.
When configuring the subscription type, select Source Computer Initiated rather than Collector
Initiated. To set up the source computers, apply a GPO where you have configured the Computer
Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node and
configure the Server Address, Refresh Interval, And Issuer Certificate policy with the details of the
collector computer, as shown in Figure 7-10.
■ Auditing enhancements: You can use the new Directory Service Changes audit policy subcategory
when auditing Windows Server 2008 AD DS. This lets you log old and new values when changes are
made to AD DS objects and their attributes. You can also use this new feature when auditing Active
Directory Lightweight Directory Services (AD LDS).
Planning AD DS Auditing
In Windows Server 2008, the global audit policy Audit Directory Service Access is enabled by default.
This policy controls whether auditing for directory service events is enabled or disabled. If you
configure this policy setting by modifying the Default Domain Controllers Policy, you can specify
whether to audit successes, audit failures, or not audit at all. You can control what operations to
audit by modifying the System Access Control List (SACL) on an object. You can set a SACL on an AD
DS object on the Security tab in that object’s Properties dialog box.
As an administrator one of your tasks is to configure audit policy. Enabling success or failure auditing
is a straightforward procedure. Deciding which objects to audit; whether to audit success, failure or
both; and whether to record new and old values if changes are made is much more difficult. Auditing
everything is never an option—too much information is as bad as too little. You need to be selective.
In Windows 2000 Server and Windows Server 2003, you could specify only whether DS access was
audited. Windows Server 2008 gives you more granular control. You can audit the following:
■ DS access
■ DS changes (old and new values)
■ DS replication
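The DS changes subcategory and the Forwarded Events log described above can be tied together as follows; this is an added example, not code from the training kit. It assumes an event subscription already delivers the domain controllers' Security log events to the collector, and the `-Role` parameter is a hypothetical name used only to separate the three steps. Event ID 5136 and the two operation-type codes are Windows' own values and do not appear in the text above.

```powershell
# Added example, not from the training kit. Run elevated; works on PowerShell 2.0.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('DomainController', 'Collector', 'Report')]
    [string]$Role
)
switch ($Role) {
    'DomainController' {
        # Record old and new values for writes to objects whose SACL audits them.
        auditpol /set /subcategory:"Directory Service Changes" /success:enable
        auditpol /get /subcategory:"Directory Service Changes"
    }
    'Collector' {
        # Configure the Windows Event Collector service that receives the events.
        wecutil qc /q
    }
    'Report' {
        # Event 5136 = "A directory service object was modified". One change is
        # logged as a Value Deleted (%%14675) record and a Value Added (%%14674)
        # record that share an OpCorrelationID.
        $filter = @{ LogName = 'ForwardedEvents'; Id = 5136 }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $row = @{ Computer = $_.MachineName; Time = $_.TimeCreated }
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $row[$d.Name] = $d.'#text'
                }
                New-Object PSObject -Property $row
            } |
            Group-Object OpCorrelationID, ObjectDN, AttributeLDAPDisplayName |
            ForEach-Object {
                $g = $_.Group
                $old = @($g | Where-Object { $_.OperationType -eq '%%14675' } |
                    ForEach-Object { $_.AttributeValue })
                $new = @($g | Where-Object { $_.OperationType -eq '%%14674' } |
                    ForEach-Object { $_.AttributeValue })
                New-Object PSObject -Property @{
                    Time      = $g[0].Time
                    Computer  = $g[0].Computer
                    Who       = $g[0].SubjectUserName
                    ObjectDN  = $g[0].ObjectDN
                    Attribute = $g[0].AttributeLDAPDisplayName
                    OldValue  = $old -join '; '
                    NewValue  = $new -join '; '
                }
            } |
            Select-Object Time, Computer, Who, ObjectDN, Attribute, OldValue, NewValue
    }
}
```

Only objects whose SACL audits the write produce these events, so an empty report can mean a missing SACL entry rather than an absence of changes.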