###BeginCaseStudy###
Case Study: 1
Humongous Insurance
Scenario:
COMPANY OVERVIEW
Humongous Insurance has a main office and 20 branch offices. The main office is located in
New York. The branch offices are located throughout North America. The main office has
8,000 users. Each branch office has 2 to 250 users.
PLANNED CHANGES
Humongous Insurance plans to implement Windows BitLocker Drive Encryption (BitLocker)
on all servers.
EXISTING ENVIRONMENT
The network contains servers that run either Windows Server 2003, Windows Server 2008, or
Windows Server 2008 R2. All client computers run either Windows 7 Enterprise or Windows
Vista Enterprise.
Business Goals
Humongous Insurance wants to minimize costs whenever possible.
Existing Active Directory/Directory Services
The network contains a single Active Directory forest named humongousinsurance.com. The
forest contains two child domains named north.humongousinsurance.com and
south.humongousinsurance.com. The functional level of the forest is Windows Server 2008
R2.
Existing Network Infrastructure
Each child domain contains a Web server that has Internet Information Services (IIS)
installed. The forest root domain contains three Web servers that have IIS installed. The Web
servers in the forest root domain are configured in a Network Load Balancing (NLB) cluster.
Currently, all of the Web servers use a single domain user account as a service account.
Windows Server Update Services (WSUS) is used for company-wide patch management. The
WSUS servers do not store updates locally. The network contains Remote Desktop servers
that run Windows Server 2008 R2. Users in the sales department access a line-of-business
application by using Remote Desktop. Managers in the sales department use the application
to generate reports. Generating the reports is CPU intensive. The sales managers report that
when many users are connected to the servers, the reports take a long time to process.
Humongous Insurance has the following standard server builds:
• Class 1 – Dual x64 CPUs, 4-GB RAM, Windows Web Server 2008 R2
• Class 2 – Dual x64 CPUs, 4-GB RAM, Windows Server 2008 R2 Standard
• Class 3 – Quad x64 CPUs, 8-GB RAM, Windows Server 2008 R2 Standard
• Class 4 – Quad x64 CPUs, 8-GB RAM, Windows Server 2008 R2 Enterprise
Current Administration Model
Humongous Insurance currently uses the following technologies to manage the network:
• Microsoft Desktop Optimization Pack
• Microsoft Forefront Endpoint Protection
• Microsoft System Center Operations Manager
• Microsoft System Center Configuration Manager
TECHNICAL REQUIREMENTS
Humongous Insurance must meet the following technical requirements:
• A certificate must be required to recover BitLocker-protected drives.
• Newly implemented technologies must minimize the impact on LAN traffic.
• Newly implemented technologies must minimize the storage requirements.
• The management of disk volumes and shared folders must be performed remotely
whenever possible.
• Newly implemented technologies must minimize the amount of bandwidth used on
Internet connections.
• All patches and updates must be tested in a non-production environment before they
are applied to production servers.
• Multiple versions of a Group Policy object (GPO) must be maintained in a central
archive to facilitate a rollback if required.
• The management of passwords and service principal names (SPNs) for all service accounts
must be automated whenever possible.
###EndCaseStudy###

You need to recommend a solution for managing GPOs. The solution must meet the company’s
technical requirements. What should you include in the recommendation?

A.
Desktop Optimization Pack

B.
Forefront Endpoint Protection

C.
System Center Configuration Manager

D.
System Center Operations Manager

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/ee532079.aspx
Imagine a tool that could help you take control of Group Policy. What would this tool do? It could
help you delegate who can review, edit, approve, and deploy Group Policy objects (GPOs). It might
help prevent widespread failures that can result from editing GPOs in production environments. You
could use it to track each version of each GPO, just as developers use version control to track source
code. Any tool that provided these capabilities, cost little, and was easy to deploy would certainly be
worth a closer look.
Such a tool indeed exists, and it is an integral part of the Microsoft® Desktop Optimization Pack
(MDOP) for Software Assurance. MDOP can help organizations reduce the cost of deploying
applications, deliver applications as services, and better manage desktop configurations. Together,
the MDOP applications shown in Figure 1 can give Software Assurance customers a highly cost-effective and flexible solution for managing desktop computers.

Microsoft Advanced Group Policy Management (AGPM) is the MDOP application that can help
customers overcome the challenges that can affect Group Policy management in any organization,
particularly those with complex information technology (IT) environments. A robust delegation
model, role-based administration, and change-request approval provide granular administrative
control. For example, you can delegate Reviewer, Editor, and Approver roles to other users—even
users who do not typically have access to production GPOs. (Editors can edit GPOs but cannot deploy
them; Approvers can deploy GPO changes.)

AGPM can also help reduce the risk of widespread failures. You can use AGPM to edit GPOs offline,
outside of the production environment, and then audit changes and easily find differences between
GPO versions. In addition, AGPM supports effective change control by providing version tracking,
history capture, and quick rollback of deployed GPO changes. It even supports a management
workflow by allowing you to create GPO template libraries and send GPO change e-mail
notifications.
This white paper describes the key features of AGPM, such as change control and role-based
delegation. The paper then describes how Software Assurance customers can begin evaluating
AGPM today.
Offline Editing
The AGPM archive provides offline storage for GPOs. As Figure 2 shows, changes that you make to
GPOs in the archive do not affect the production environment until you deploy the GPOs. By limiting
changes to the archive, you can edit GPOs and test them in a safe environment, without affecting
the production environment.
After reviewing and approving the changes, you can then deploy them with the knowledge that you
can quickly roll them back if they have an undesired effect.

GPMC Integration
AGPM has a server component (the AGPM Service) and a client component (the AGPM snap-in),
each of which you install separately. First, you install Microsoft Advanced Group Policy Management
– Server on a system that has access to the policies that you want to manage. Then, you install the
Microsoft Advanced Group Policy Management – Client on any system from which Group Policy
administrators will review, edit, and deploy GPOs.
The AGPM snap-in integrates completely with the Group Policy Management Console (GPMC), as
Figure 3 shows. Click Change Control in the console tree to open AGPM in the details pane and to
manage the AGPM archive on the Contents tab. Here, you can review, edit, and deploy controlled
GPOs (that is, GPOs in the archive). You can also take control of uncontrolled GPOs (that is, GPOs
that are not in the archive), approve pending changes, and manage GPO templates. On the Domain
Delegation tab, AGPM Administrators (Full Control) delegate roles to AGPM users and configure
e-mail notifications. Configure the AGPM
Server connection on the AGPM Server tab. AGPM 3.0 introduced the Production Delegation tab,
which AGPM Administrators can use to delegate permission to edit GPOs in the production
environment.

Change Control
AGPM provides advanced change control features that can help you manage the lifecycle of GPOs.
Many of the AGPM change control concepts will be familiar to administrators who have experience
using common version-control tools, such as the version control feature in Microsoft Office
SharePoint® Server 2007. The following steps are necessary to change and deploy a GPO:
1. Check out the GPO from the archive.
2. Edit the GPO as necessary.
3. Check in the GPO to the archive.
4. Deploy the GPO to production.
Change control means more than locking a GPO to prevent multiple users from changing it at the
same time. AGPM keeps a history of changes for each GPO, as shown in Figure 4. You can deploy any
version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary.
AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings.
Therefore, you can easily review changes before approving and deploying them to the production
environment. In addition, a complete history of each GPO enables you to audit not only changes but
also all activities related to that GPO.
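The check-out, edit, check-in, deploy cycle above, and the "multiple versions in a central archive to facilitate a rollback" requirement from the case study, can be reproduced in a minimal form without AGPM. The script below is an added example, not code from the white paper or from AGPM; it uses only the native GroupPolicy module that the GPMC feature installs on Windows Server 2008 R2 (Backup-GPO, Restore-GPO, Compare-Object). The archive share \\nyc-fs01\GPOArchive and the GPO name 'Server Hardening' are hypothetical. It relies on the standard GPMC backup layout, in which each backup is a folder named after the backup GUID that contains the settings report gpreport.xml.

```powershell
# Added example (not AGPM, not from the white paper): version archive, settings diff
# and rollback for one GPO using the native GroupPolicy module (GPMC on Server 2008 R2).
# \\nyc-fs01\GPOArchive and 'Server Hardening' are hypothetical names.
Import-Module GroupPolicy

$ArchivePath = '\\nyc-fs01\GPOArchive'   # hypothetical central archive share
$GpoName     = 'Server Hardening'        # hypothetical GPO under change control

# "Check in": Backup-GPO writes one folder per backup GUID (with gpreport.xml inside)
# and stores the comment, which plays the role of an AGPM check-in comment.
function Checkpoint-Gpo {
    param([string]$Name, [string]$Path, [string]$Comment)
    $b = Backup-GPO -Name $Name -Path $Path -Comment $Comment
    New-Object PSObject -Property @{
        Version = $b.Id            # backup GUID identifies this archived version
        Created = $b.CreationTime
        Comment = $b.Comment
    }
}

# "Difference": line-level diff of the settings reports of two archived versions.
# Timestamps in the report change on every backup and are filtered out as noise.
function Compare-GpoVersion {
    param([string]$Path, [guid]$OldVersion, [guid]$NewVersion)
    $old = Get-Content (Join-Path $Path "{$OldVersion}\gpreport.xml")
    $new = Get-Content (Join-Path $Path "{$NewVersion}\gpreport.xml")
    Compare-Object -ReferenceObject $old -DifferenceObject $new |
        Where-Object { $_.InputObject -notmatch '<ReadTime>|<ModifiedTime>' } |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$tag $($_.InputObject.Trim())"
        }
}

# "Roll back": overwrite the production GPO with a chosen archived version.
function Restore-GpoVersion {
    param([string]$Path, [guid]$Version)
    Restore-GPO -BackupId $Version -Path $Path
}

# Usage: checkpoint before and after an edit, review the diff, roll back if needed.
$v1 = Checkpoint-Gpo -Name $GpoName -Path $ArchivePath -Comment 'Baseline before change 4711'
# ... edit the GPO in GPMC ...
$v2 = Checkpoint-Gpo -Name $GpoName -Path $ArchivePath -Comment 'Change 4711: tightened audit policy'
Compare-GpoVersion -Path $ArchivePath -OldVersion $v1.Version -NewVersion $v2.Version
# Undesired effect in production? Return to the baseline version:
Restore-GpoVersion -Path $ArchivePath -Version $v1.Version
```

Run it from an account that can back up and restore the GPO and write to the share. What this does not give you is the part of AGPM that matters for separation of duties: here the same person takes the checkpoint, edits and restores, so there is no Editor/Approver split and no offline copy; the edit still happens against the production GPO between the two checkpoints.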

Role-Based Delegation
Group Policy already provides a rich delegation model that allows you to delegate administration to
regional and task-oriented administrators. However, Group Policy also lets administrators approve
their own changes. In contrast, AGPM provides a role-based delegation model that adds a review
and approval step to the workflow, as shown in Figure 5.

An AGPM Administrator has full control of the AGPM archive. In addition to the AGPM
Administrator role, AGPM defines three special roles to support its delegation model:
· Reviewer. Reviewers can view and compare GPOs. They cannot edit or deploy GPOs.
· Editor. Editors can view and compare GPOs. They can also check out GPOs from the archive, edit
GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO.
· Approver. Approvers can approve the creation and deployment of GPOs. (When Approvers create
or deploy a GPO, approval is automatic.)
As an AGPM Administrator, you can delegate these roles to users and groups for all controlled GPOs
within the domain (domain delegation). For example, you can delegate the Reviewer role to users,

allowing them to review any controlled GPO in the domain. You can also delegate these roles to
users for individual controlled GPOs. Rather than allow users to edit any controlled GPO in the
domain, for example, you can give them permission to edit a specific controlled GPO by delegating
the Editor role for that GPO only.
Search and Filter
AGPM 4.0 introduces the ability to filter the list of GPOs that it displays. For example, you can filter
the list by name, status, or comment. You can even filter the list to show GPOs that were changed by
a particular user or on a specific date. AGPM displays partial matches, and searches are not case
sensitive.
AGPM supports complex search strings using the format column: string, where column is the name
of the column by which to search and string is the string to match. For example, to display GPOs that
were checked in by Jerry, type state: “checked in” changed by: Jerry in the Search box. Figure 6
shows another example. You can also filter the list by GPO attributes by using the format attribute:
string, where attribute is the name of the GPO attribute to match. To display all GPOs that use the
Windows® Management Instrumentation (WMI) filter called MyWMIFilter, type wmi filter:
mywmifilter in the Search box.
When searching for GPOs, you can use special terms to search by date, dynamically. These special
terms are the same terms that you can use when using Windows Explorer to search for files. For
example, you can filter the list to display GPOs that were changed today, yesterday, this week, last
week, and so on.
Cross-Forest Management
In addition to filtering, AGPM 4.0 also introduces cross-forest management. You can use the
following process to copy a controlled GPO from a domain in one forest to a domain in a second
forest:

1. Export the GPO from a domain in the first forest to a CAB file, by using AGPM (Figure 7).
2. On a computer in a domain in the first forest, copy the CAB file to a portable storage device.
3. Insert the portable storage device into a computer in a domain in the second forest.
4. Import the GPO into the archive in a domain in the second forest, by using AGPM.

When you import the GPO into the second forest, you can import it as a new controlled GPO. You
can also import it to replace the settings of an existing GPO that is checked out of the archive.
The obvious benefit of cross-forest management is testing. Combined with offline editing and
change control, cross-forest management enables you to test GPOs in a controlled test environment
(the first forest). After verifying the GPO, you can move it into the production environment (the
second forest).
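The four-step test-forest-to-production-forest move above has a native counterpart for readers who are not on MDOP. The script below is an added example, not AGPM's export/import and not from the white paper; it uses Backup-GPO and Import-GPO from the GroupPolicy module. The removable-media path E:\GPOExport, the forest names test.example and humongousinsurance.com, and the migration table file test-to-prod.migtable are hypothetical. The migration table is the piece the white paper's CAB workflow leaves implicit: security principals and UNC paths inside the GPO refer to the test forest and must be mapped to their production equivalents, or the imported GPO silently points at objects that do not exist.

```powershell
# Added example (not AGPM, not from the white paper): move a GPO from a test forest
# to the production forest with Backup-GPO / Import-GPO and a migration table.
# All names are hypothetical.
Import-Module GroupPolicy

# Step 1-2: in the TEST forest, export the verified GPO to the portable device.
Backup-GPO -Name 'Server Hardening' -Domain 'test.example' -Path 'E:\GPOExport' `
           -Comment 'Verified in test forest, change 4711'

# Step 3-4: in the PRODUCTION forest, import from the same device. The migration table
# (built with the GPMC Migration Table Editor) maps test-forest groups and UNC paths
# to their production equivalents; -CreateIfNeeded creates the GPO if it is absent,
# otherwise the import replaces the settings of the existing GPO of that name.
Import-GPO -BackupGpoName 'Server Hardening' -Path 'E:\GPOExport' `
           -TargetName 'Server Hardening' -Domain 'humongousinsurance.com' `
           -MigrationTable 'E:\GPOExport\test-to-prod.migtable' -CreateIfNeeded

# Review the result before linking it: an HTML settings report of the imported GPO.
Get-GPOReport -Name 'Server Hardening' -Domain 'humongousinsurance.com' `
              -ReportType Html -Path 'E:\GPOExport\Server-Hardening-prod.html'
```

Import-GPO does not link the GPO, so nothing applies until an administrator creates the link in production, which is the natural place to put the approval step.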
Windows Support
Three versions of AGPM are available: AGPM 2.5, AGPM 3.0, and AGPM 4.0. Each is incompatible
with the others and supports different Windows operating systems. For more information about
choosing the right version of AGPM for your environment and about the Windows operating systems
that each supports, see Choosing Which Version of AGPM to Install.
AGPM 4.0 introduces support for Windows 7 and Windows Server® 2008 R2. Additionally, AGPM 4.0
still supports Windows Vista® with Service Pack 1 (SP1) and Windows Server 2008. Table 1 describes
limitations in mixed environments that include newer and older Windows operating systems.
