###BeginCaseStudy###
Case Study: 2
Contoso, Ltd.
Scenario:
COMPANY OVERVIEW
Contoso, Ltd. is a consulting company that has a main office and two branch offices. The
main office is located in Johannesburg. The branch offices are located in Brisbane and
Montreal. The Johannesburg office has 400 users. Each branch office has 100 users.
PLANNED CHANGES
Contoso plans to open a new branch office. The new office will have a 512-Kbps connection
to the Montreal office and a 2-Mbps connection to the Internet. The new branch office will
have a domain controller, a DirectAccess server, a file server, and a Web server. All branch
office servers will be virtualized. Contoso plans to implement role-based access control for
all new virtual machines (VMs) deployed on Hyper-V servers.
In the new branch office, a user named User1 must be permitted to perform only the
following actions on the Hyper-V server:
• Start the VMs.
• View the configuration of the VMs.
EXISTING ENVIRONMENT
All servers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
The main office has multiple file servers. Each branch office has one file server. Each file
server has two hard disks. One disk has the server’ s operating system installed and the other
disk stores data files. File server backups are performed regularly. The main office has a
Windows Server Update Services (WSUS) server. All client computers are configured to
receive updates from the WSUS server. The main office connects to each branch office by
using a 512-Kbps WAN link.
Existing Active Directory/Directory Services
The network contains a single Active Directory domain named contoso.com. An Active
Directory site exists for each office. Each Active Directory site contains three subnets. Each
subnet contains client computers.
The main office has two domain controllers. Each branch office has one domain controller.
REQUIREMENTS
Storage Requirements
Contoso must meet the following storage requirements:
• Improve data availability on the file servers.
• Improve the performance of the file servers.
• Limit each user’s storage space on the file servers to 2 GB.
• Prevent users from storing audio and video files on the file servers.
• Provide additional storage on the file servers without causing downtime.
• Enable users to access the previous versions of all the files stored on the file servers.
Technical Requirements
Contoso must meet the following technical requirements:
• Minimize the potential attack surface.
• Minimize WAN link utilization between the offices.
• Minimize the number of server licenses purchased.
• Minimize server downtime caused by Applying updates.
• Minimize the amount of administrative effort required to approve the updates.
• Minimize the amount of time it takes for users in the branch offices to access files on
the file servers in the main office.
Problem Statements
Users in the accounting department use a custom Application named App1. The
configurations for App1 can only be changed by editing the registry. Currently, a technician
must visit each client computer in the accounting department to change the App1
configurations.
###EndCaseStudy###
You need to recommend a solution that enables User1 to perform the required actions on the
HyperV server. What should you include in the recommendation?
A.
Active Directory delegation
B.
Authorization Manager role assignment
C.
local security groups on the Hyper-V server
D.
local security groups on the VMs
Explanation:
http ://technet.microsoft.com/en-us/library/dd283030%28v=ws.10%29.aspx
You use Authorization Manager to provide role-based access control for Hyper-V. For instructions on
implementing role-based access control.
Authorization Manager is comprised of the following:
Authorization Manager snap-in (AzMan.msc). You can use the Microsoft Management Console
(MMC) snapin to select operations, group them into tasks, and then authorize roles to perform
specific tasks. You also use it to manage tasks, operations, user roles, and permissions. To use the
snap-in, you must first create an authorization store or open an existing store. For more information,
see http ://go.microsoft.com/fwlink/?
LinkId=134086.Authorization Manager API. The API provides a simplified development model in which to manage
flexible groups and business rules and store authorization policies. For more information, see Rolebased Access
Control (http ://go.microsoft.com/fwlink/?LinkId=134079).
Authorization Manager requires a data store for the policy that correlates roles, users, and access
rights. This is called an authorization store. In Hyper-V, this data store can be maintained in an Active
Directory database or in an XML file on the local server running the Hyper-V role. You can edit the
store through the Authorization Manager snap-in or through the Authorization Manager API, which
are available to scripting languages such as VBScript.
If an Active Directory database is used for the authorization store, Active Directory Domain Services
(AD DS) must be at the Windows Server 2003 functional level.
The XML store does not support delegation of applications, stores, or scopes because access to the
XML file is controlled by the discretionary access control list (DACL) on the file, which grants or
restricts access to the entire contents of the file. (For more information about Authorization
Manager delegation, see http ://go.microsoft.com/fwlink/?LinkId=134075). Because of this, if an
XML file is used for the authorization store, it is important that it is backed up regularly. The NTFS file
system does not support applications issuing a sequence of separate write operations as a single
logical write to a file when multiple applications write to the same file.
This means an Authorization Manager policy file (XML file) could be edited simultaneously by two
administrative applications and could become corrupted. The Hyper-V VSS writer will back up the
authorization store with the server running the Hyper-V role.
http ://technet.microsoft.com/en-us/library/cc725995%28WS.10%29.aspx
A role assignment is a virtual container for application groups whose members are authorized for
the role. A role assignment is based on a single role definition, and a single role definition can be the
basis of many role assignments.
The most common procedure that administrators carry out is the assignment of application groups,
or Windows users and groups, to a role. For step-by-step instructions, see Assign a Windows User or
Group to a Role or
Assign an Application Group to a Role.