###BeginCaseStudy###
Case Study: 6
Lucerne Publishing
Scenario:
COMPANY OVERVIEW
Overview
Lucerne Publishing is a large publishing company that produces both traditional books and ebooks.
Physical Location
The company has a main office and a branch office. The main office is located in New York.
The branch office is located in San Francisco. The main office has a satellite office located in
Boston. The company has 7,500 users.
EXISTING ENVIRONMENT
Active Directory Environment
The network contains an Active Directory forest. The forest contains a single domain named
lucernepublishing.com.
Network Infrastructure
Client computers in the New York office and the San Francisco office run either Windows
Vista or Windows XP. All client computers in the Boston office run Windows 7.
The company has a finance department. All of the client computers in the finance department
run Windows XP. The finance department uses an Application named App1. App1 only runs
on Windows XP.
The relevant servers in the New York office are configured as shown in the following table.
The servers have the following configurations:
• Remote Desktop is enabled on all servers.
• The passwords for all service accounts are set to never expire.
• Server1 stores roaming user profiles for users in the Boston office.
• SQL1 and SQL2 are deployed in a two-node failover cluster named Cluster1.
• All servers have Pre-Boot Execution Environment (PXE)-compliant network adapters.
• The servers in the San Francisco office contain neither a recovery partition nor optical media drives.
• DFS1 and DFS2 are members of the same DFS Replication group. The DFS namespace is configured to use Windows 2000 Server mode.
The Boston office has no servers. The Boston office connects to the New York office by
using a dedicated hardware VPN device.
The finance department publishes monthly forecast reports that are stored in DFS.
REQUIREMENTS
Business Goals
Lucerne Publishing must minimize administrative costs, hardware costs, software costs, and
development costs, whenever possible.
Planned Changes
All client computers will be upgraded to Windows 7.
A VPN server will be deployed in the main office. All VPN clients must have the latest
Windows updates before they can access the internal network.
You plan to deploy a server that has the Remote Desktop Gateway (RD Gateway) role
service installed.
Technical Requirements
Lucerne Publishing must meet the following technical requirements:
• Upgrade all client computers to Windows 7.
• Minimize Group Policy-related replication traffic.
• Ensure that App1 can be used from client computers that run Windows 7.
• Ensure that users can use App1 when they are disconnected from the network.
• Ensure that you can perform a bare metal recovery of the servers in the San Francisco
office.
• Minimize the amount of time it takes users in the Boston office to log on to their
client computers.
• Ensure that domain administrators can connect remotely to all computers in the
domain through RD Gateway.
• Ensure that file server administrators can access DFS servers and file servers through
the RD Gateway.
• Prevent file server administrators from accessing other servers through the RD Gateway.
Security Requirements
Lucerne Publishing must meet the following security requirements:
• USB storage devices must not be used on any servers.
• The passwords for all user accounts must be changed every 60 days.
• Users must only be able to modify the financial forecast reports on DFS1. DFS2 must contain a read-only copy of the financial forecast reports.
• All operating system drives on client computers that run Windows 7 must be
encrypted.
• Only approved USB storage devices must be used on client computers that run Windows 7.
###EndCaseStudy###
You need to recommend an RD Gateway configuration that meets the company’s technical
requirements. What should you recommend?
A. Create two Remote Desktop connection authorization policies (RD CAPs) and one Remote Desktop resource authorization policy (RD RAP).
B. Create one Remote Desktop connection authorization policy (RD CAP) and two Remote Desktop resource authorization policies (RD RAPs).
C. Create one Remote Desktop resource authorization policy (RD RAP) and deploy the Remote Desktop Connection Broker (RD Connection Broker) role service.
D. Create one Remote Desktop connection authorization policy (RD CAP) and deploy the Remote Desktop Connection Broker (RD Connection Broker) role service.
Explanation:
CAP = who can connect; RAP = which resources are available to them.
Connection Authorization Policies (CAP)
Terminal Services connection authorization policies (TS-CAPs; TS Gateway is the Windows Server 2008 name of the RD Gateway role service, and RD CAPs work the same way) specify which users are allowed to connect through the TS Gateway server to resources located on your organization's internal network. This is usually done by specifying a local group on the TS Gateway server or a group within Active Directory. Groups can include user or computer accounts. You can also use TS-CAPs to specify whether remote clients must use password or smart-card authentication to access internal network resources through the TS Gateway server. TS-CAPs can be used in conjunction with NAP.
Resource Authorization Policies (RAP)
Terminal Services resource authorization policies (TS-RAPs) determine the specific resources on an organization's network that an incoming TS Gateway client can connect to. When you create a TS-RAP you specify a group of computers that you want to grant access to and the group of users that will be allowed this access. For example, you could create a group of computers called AccountsComputers that is accessible only to members of the Accountants user group. To be granted access to internal resources, a remote user must meet the conditions of at least one TS-CAP and at least one TS-RAP; a user who passes a CAP but matches no RAP for the requested computer is still denied.
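As an added example (not part of the original question or explanation), this is how the three RD Gateway technical requirements from the case study map onto CAP and RAP objects using the RemoteDesktopServices PowerShell provider on Windows Server 2008 R2 or later. The group name "File Server Admins", the computer list in the managed group, and the numeric codes given for -AuthMethod and -ComputerGroupType are assumptions for this scenario; confirm them against the provider documentation on your own gateway before running.

```powershell
# Added example: RD Gateway authorization for the Lucerne Publishing requirements.
# Run on the RD Gateway server (Windows Server 2008 R2 or later) as an administrator.
# Group and computer names are assumed for this scenario; the numeric codes for
# -AuthMethod and -ComputerGroupType are taken from the RemoteDesktopServices provider
# documentation as remembered and should be verified before use.
Import-Module RemoteDesktopServices

$domain       = 'lucernepublishing'
$domainAdmins = "Domain Admins@$domain"
$fileAdmins   = "File Server Admins@$domain"   # assumed group name

# One CAP: both admin groups may connect through the gateway, password authentication.
# AuthMethod: 1 = password, 2 = smart card, 3 = either (assumed mapping).
New-Item -Path RDS:\GatewayServer\CAP -Name 'Admins-CAP' `
    -UserGroups $domainAdmins, $fileAdmins -AuthMethod 1

# RD Gateway-managed computer group that lists only the DFS and file servers.
# (DFS1 and DFS2 come from the case study; the FQDNs are assumed.)
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'FileServers' `
    -Description 'DFS and file servers reachable by file server admins' `
    -Computers "DFS1.$domain.com", "DFS2.$domain.com"

# RAP 1: domain administrators may reach any computer in the domain.
# ComputerGroupType: 0 = gateway-managed group, 1 = AD security group,
# 2 = any network resource (assumed mapping).
New-Item -Path RDS:\GatewayServer\RAP -Name 'DomainAdmins-RAP' `
    -UserGroups $domainAdmins -ComputerGroupType 2

# RAP 2: file server administrators may reach only the FileServers group.
# Because no other RAP names this user group, every other destination is denied
# for them even though the CAP lets them connect to the gateway.
New-Item -Path RDS:\GatewayServer\RAP -Name 'FileAdmins-RAP' `
    -UserGroups $fileAdmins -ComputerGroupType 0 -ComputerGroup 'FileServers'

# Verify: one CAP and two RAPs should now exist, and the file-admin RAP should
# reference only the managed group.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP | Format-Table Name
Get-ChildItem RDS:\GatewayServer\RAP\FileAdmins-RAP

# Detection: the gateway logs each CAP/RAP decision (met / not met) to this channel;
# review it after the change to confirm file server admins are denied elsewhere.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

The resulting layout gives every administrator the same connection rule but a different resource rule, which is the separation the technical requirements ask for.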