###BeginCaseStudy###
Case Study: 13
Blue Yonder Airlines
Scenario
COMPANY OVERVIEW
Blue Yonder Airlines has a main office and four branch offices. Each branch office has six
satellite offices. The main office is located in Sydney. The branch offices are located in
London, New York, Bangkok, and Istanbul. The main office has 1,000 users. Each branch
office has 500 users. Each satellite office has 50 to 100 users.
PLANNED CHANGES
Each satellite office will have a single server deployed. The servers will have the following
server roles installed:
• File server
• Print server
• Read-only Domain Controller (RODC)
Each satellite office will have a local support technician who performs the following tasks:
• Manages printers.
• Manages server backups.
• Manages updates on the server.
Each support technician will only be permitted to manage the server located in his office.
You plan to implement a backup and recovery solution to restore deleted Active Directory
objects. The solution must ensure that the attributes of the deleted objects are restored to the
same state they were in before they were deleted. You plan to deploy a custom sales
Application named App2 to the portable computers of all company sales consultants. The
setup program of App2 requires local administrative privileges. App2 will be updated
monthly.
BUSINESS GOALS
Blue Yonder Airlines has the following business goals:
• Minimize server downtime.
• Minimize administrative effort.
Minimize interruptions to users caused by WAN link failures.
EXISTING ENVIRONMENT
The network contains servers that run either Windows Server 2008 R2 or Windows Server
2008. All client computers were recently replaced with new computers that run Windows 7
Enterprise.
Users do not have local administrator rights on the client computers.
Existing Active Directory/Directory Services
The network contains a single Active Directory domain named blueyonderairlines.com. The
functional level of the domain is Windows Server 2008. All domain controllers run Windows
Server 2008.
Existing Network Infrastructure
All offices have wired and wireless networks.
The main office has a file server that stores large graphics files. The files are used by all of
the users in all of the offices.
A Group Policy is used to assign an Application named App1 to all of the users in the
domain.
The branch offices contain public computers on which temporary employees can browse the
Internet and view electronic brochures. When the employees log on to the public computers,
they must all receive the same user settings. App1 must not be installed on the public
computers. The computer accounts for all of the public computers are in an organizational
unit (OU) name Public.
REQUIREMENTS
Security Requirements
All computers in the domain must have a domain-level security Group Policy object (GPO)
App1ied.
You plan to implement Network Access Protection (NAP) by using switches and wireless
access points (WAPs) as NAP enforcement points.
The public computers must meet the following security requirements:
• Only authorized Applications must be run.
• Automatic updates must be enabled and App1ied automatically.
Users must be denied access to the local hard disk drives and the network shares from the
public computers.
Technical Requirements
The file server in each branch office is configured as shown in the following table.
Each user is allocated 1 GB of storage on the Users share in their local office. Each user must
be prevented from storing files larger than 500 MB on the Data share in their local office.
Blue Yonder Airlines must meet the following requirements for managing App2:
• Sales consultants must use the latest version of the Application.
• When a new version of App2 is installed, the previous version must be uninstalled. Sales
consultants must be able to run App2 when they are disconnected from the network.
###EndCaseStudy###
You need to recommend an administrative solution for the local support technicians in the satellite
offices. The solution must meet the company’s security requirements. What should you include in
the recommendation?
A.
Active Directory delegation
B.
Administrator Role Separation
C.
managed service accounts
D.
Restricted Groups
Explanation:
http ://technet.microsoft.com/en-us/library/cc753170%28WS.10%29.aspx
This topic explains how you can use Administrator Role Separation (ARS) on a read-only domain
controller (RODC) to delegate RODC administration to a user who is not a member of the Domain
Admins group.
One problem encountered by administrators of domain controllers in perimeter networks is that
domain controllers typically have to be set up and administered by domain administrators.
Administrative operations, such as applying software updates, performing an offline
defragmentation, or backing up the system, cannot be delegated.
With the introduction of RODCs, domain administrators can delegate both the installation and the
administration of RODCs to any domain user, without granting them any additional rights in the
domain. The ability to perform this delegation is called ARS.