What should you recommend?

###BeginCaseStudy###
Case Study: 18
Tailspin Toys
Scenario
General Background
You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office
and a manufacturing office. Tailspin Toys recently acquired Wingtip Toys and is in the
beginning stages of merging the IT environments. Wingtip Toys has a main office and a sales
office.
Technical Background
The companies use the network subnets indicated in the following table.

The Tailspin Toys network and the Wingtip Toys network are connected by a point-to-point
dedicated 45 Mbps circuit that terminates in the main offices.
Tailspin Toys
The current Tailspin Toys server topology is shown in the following table.

The Tailspin Toys environment has the following characteristics:
• All servers are joined to the tailspintoys.com domain.
• In the Default Domain Policy, the Retain old events Group Policy setting is enabled.
• An Active Directory security group named “Windows system administrators” is
used to control all files and folders on TT-PRINT01.
• A Tailspin Toys administrator named Marc has been delegated rights to multiple
organizational units (OUs) and objects in the tailspintoys.com domain.
• Tailspin Toys developers use Hyper-V virtual machines (VMs) for development.
There are 20 development VMs named TT-DEV01 through TT-DEV20.
Wingtip Toys
The current Wingtip Toys server topology is shown in the following table.

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain.
Infrastructure Services
You must ensure that the following infrastructure services requirements are met:
• All domain zones must be stored as Active Directory-integrated zones.
• Only DNS servers located in the Tailspin Toys main office may communicate with
DNS servers at Wingtip Toys.
• Only DNS servers located in the Wingtip Toys main office may communicate with
DNS servers at Tailspin Toys.
• All tailspintoys.com resources must be resolved from the Wingtip Toys offices.
• All wingtiptoys.com resources must be resolved from the Tailspin Toys offices.
• Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys
computers.
Delegated Administration
You must ensure that the following delegated administration requirements are met:
• Tailspin Toys IT security administrators must be able to create, modify, and delete
user objects in the wingtiptoys.com domain.
• Members of the Domain Admins group in the tailspintoys.com domain must have full
access to the wingtiptoys.com Active Directory environment.
• A delegation policy must grant minimum access rights and simplify the process of
delegating rights.
• Minimum permissions must always be delegated to ensure that the least privilege is
granted for a job or task.
• Members of the TAILSPINTOYS\Helpdesk group must be able to update drivers and
add printer ports on TT-PRINT01.
• Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print
job on TT-PRINT01.
• Tailspin Toys developers must be able to start, stop, and apply snapshots to their
development VMs.
IT Security
You must ensure that the following IT security requirements are met:
• Server security must be automated to ensure that newly deployed servers
automatically have the same security configuration as existing servers.
• Auditing must be configured to ensure that the deletion of user objects and OUs is
logged.
• Microsoft Word and Microsoft Excel files must be automatically encrypted when
uploaded to the Confidential document library on the Tailspin Toys Microsoft SharePoint
site.
• Multifactor authentication must control access to Tailspin Toys domain controllers.
• All file and folder auditing must capture the reason for access.
• All folder auditing must capture all delete actions for all existing folders and newly
created folders.
• New events must be written to the Security event log in the tailspintoys.com domain
and retained indefinitely.
• Drive X:\ on TT-FILE01 must be encrypted by using Windows BitLocker Drive
Encryption and must automatically unlock.
###EndCaseStudy###

You are planning for the IT integration of Tailspin Toys and Wingtip Toys. The company has decided
on the following name resolution requirements:
• Name resolution for Internet-based resources must continue to operate by using the same
DNS servers as prior to the merger.
• The existing connectivity between Tailspin Toys and Wingtip Toys must be used for all
network communication.
• The documented name resolution goals must be met.
You need to provide a name resolution solution that meets the requirements. What should you
recommend? (Choose all that apply.)

A.
On TT-DC01, TT-DC02, TT-DC03, and TT-DC04, add forwarders with the IP addresses of
172.16.10.10 and 172.16.10.11.

B.
On TT-DC01, add a conditional forwarder for wingtiptoys.com, use 172.16.10.10 and 172.16.10.11
as the IP addresses, and then configure it to replicate to all DNS servers in the tailspintoys.com
domain.

C.
On TT-DC01, TT-DC02, TT-DC03, and TT-DC04, add a secondary DNS zone for wingtiptoys.com and
specify 172.16.10.10 and 172.16.10.11 as the master DNS servers.

D.
On WT-DC01 and WT-DC02, add a secondary DNS zone for tailspintoys.com and specify
10.10.10.10 and 10.10.10.11 as the master DNS servers.

E.
On WT-DC01, WT-DC02, WT-DC03, and WT-DC04, add forwarders with the IP addresses of
10.10.10.10 and 10.10.10.11.

F.
On WT-DC01, add a conditional forwarder for tailspintoys.com, use 10.10.10.10 and 10.10.10.11
as the IP addresses, and configure it to replicate to all DNS servers in the wingtiptoys.com domain.

Explanation:

Conditional forwarding controls where a DNS server forwards queries for a specific domain.
A DNS server on one network can be configured to forward queries to a DNS server on another
network without having to query DNS servers on the Internet. Conditional forwarders can also
help companies resolve each other’s namespaces when they collaborate or a merger is
underway.
Forwarders and Forwarding
When a name server is queried in DNS, the way it responds depends on the type of query issued,
which can be either iterative or recursive. In an iterative query, the client asks the name server for
the best possible answer to its query. The name server checks its cache and the zones for which it is
authoritative and returns the best possible answer to the client, which could be either a full answer
like “here is the IP address of the host you are looking for” or a partial answer like “try this other
name server instead, it might know the answer.”
In a recursive query, things work a little differently: the client demands either a full answer
(the IP address of the target host) or an error message like “sorry, name not found.” In Windows
DNS, client machines always send recursive queries to name servers, and name servers usually send
iterative queries to other name servers.
What Conditional Forwarding Does
A conditional forwarder is one that handles name resolution only for a specific domain. For example,
you could configure your name server to forward any requests for hosts in the domain google.com
directly to a specific name server that is authoritative for the google.com domain. This speeds up
the name resolution process by eliminating the need to go up to the root to find the
authoritative server.
So in our question above we would create a conditional forwarder in wingtiptoys.com for
tailspintoys.com and then create a conditional forwarder in tailspintoys.com for wingtiptoys.com.
Additionally, in Server 2008 there is a separate node in DNS Manager for configuring conditional
forwarders. Previously, if you wanted to configure forwarding for a certain DNS domain on all DNS
servers, you had to configure each DNS server separately.

These conditional forwarders can be configured centrally and can be Active Directory-integrated.
This means they are stored in Active Directory and you can configure a replication scope, in the
same way you can with AD-integrated DNS zones. They can be replicated using the following scopes:
– All DNS servers in this forest (through the ForestDNSZones application partition)
– All DNS servers in this domain (through the DomainDNSZones application partition)
– All domain controllers in this domain (for Windows 2000 compatibility), stored in the domain
partition
– A custom application partition of your choosing, if you want to replicate only to certain domain
controllers (that are probably your DNS servers)
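
The tailspintoys.com side of the recommendation above, as an added PowerShell example that is not part of the original explanation: it creates the wingtiptoys.com conditional forwarder once on TT-DC01 with domain-wide replication, then checks every DNS server, including that the general (Internet) forwarders were left untouched. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, rather than the Server 2008 DNS Manager the text mentions) and that TT-DC01 through TT-DC04 are the domain's DNS servers, as the answer options imply.

```powershell
# Added example, not from the original page. Server names and IP addresses
# are taken from the answer options; everything else is an assumption.
$zone     = 'wingtiptoys.com'
$masters  = '172.16.10.10', '172.16.10.11'
$dnsHosts = 'TT-DC01', 'TT-DC02', 'TT-DC03', 'TT-DC04'

# Snapshot the general forwarders first: Internet name resolution must keep
# using the same DNS servers as before the merger.
$before = @{}
foreach ($h in $dnsHosts) {
    $ips = @((Get-DnsServerForwarder -ComputerName $h).IPAddress.IPAddressToString)
    $before[$h] = ($ips | Sort-Object) -join ','
}

# Create the conditional forwarder once. ReplicationScope 'Domain' stores it
# in the DomainDNSZones application partition, so the other DNS servers in
# the domain receive it through Active Directory replication.
$existing = Get-DnsServerZone -Name $zone -ComputerName 'TT-DC01' -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters `
        -ReplicationScope 'Domain' -ComputerName 'TT-DC01'
}

# Run this part again after replication has completed: one row per server.
$report = foreach ($h in $dnsHosts) {
    $z     = Get-DnsServerZone -Name $zone -ComputerName $h -ErrorAction SilentlyContinue
    $ips   = @((Get-DnsServerForwarder -ComputerName $h).IPAddress.IPAddressToString)
    $after = ($ips | Sort-Object) -join ','
    $soa   = Resolve-DnsName -Name $zone -Type SOA -Server $h -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server              = $h
        ConditionalFwdZone  = ($null -ne $z -and $z.ZoneType -eq 'Forwarder')
        AdIntegrated        = [bool]$z.IsDsIntegrated
        ReplicationScope    = $z.ReplicationScope
        MasterServers       = $z.MasterServers.IPAddressToString -join ','
        ResolvesZone        = [bool]$soa
        ForwardersUnchanged = ($before[$h] -eq $after)
    }
}
$report | Format-Table -AutoSize

# The reverse direction is the mirror image: a tailspintoys.com conditional
# forwarder created on WT-DC01 that points at 10.10.10.10 and 10.10.10.11.
```

A row where `ConditionalFwdZone` is false means replication has not reached that server yet; a row where `ForwardersUnchanged` is false means the general forwarder list was modified, which would change how Internet names are resolved.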


