What should you recommend on each branch office domain controller?

Your company has one main office and 10 branch offices. The network consists of one Active
Directory domain. All domain controllers run Windows Server 2008 and are located in the main
office. You plan to deploy one Windows Server 2008 domain controller in each branch office. You
need to recommend a security solution for the branch office domain controllers. The solution must
prevent unauthorized users from copying the Active Directory database from a branch office domain
controller by starting the server from an alternate startup disk. What should you recommend on
each branch office domain controller?

A. Enable the secure server IPsec policy.

B. Enable the read-only domain controller (RODC) option.

C. Enable Windows BitLocker Drive Encryption (BitLocker).

D. Enable an Encrypting File System (EFS) encryption on the %Systemroot%\NTDS folder.

Explanation:
To ensure that no unauthorized user can copy the Active Directory database from a branch office
domain controller by starting the server from an alternate startup disk, use Windows BitLocker
Drive Encryption (BitLocker) on each branch office domain controller.
BitLocker encrypts all data stored on the Windows operating system volume and uses a Trusted
Platform Module (TPM) to help protect user data and to ensure that a computer running Windows
Vista or Windows Server 2008 has not been tampered with while the system was offline. In addition,
BitLocker offers the option to lock the normal startup process until the user supplies a personal
identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains
a startup key. This ensures that users can access the files on the server if they have the PIN.
Starting the server from an alternate startup disk does not expose the data, because the volume
remains encrypted.
BitLocker Drive Encryption Technical Overview
http://technet2.microsoft.com/windowsserver2008/en/library/a2ba17e6-153b-4269-bc46-6866df4b253c1033.mspx?mfr=true


