Your network consists of one Active Directory domain. The functional level of the domain is
Windows Server 2008. The domain has 30 domain controllers. Twenty administrators manage the
domain. You plan to implement an audit and compliance policy. You need to ensure that all changes
made to Active Directory objects are recorded. What should you do?
A.
On all domain controllers, run the Security Configuration Wizard (SCW).
B.
In the Default Domain Controller Policy, configure a Directory Services Auditing policy.
C.
In the Default Domain Controller Policy, configure and implement a file-level audit policy for the
SYSVOL volume.
D.
Create a Group Policy object (GPO) linked to the Domain Controllers OU. Configure the GPO to
install the Microsoft Baseline Security Analyzer (MBSA).
Explanation:
To implement an audit and compliance policy and ensure that all changes made to Active Directory
objects are recorded, you need to configure a Directory Services Auditing policy in the Default
Domain Controller Policy. In Windows Server 2008, you can enable Audit Directory Service Access
policy to log events in the Security event log whenever certain operations are performed on objects
stored in Active Directory. Enabling the global audit policy, Audit directory service access, enables all
directory service policy subcategories. You can set this global audit policy in the Default Domain
Controllers Group Policy (under Security Settings\Local Policies\Audit Policy).
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881cea8e02b4b2a51033.mspx?mfr=true