you need to collect the error events from all of the web servers

Your network contains an Active Directory domain named adatum.com. The domain contains a member server
named Server1 and 10 web servers. All of the web servers are in an organizational unit (OU) named
WebServers_OU. All of the servers run Windows Server 2012 R2.
On Server1, you need to collect the error events from all of the web servers. The solution must ensure that
when new web servers are added to WebServers_OU, their error events are collected automatically on
Server1.
What should you do?

Your network contains an Active Directory domain named adatum.com. The domain contains a member server
named Server1 and 10 web servers. All of the web servers are in an organizational unit (OU) named
WebServers_OU. All of the servers run Windows Server 2012 R2.
On Server1, you need to collect the error events from all of the web servers. The solution must ensure that
when new web servers are added to WebServers_OU, their error events are collected automatically on
Server1.
What should you do?

A.
On Server1, create a source computer initiated subscription. From a Group Policy object (GPO), configure
the Configure target Subscription Manager setting.

B.
On Server1, create a source computer initiated subscription. From a Group Policy object (GPO), configure
the Configure forwarder resource usage setting.

C.
On Server1, create a collector initiated subscription. From a Group Policy object (GPO), configure the
Configure forwarder resource usage setting.

D.
On Server1, create a collector initiated subscription. From a Group Policy object (GPO), configure the
Configure target Subscription Manager setting.

Explanation:

Source-initiated subscriptions allow you to define a subscription on an event collector computer without
defining the event source computers, and then multiple remote event source computers can be set up (using a
group policy setting) to forward events to the event collector computer. This differs from a collector initiated
subscription because in the collector initiated subscription model, the event collector must define all the event
sources in the event subscription.
1. Run the following command from an elevated privilege command prompt on the Windows Server domain
controller to configure Windows Remote Management: winrm qc -q
2. Start group policy by running the following command: %SYSTEMROOT%\System32\gpedit. msc
3. Under the Computer Configuration node, expand the Administrative Templates node, then expand the
Windows Components node, then select the Event Forwarding node.
4. Right-click the SubscriptionManager setting, and select Properties. Enable the SubscriptionManager setting,
and click the Show button to add a server address to the setting. Add at least one setting that specifies the
event collector computer. The SubscriptionManager Properties window contains an Explain tab that describes
the syntax for the setting.
5. After the SubscriptionManager setting has been added, run the following command to ensure the policy is
applied: gpupdate /force.
If you want to configure a source computer-initiated subscription, you need toconfigure the following group
policies on the computers that will act as the event forwarders:
* (A) Configure Target Subscription Manager This policy enables you to set the location of the collector
computer.

Show Hint

Leave a Reply 6

Your email address will not be published. Required fields are marked *

Niels

Niels

“Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.”
– Quote: https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

B

Reply

ilovehc

ilovehc

It is D because in this policy you can set up the name/IP of the Subscription manager server. The B is a different policy which allows you to put a limit on the number of events you send to the target server in order to limit the load.

The description for: Configure target Subscription Manager settings

This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.

If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.

Use the following syntax when using the HTTPS protocol:
Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. When using the HTTP protocol, use port 5985.

If you disable or do not configure this policy setting, the Event Collector computer will not be specified.

Reply

ilovehc

ilovehc

SORRY I MEAN IT’S A

Reply

den

den

interesting that the explanation is about gpedit.msc which is for local policy, but all of the answers state GPO, so I assume you create a GPO that will apply to all of the web servers, also newly joined ones. therefore you just take’em up in the domain and you do not have to configure anything further as they get their config by that GPO.
so GPMC.msc might be the better choice 😉

Reply

mist74

mist74

Checked already by myself, it is A. In GPO on the branch:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\Configure targert Subscription Manager
witch description:
“This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. …”

Reply