###BeginCaseStudy###
Topic 6, Contoso Ltd, Case B
Background
OverviewContoso, Ltd., is a software development company. Contoso has a main office in London and two branch
offices, one in Madrid and the other in Dublin. The company is in the process of adopting Microsoft Azure to
host business critical resources and applications.
Contoso has an Active Directory Domain Services (AD DS) domain named contoso.com. All devices in the
three offices are members of the domain. Each office has a dedicated organizational unit (OU) in the root of
the domain named London. Madrid, and Dublin, respectively. Each office OU has three child OUs named
Computers, Users, and Groups.
The local Administrator account is disabled on all client devices in the domain by using a Group Policy object
(GPO) named SecurityConflguration that is linked to the root of the domain. Contoso’s security department
also has a GPO named WSUSConfiguration. WSUSConfiguration defines the configuration of Windows
Update Services on the Windows Server Update Services (WSUS) server named WSUS1.
You have a GPO named RemoteSales that uses a WMI filter. The GPO prevents users from launching
applications that are not approved.
DNS Services
Contoso uses a DNS service that is installed on two domain controllers in the main office. The domain
controllers are named DO and DC2. Both DO and DC2 run Windows Server 2008 R2. Both domain controllers
host Active Directory integrated zones named contoso.com and lab.contoso.com. The zones are configured
to allow only secure updates.
Research
Contoso creates a new research department to develop integration between Contoso’s software and public
cloud services.
Finance Department
Users in the finance department use a client-server application named App1. App1 uses custom Active
Directory attributes to store encryption keys. App1 is a business critical application that must be migrated to
Windows Azure.
A server named SERVER2 hosts Appl. SERVER2 runs Windows Server 2008 R2. The disk configuration for
SERVER2 is shown in the following table:
A server named SERVER1 hosts a database that is used by Appl. SERVER1 runs Windows Server 2008 R2 and
SQL Server 2008 R2. The disk configuration for SERVER1 is shown in the following table:
The Contoso management team plans to increase the use of Appl. To accommodate these plans, the size of
the datable must be increased
Sales Department
Users in the sales department use laptop computers when they travel. Salespeople use a legacy application
named ContosoSales on their laptop computers. Salespeople can use a pool of shared desktop computers in
each office.
The ContosoSales app is dependent on a specific registry key that is frequently overwritten by third-party
applications. This causes the ContosoSales app to stop working.
Business Requirements
All DNS servers must be placed in a physically secure location.
Software development department
All software developers must migrate their servers and workstations to the DNS domain lab.contoso.com to
ensure that frequent changes to DNS do not interfere with the production environment.
Finance department
All servers that host App1 must be migrated to Windows Azure. A new Azure virtual machine (VM) named
CL0UD2 must be deployed to Windows Azure.
Sales department
Users in the sales department should not be able to run applications on their laptop computers that are not
approved by the security department. Users in the sales department should have no such restrictions while
they work on the desktop computers in the office.
Technical Requirements
App1 requirements
You have the following requirements: The size of the database for App1 must be increased to 8 TB.
The encryption keys for App1 should not be replicated to the offices where physical
server security is not guaranteed.
The amount of disk space that is used by Windows Azure must be minimized.
Infrastructure requirements
You have the following requirements:
The lab.contoso.com DNS domain zone must not be replicated or transferred to DNS
servers outside of the London office.
A new DNS domain zone named research.contoso.com must be deployed for users in
the research department.
The research.contoso.com DNS domain zone must be protected by using DNS
Security Extensions {DNSSEC).
All computers in the London and Madrid offices must install Windows Updates from
the server WSUS1.
A new domain controller for the contoso.com domain must be deployed in the
Madrid office.
Replication traffic must be minimized when the new domain controllers are
deployed.
New WMI filters must not conflict with existing WMI filters.
###EndCaseStudy###
This question consists of two statements: One is named Assertion and the other is named Reason. Both of
these statements may be true; both may be false; or one may be true, while the other may be false.
To answer this question, you must first evaluate whether each statement is true on its own. If both
statements are true, then you must evaluate whether the Reason (the second statement) correctly explains
the Assertion (the first statement). You will then select the answer from the list of answer choices that
matches your evaluation of the two statements.
Assertion:
You must host the DNS zone research.contoso.com on MADSRV1.
Reason:
You must host Domain Name System Security Extensions (DNSSEQ zones on Active Directory Domain
Services-integrated DNS servers.
Evaluate the Assertion and Reason statements and choose the correct answer option.
A.
Both the Assertion and Reason are true, and the Reason is the correct explanation for the Assertion,B. Both the Assertion and Reason are true, but the Reason is not the correct explanation for the Assertion.
C.
The Assertion is true, but the Reason is false.
D.
The Assertion is false, but the Reason is true.
E.
Both the Assertion and the Reason are false.
Why do we need the DNS in a new server? is only because we need the reason?
First of all, there must be something wrong with the statements, the questions, and the answers of this topic. Because for example, I can’t find anything about MADSRV1 in the statement.
So I assume it is the new DC in Madrid office.
Now, given the following statements:
“A new DNS domain zone named research.contoso.com must be deployed for users in the research department.
The research.contoso.com DNS domain zone must be protected by using DNS Security Extensions {DNSSEC).”
DNSSEC doesn’t support dynamic update of AD-integrated zones, neither secure nor non-secure. So you can’t deploy research.contoso.com on DC1 or DC2.
Where can you put it?
I did some researches based on your comment but I found this:
In Windows Server 2012, DNS Security Extensions (DNSSEC) support is extended to include online signing and automated key management.
Other enhancements to DNSSEC include:
Support for Active Directory-integrated DNS scenarios including DNS dynamic updates in DNSSEC signed zones.
I forgot we’re talking about 2008 R2 here, I think you’re completely right.