Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to plan an auditing strategy that meets the following requirements:
– Audits all changes to Active Directory Domain Services (AD DS)
– Stores all auditing data in a central location
What should you include in your plan?
A.
Configure an audit policy for the domain. Configure Event Forwarding.
B.
Configure an audit policy for the domain controllers. Configure Data Collector Sets.
C.
Implement Windows Server Resource Manager (WSRM) in managing mode.
D.
Implement Windows Server Resource Manager (WSRM) in accounting mode.
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:The configuration of a subscription filter is more like the configuration of a custom view in that you are able to specify multiple event log sources, rather than just a single Event Log source. In addition, the subscription will be saved whereas you need to re-create a filter each time you use one. By default, all collected Event Log data will be written to the Forwarded Event Event Log. You can forward data to other logs by configuring the properties of the subscription. Even though you use a filter to retrieve only specific events from source computers and place them in the destination log, you can still create and apply a custom view to data that is located in the destination log. You could create a custom view for each source computer, which would allow you to quickly limit events to that computer rather than viewing data from all source computers at the same time.
You configure collector initiated subscriptions through the application of Group Policy. To do this you must configure the collector computer in the same manner as you did in the previous steps. When configuring the subscription type, select Source Computer Initiated rather than Collector Initiated. To set up the source computers, apply a GPO where you have configured the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node and configure the Server Address, Refresh Interval, And Issuer Certificate policy with the details of the collector computer, as shown in Figure 7-10.
Auditing enhancements You can use the new Directory Service Changes audit policy subcategory when auditing Windows Server 2008 AD DS. This lets you log old and new values when changes are made to AD DS objects and their attributes. You can also use this new feature when auditing Active Directory Lightweight Directory Services (AD LDS).
Planning AD DS Auditing
In Windows Server 2008, the global audit policy Audit Directory Service Access is enabled by default. This policy controls whether auditing for directory service events is enabled or disabled. If you configure this policy setting by modifying the Default Domain Controllers Policy, you can specify whether to audit successes, audit failures, or not audit at all. You can control what operations to audit by modifying the System Access Control List (SACL) on an object. You can set a SACL on an AD DS object on the Security tab in that objects Properties dialog box.
As an administrator one of your tasks is to configure audit policy. Enabling success or failure auditing is a straightforward procedure. Deciding which objects to audit; whether to audit success, failure or both; and whether to record new and old values if changes are made is much more difficult. Auditing everything is never an optiontoo much information is as bad as too little. You need to be selective. In Windows 2000 Server and Windows Server 2003, you could specify only whether DS access was audited. Windows Server 2008 gives you more granular control. You can audit the following:
DS access
DS changes (old and new values)
DS replication