PrepAway - Latest Free Exam Questions & Answers

Which actions should you recommend performing for each …

###BeginCaseStudy###
Topic 3: Northwind Traders
No. of Questions: 10
Overview
Northwind Traders is an IT services and hosting provider.
Northwind Traders has two main data centers in North America. The data centers are located in the same city. The data centers connect to each other by using high-bandwidth, low-latency WAN links. Each data center connects directly to the Internet.
Northwind Traders also has a remote office in Asia that connects to both of the North American data centers by using a WAN link. The Asian office has 30 multipurpose servers.
Each North American data center contains two separate network segments. One network segment is used to host the internal servers of Northwind Traders. The other network segment is used for the hosted customer environments.
Existing Environment
Active Directory:
The network contains an Active Directory forest named northwindtraders.com. The forest contains a single domain. All servers run Windows Server 2012 R2.
Server Environment:
The network has the following technologies deployed:
Service Provider Foundation
Windows Azure Pack for Windows Server
System Center 2012 R2 Virtual Machine Manager (VMM)
An Active Directory Rights Management Services (AD RMS) cluster
An Active Directory Certificate Services (AD CS) enterprise certification authority (CA)
All newly deployed servers will include the following components:
Dual 10-GbE Remote Direct Memory Access (RDMA)-capable network adapters
Dual 1-GbE network adapters
128 GB of RAM
Requirements
Business Goals:
Northwind Traders will provide hosting services to two customers named Customer1 and Customer2.
The network of each customer is configured as shown in the following table.

Planned Changes:
Northwind Traders plans to implement the following changes:
Deploy System Center 2012 R2 Operations Manager.
Deploy Windows Server 2012 R2 iSCSI and SMB-based storage.
Implement Hyper-V Recovery Manager to protect virtual machines.
Deploy a certificate revocation list (CRL) distribution point (CDP) on the internal network.
For Customer 1, install server authentication certificates issued by the CA of Northwind Traders on the virtual machine in the hosting networks.
General Requirements:
Northwind Traders identifies the following requirements:
Storage traffic must use dedicated adapters.
All storage and network traffic must be load balanced.
The amount of network traffic between the internal network and the hosting network must be minimized.
The publication of CRLs to CDPs must be automatic.
Each customer must use dedicated Hyper-V hosts.
Administrative effort must be minimized, whenever possible.
All servers and networks must be monitored by using Operations Manager.
Anonymous access to internal file shares from the hosting network must be prohibited.
All Hyper-V hosts must use Cluster Shared Volume (CSV) shared storage to host virtual machines.
All Hyper-V storage and network traffic must remain available if a single network adapter fails.
The Hyper-V hosts connected to the SMB-based storage must be able to make use of the RDMA technology.
The number of servers and ports in the hosting environment to which the customer has access must be minimized.
Customer1 Requirements:
Northwind Traders identifies the following requirements for Customer1:
Customer1 must use SMB-based storage exclusively.
Customer1 must use App Controller to manage hosted virtual machines.
The virtual machines of Customer1 must be recoverable if a single data center fails.
Customer1 must be able to delegate self-service roles in its hosted environment to its users.
Customer1 must be able to check for the revocation of certificates issued by the CA of Northwind Traders.
The users of Customer1 must be able to obtain use licenses for documents protected by the AD RMS of Northwind Traders.
Certificates issued to the virtual machines of Customer1 that reside on the hosted networks must be renewed automatically.
Customer2 Requirements:
Northwind Traders identifies the following requirements for Customer2:
Customer2 must use iSCSI-based storage exclusively.
All of the virtual machines of Customer2 must be migrated by using a SAN transfer.
None of the metadata from the virtual machines of Customer2 must be stored in Windows Azure.
The network configuration of the Hyper-V hosts for Customer2 must be controlled by using logical switches.
The only VMM network port profiles and classifications allowed by Customer2 must be low-bandwidth, medium-bandwidth, or high-bandwidth.
The users at Northwind Traders must be able to obtain use licenses for documents protected by the AD RMS cluster of Customer2.
Customer2 plans to decommission its AD RMS cluster during the next year.

###EndCaseStudy###

You need to recommend a solution that meets the AD RMS requirements of Customer1 and Customer2.
Which actions should you recommend performing for each customer? To answer, select the appropriate customer for each action in the answer area.
Hot Area:


Answer:

Explanation:
with certbase

https://technet.microsoft.com/en-us/library/cc755156.aspx
The Customer1 requirements section states:
The users of Customer1 must be able to obtain use licenses for documents protected by the AD RMS of Northwind Traders.
The Customer2 requirements section states:
The users at Northwind Traders must be able to obtain use licenses for documents protected by the AD RMS cluster of Customer2.
Customer2 plans to decommission its AD RMS cluster during the next year.
You can create AD RMS trust policies so that AD RMS can process licensing requests for content that was rights-protected by a different AD RMS cluster. Trust policies can be defined as follows:
Trusted User Domains
The addition of a trusted user domain allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.

https://technet.microsoft.com/en-us/library/dd983944(v=ws.10).aspx
Trusted Publishing Domains

The addition of a trusted publishing domain allows one AD RMS cluster to issue use licenses against publishing licenses that were issued by a different AD RMS cluster. You add a trusted publishing domain by importing the server licensor certificate and private key of the server to trust.

https://technet.microsoft.com/en-us/library/dd996639(v=ws.10).aspx
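
The two imports described above, as an added PowerShell example (not part of the original explanation), run on a server of the cluster that grants the trust. It uses the `Import-RmsTUD` and `Import-RmsTPD` cmdlets of the AdRmsAdmin module; the drive name, display names and file paths are placeholders.

```powershell
# Added example. Run in an elevated session on a server of the trusting
# AD RMS cluster (in the case study, the Northwind Traders cluster).
Import-Module AdRmsAdmin

# Expose the local cluster as a PowerShell drive through the AD RMS provider.
# "NwtRms" is a placeholder drive name.
New-PSDrive -Name NwtRms -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

# --- Trusted user domain (TUD) ---
# Input: the other cluster's exported server licensor certificate (public part only).
# Effect: this cluster accepts RACs issued by that cluster, so those users can
# request use licenses here (the Customer1 requirement).
$tudFile = 'C:\Trust\Customer1-TUD.bin'          # placeholder path
if (-not (Test-Path $tudFile)) { throw "TUD export not found: $tudFile" }
Import-RmsTUD -Path NwtRms:\TrustPolicy\TrustedUserDomain `
              -DisplayName 'Customer1 TUD' `
              -SourceFile $tudFile

# --- Trusted publishing domain (TPD) ---
# Input: the other cluster's exported server licensor certificate AND private key,
# protected by the password chosen at export time.
# Effect: this cluster can issue use licenses against publishing licenses that the
# other cluster issued, which keeps working after that cluster is decommissioned
# (the Customer2 requirement).
$tpdFile     = 'C:\Trust\Customer2-TPD.xml'      # placeholder path
if (-not (Test-Path $tpdFile)) { throw "TPD export not found: $tpdFile" }
$tpdPassword = Read-Host -AsSecureString -Prompt 'Password of the TPD export'
Import-RmsTPD -Path NwtRms:\TrustPolicy\TrustedPublishingDomain `
              -DisplayName 'Customer2 TPD' `
              -SourceFile $tpdFile `
              -Password $tpdPassword

# Review what the cluster now trusts.
Get-ChildItem NwtRms:\TrustPolicy\TrustedUserDomain       | Format-List *
Get-ChildItem NwtRms:\TrustPolicy\TrustedPublishingDomain | Format-List *

# The TPD export contains private key material: delete the transfer copy after import.
Remove-Item -Path $tpdFile
```

A TUD import only extends which users this cluster will serve; a TPD import hands this cluster the other cluster's signing key, so the export file and its password deserve the same handling as any private key backup.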

Windows Live ID
Setting up a trust with Microsoft’s online RMS service allows an AD RMS user to send rights-protected content to a user with a Windows Live ID. The Windows Live ID user will be able to consume rights-protected content from the AD RMS cluster that has trusted Microsoft’s online RMS service, but the Windows Live ID user will not be able to create content that is rights-protected by the AD RMS cluster.

Microsoft Federation Gateway
Establishing a trust through the Microsoft Federation Gateway enables an AD RMS cluster to accept certification and licensing requests from external organizations by accepting claims-based authentication tokens from the Microsoft Federation Gateway. In effect, the Microsoft Federation Gateway acts as a trusted broker between the two organizations by verifying the identity of the two organizations in the transaction. Unlike a federated trust, establishing a trust relationship through Microsoft Federation Gateway does not require a forest in one organization to explicitly federate with a forest in the other organization. Instead, you can use filter lists to determine which domains can receive certificates or licenses from the AD RMS cluster.
The following diagram illustrates the flow of data between a remote user and an AD RMS cluster that is federated to the remote user’s forest.

4 Comments on “Which actions should you recommend performing for each …

  1. Marvin says:

    Most organizations implement a trusted publishing domain to issue licenses for documents that a deprovisioned cluster protects.

    Requirements:
    The users at Northwind Traders must be able to obtain use licenses for documents protected by the AD RMS cluster of Customer2.
    Customer2 plans to decommission its AD RMS cluster during the next year.

    We should configure a trusted publishing domain on the AD RMS cluster of Northwind Traders for Customer 2.




    1. Marvin says:

      Trusted publishing domains.

      A trusted publishing domain allows one AD RMS cluster (i.e., Customer 2) to issue use licenses against publishing licenses that another AD RMS cluster issues (i.e., Northwind Traders).




  2. Marvin says:

    By default, AD RMS does not service requests from a user (e.g., user of Customer 1) if another AD RMS cluster issued the user’s RAC (Rights Account Certificate). However, at times you need to enable AD RMS to service these kinds of requests, so that users can share AD RMS–protected documents between organizations that have their own AD RMS clusters. To do this, you can add AD RMS domains to a list of trusted user domains in an AD RMS cluster.

    A trusted user domain is a trust between AD RMS clusters that instructs a licensing server to accept RACs from an AD RMS server in a different Active Directory forest.

    To add a trusted user domain, import the server licensor certificate from an AD RMS cluster that you want to trust (e.g., Customer 1) to the AD RMS cluster that trusts.

    Requirements:
    The users of Customer1 must be able to obtain use licenses for documents protected by the AD RMS of Northwind Traders.

    We should configure a trusted user domain on the AD RMS cluster of Northwind Traders for Customer 1.




    1. Marvin says:

      Trusted user domains:

      This type of trust policy enables an AD RMS server (Northwind Traders) to trust the RACs that another AD RMS root certification (Customer 1) server generates.

      It also issues use licenses to users who have RACs from another organization’s AD RMS server (Customer 1).

      (Source: DMOC 20414C)




