Improving the Security of Authentication in an AD DS Domain
In the following case scenarios, you apply what you’ve learned about fine-grained password policies and RODCs. You can find answers to these questions in the “Answers” section at the end of this book.
Case Scenario 1: Increasing the Security of Administrative Accounts
You are an administrator at Contoso, Ltd., which recently won a contract to deliver an important and secret new product. The contract requires that you increase the security of your Active Directory domain. You must ensure that accounts used by domain administrators are at least 25 characters long and are changed every 30 days. You believe it would not be reasonable to enforce such strict requirements on all users, so you wish to limit the scope of the new password requirements to only domain administrators. Additionally, your contract requires that you monitor attempts by potential intruders to gain access to the network by using an administrative account.
Your domain currently contains four Windows Server 2003 domain controllers and eight Windows Server 2008 domain controllers. What must you do before you can implement fine-grained password policies that meet the requirements of the new contract?
Which tool do you use to configure fine-grained password and lockout policies?
You return from a vacation and discover that other administrators have created several new PSOs with precedence values ranging from 10 through 50. You want to ensure that the PSO you created for domain administrators has the highest precedence so that it always takes effect for those users. What value should you assign to the precedence of your PSO?
How should you configure the domain to monitor attempts by potential intruders to gain access to the network by using an administrative account? Which GPO should you modify? Which settings should you define?
Case Scenario 2: Increasing the Security and Reliability of Branch Office Authentication
You are an administrator at Contoso, Ltd. You maintain the domain’s directory service on four domain controllers at a data center in your main site. The domain controllers run Windows Server 2003. Contoso has decided to open a new office overseas. Initially, the office will have 10 salespeople. You are concerned about the speed, expense, and reliability of the connection from the branch office to the data center, so you decide to place a read-only domain controller in the branch office.
What must you do to your existing domain controllers and to functional levels before you can install an RODC?
Because of customs regulations, you decide to ask one of the employees in the branch office to purchase a server locally. Can you allow the employee to create an RODC without giving the user domain administrative credentials?
You want the same user to be able to log on to the RODC to perform regular maintenance. Which command should you use to configure administrator role separation?