70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Practice Test

Demo Question 3.

Stanford Finance, Scenario Background Stanford Finance is a private company that specializes in the provision of investment and asset management services for its clients. Stanford Finance operates across two continents, namely Europe and North America. Physical Locations The Stanford Finance headquarters are located in New York, USA, and its branch office is in London, Europe. The following table shows the number of employees in these offices: Anticipated growth foreseen for Stanford Finance is estimated at approximately 50 percent in employee numbers over the next five years. Each office has a full complement of IT personnel. Current situation: Business processes 1. All Stanford Finance customers commission their funds for investments to be purchased by Stanford Finance via e-mail. 2. Stanford Finance prepares the necessary documentation and legislative procedures required in investing the customers' funds: the administrative staff records all the necessary details of the customers and the brokers invest the funds on behalf of the customers. 3. All Stanford Finance customers can keep track of their investments and investment accounts by logging on to the Web site. 4. From time to time surveys are conducted to gauge customer satisfaction level. Active Directory services The current network is based on Active Directory and is operative in a Microsoft Windows 2000 environment. Unfortunately the network was set up as an interim measure and as such has not been properly designed to support the business operations. To this end the network has to be redesigned. Network infrastructure and connectivity The Stanford Finance network uses an internal DNS namespace of finance.com and a NetBIOS domain name of FINANCE. All servers on the Stanford Finance network run Microsoft Windows 2000 Server and all client computers run either Microsoft Windows 2000 Professional or Microsoft Windows XP Professional. Some applications, used by the Stanford Finance employees, still require NetBIOS over TCP/IP. The New York and London offices are connected by a dedicated T1 link. The Stanford Finance network is connected to the Internet via a firewall. Web Services When Stanford Finance decided to establish its Web presence, it was brought to their attention that the name finance.com was already taken as it was registered by another company. To this end Stanford Finance then registered the name stanfordfinance.com and outsourced the hosting of its Web site to an Internet Service Provider (ISP). Future situation: Planned Changes 1. The entire network needs to be redesigned. This will enable Stanford Finance to offer its clients better service and to better support business operations. 2. The new network is to be based on Microsoft Windows Server 2003. 3. The Web site is to be redesigned to enable customers to: o submit their information o track the status of their investments o access their billing / administration fees data 1. The Web site is to be hosted by Stanford Finance staff and not the ISP. Problem Statements Chief Executive Officer (CEO) "I have received some feedback from a survey that we ran last month and the results raised some concerns that we need to address. The main concern that surfaced from this survey is that our customers find it extremely inconvenient to exchange important and confidential data by using regular e-mail. We need to provide our customers with secure Internet access to our new Web site which will be used as a front-end interface for accessing all the other relevant services such as tracking the status of customer investments, accessing their billing/administration fee data, etc." Chief Information Officer (CIO) "The redesign of our network is a great opportunity to make a clean start. But although we are going to make a clean start it does not necessarily mean a clean slate: we are not going to register any additional names with Internet Authorities. The internal namespace must be intuitive and should not cause any confusion or conflicts with any registered names on the Internet." "We will implement two distinct networks: one internal and the other external. I suggest that the two networks be administratively independent from each other. As such they will have to be managed separately by two independent groups of IT personnel." "Our employees should be able to access resources on both networks and on the Internet. Our Customers should be able to access only the external network over the Internet. It so happens that some of our customers are also companies in their own right and not just individuals. For these customer companies we should designate an IT team that will support that customer's access to the external network. This will include the creation and management of the necessary user accounts and assigning permissions for the appropriate resources." "Our staff that visit the customers will connect to the internal network through virtual private networks (VPNs). They must be provided with the necessary, appropriate access to the resources anywhere on our network." Chief Security Officer (CSO) "A new phenomenon has surfaced. We have a situation where end users are installing their own software on the Stanford Finance network client computers. This is a practice that should not be allowed to carry over to our new network. We must ensure that our users do not install unauthorized software on the company client computers." "We must ensure that all our servers that provide connections to our network are secure. All connections to these servers must be authenticated." Information Technology (IT) manager "We need the new DNS infrastructure to be secure. I suggest that only authorized computers should be allowed to register with our DNS servers. Absolutely no DNS information regarding the internal network should be exposed to the external network or the Internet. We should also endeavor to keep name resolution traffic through the firewalls to a minimum." "We also need to keep network traffic between New York and London to a minimum. We should therefore configure the firewalls to block all unauthorized traffic to both the internal and external networks." "We should only make use of DHCP-assigned IP addresses for all our client computers on the internal network. Also if we are to maintain the existing line-of-business applications currently in use, we cannot discontinue supporting NetBIOS over TCP/IP on the internal network. To this end all client computers on the internal network will be configured to use DHCP to obtain the addresses of DNS and WINS servers. Furthermore we need to ensure that all network services are implemented in a fault tolerant way. We cannot allow having a situation where one of our servers fails then we do not have access to that service." "I also want to suggest that we enable our internal users to access all the necessary resources by using a single set of logon credentials. For security reasons we cannot extend the single set of credential-access to the customer companies. They will not be allowed access to our internal network. However, they will be provided with a user name and a password to access resources on the external network." End User "The current environment is difficult to use. Information is scattered on the network, making it difficult to find. There does not seem to be any clear definition as to who is responsible for responding to network and computer problems. Because of this confusion, most users manage their own computers." "Also, we want to be able to connect to the network when working remotely. Very often we need to visit customers to service their needs and then we cannot capture their details immediately because we are unable to access an ISP when we are out of office." Envisaged network infrastructure 1. Customers will be able to connect to a secure Web site. 2. The secure Web site will be hosted on the external network. 3. A Web application will provide a Web-based, front-end client interface to all the necessary resources on the external network. 4. Stanford Finance users will log on to the internal network from their client computers. 5. Stanford Finance users will also be allowed to establish VPN connections over the Internet. 6. Stanford Finance users issued with laptop computers to service customers in the customer locations will be allowed to use their laptop workstations to establish VPN connections over the Internet using the local phone numbers of a global ISP. 7. All Stanford Finance VPN users will be provided with the same scope of access to the network as the Stanford Finance users who work from the offices. 8. An Exchange Server 2003 organization will be deployed on the internal network. The envisaged network is shown in the Network Infrastructure exhibit: Topic 1, Stanford Finance (13 Questions) You need to create the Active Directory structure to address the concerns voiced by the Chief Information Officer. What should you do?

A. Create one forest with two domains.
B. Create one forest with a single domain.
C. Create two forests, each with a single domain.
D. Create three forests, each with a single domain.
E. Implement a workgroup environment on both networks.


Display Answer

Answer: C

Explanation: You need to implement two forests: One for the internal network and the other for the external network. The internal forest must be a single domain because the amount of internal users, in both the Stanford Finance offices, is relatively low. And there is no mention made of creating a separate domain for each location. Typically with a T1 connection between geographically dispersed offices, a single domain is considered appropriate, even if there are more than 100,000 users and only 1 % of WAN bandwidth is available for Active Directory replication. 1. We will implement two distinct networks: one internal and the other external. I suggest that the two networks be administratively independent from each other. As such they will have to be managed separately by two independent groups of IT personnel 2. We enable our internal users to access all the necessary resources by using a single set of logon credentials. 1. An Exchange Server 2003 organization will be deployed on the internal network. Incorrect answers: A. A single forest for both these networks will not work because then you cannot have two complete separate networks as is required because then all domains in the same forest must trust each other. B. A single forest for both these networks will not work because then you cannot have two complete separate networks as is required because then all domains in the same forest must trust each other. Also the Enterprise Admins group members will have authority over both domains in the forests which violate the one requirement of independent management of the networks. D. If you were to create three forests, then you will not be able grant all users on the internal network access to all appropriate resources, regardless of their physical location since an Exchange server will be deployed on the internal network, and an Exchange Server organization cannot span forests. E. If you were to implement a workgroup environment on each of the networks, then you will fail to meet the single sign-on requirements for the Stanford Finance users. Reference: Walter Glenn, and Michael T. Simpson, MCSE Training Kit - Designing a Windows server 2003 Active Directory and Network Infrastructure, Chapter 4, pp. 4-10. Microsoft Windows Server 2003 Deployment Kit: Designing Active Directory - designing the Active Directory Logical Structure: Creating a Forest Design