70-294 QOTD for May 18th

Discussion in 'Active Directory Exams' started by tripwire45, May 18, 2004.

  1. tripwire45
    Cartman is experimenting with a plan to improve profile generation through the corporate firewall of his company using Windows Server 2003 Active Directory domains. He has created a test parent domain called test.local inside the firewall and a child domain called child1.test.local on the other side of the firewall, in the demilitarized zone (DMZ). He shows the test network to Phil, the company's sysadmin, and tells Phil what he has in mind. What sort of answers would Phil give Cartman under these circumstances? Choose all that apply.

    A. Phil tells Cartman that the plan should work out but he has to open port 389 for LDAP and port 445 for RPC to make sure that replication will properly occur between the child domain in the DMZ and the root domain inside.

    B. Phil tells Cartman that his plan will leave the internal domain vulnerable should someone compromise the child domain in the DMZ. Phil suggests that Cartman implement Active Directory Application Mode (ADAM) instead of Active Directory. Phil also recommends creating a separate external forest for the DMZ instead of a child domain.

    C. Phil tells Cartman that his plan will leave the internal domain vulnerable should someone compromise the child domain in the DMZ. Phil suggests that Cartman instead implement Microsoft Identity Integration Feature Pack (IIFP) which is specifically designed to integrate identity data between several ADs. Phil also suggests creating a separate external forest for the DMZ instead of a child domain.

    D. Phil tells Cartman that creating a child domain in the DMZ is a security risk and that configuring any replication between a child domain and the root domain across a corporate firewall would leave the internal domain structure exposed. Phil reminds Cartman that Windows Server 2003 already handles replication between domains and forests connected by WAN links and that the additional work he has done would not improve performance.

    Answer tomorrow.
     
    Certifications: A+ and Network+
  2. tripwire45
    Ok, I admit...I wanted this one to be a bit challenging. Our resident AD experts Ryan and Phil can blow most normal questions away with hardly a sneeze, so I thought I'd present a slightly more interesting puzzle. Please feel free to take a crack at it. Heck, you can post here just to tell me that I'm out of my mind, if you'd like. Anyway, there's still plenty of time left. Take a shot at it.
     
  3. nugget
    Alright Trip, I'll pick C.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  4. tripwire45
    Good lad, nugget! Any other takers?
     
  5. tripwire45
    Answer soon! Dive in! Phil? Ryan? Anyone?
     
  6. tripwire45
    Guess nugget was the only player today. Time's up. The correct answer is B and C. Setting up a child domain in the DMZ is dangerous, but if you need to have an AD forest operating on the perimeter, you can set up a separate, external forest outside the firewall. ADAM is a free lightweight directory tool that works with Server 2003. Also, IIFP creates a link between an external and internal directory through port 339 but is still safer than opening the port for AD replication since it's not a direct link. IIFP is also safer because users in the external forest are designated as contacts, not security principals, which adds more protection for the internal forest.

    Ok, so maybe this one was over the top. I got it from an article by Danielle and Nelson Ruest published in the May 2004 edition of Windows Server System magazine. The Ruests' most recently published book is Windows Server 2003 Pocket Administrator, so I guess they know what they're talking about (and no, I am not getting any kickbacks for mentioning their book...I don't even know them...honest).

    I'll try to be more reasonable tomorrow and return to the regular textbooks.
     
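Two checks a practitioner would want after reading the answer above, as an added example that is not part of the thread or of the Ruest article it cites. The first probes, from a host in the DMZ, the TCP ports that AD replication and domain traffic depend on against an internal DC: if the firewall is separating the zones as intended, every probe should fail, which is exactly why the child-domain design cannot be made to replicate without punching holes. The second looks at objects synchronised into the external forest and reports whether each carries an objectSid (a security principal) or not (a contact), which is the property the answer relies on. The host names, the OU path and the use of Test-NetConnection (Windows 8 / Server 2012 or later, not Server 2003) are assumptions for illustration.

```powershell
# Added example, not code from the forum thread or from the cited article.
# Assumed names: dc1.test.local is an internal root-domain DC; OU=Synced,DC=dmz,DC=local
# is the OU in the external (DMZ) forest that receives synchronised identity data.

$InternalDC = 'dc1.test.local'      # assumption: internal DC reachable only if the firewall leaks
$ReplicationPorts = @(
    @{ Port = 135;  Name = 'RPC endpoint mapper' }
    @{ Port = 389;  Name = 'LDAP' }
    @{ Port = 636;  Name = 'LDAPS' }
    @{ Port = 3268; Name = 'Global Catalog' }
    @{ Port = 88;   Name = 'Kerberos' }
    @{ Port = 445;  Name = 'SMB (SYSVOL)' }
    @{ Port = 53;   Name = 'DNS' }
)

# Probe each port from the DMZ host and report which ones the firewall lets through.
function Test-ReplicationExposure {
    param(
        [Parameter(Mandatory)] [string]      $Target,
        [Parameter(Mandatory)] [hashtable[]] $Ports
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p.Port
            Service = $p.Name
            Open    = [bool]$r.TcpTestSucceeded
        }
    }
}

# Enumerate user and contact objects under an OU of the external forest and say
# which of them are security principals (have an objectSid) and which are plain contacts.
function Get-SyncedObjectKinds {
    param([string] $SearchBase = 'OU=Synced,DC=dmz,DC=local')   # assumption
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(|(objectClass=user)(objectClass=contact))'
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectSid'))
    foreach ($res in $searcher.FindAll()) {
        [pscustomobject]@{
            DN                  = $res.Properties['distinguishedname'][0]
            IsSecurityPrincipal = $res.Properties.Contains('objectsid')
        }
    }
}

$results = Test-ReplicationExposure -Target $InternalDC -Ports $ReplicationPorts
$results | Format-Table -AutoSize
$open = @($results | Where-Object Open)
if ($open.Count -gt 0) {
    Write-Warning ("DMZ host can reach {0} AD port(s) on {1}: {2}" -f $open.Count, $InternalDC, ($open.Port -join ', '))
} else {
    Write-Host "No AD ports reachable from the DMZ: replication to a child domain here would fail, which is the point."
}

$principals = @(Get-SyncedObjectKinds | Where-Object IsSecurityPrincipal)
if ($principals.Count -gt 0) {
    Write-Warning ("{0} synchronised object(s) in the DMZ forest are security principals, not contacts." -f $principals.Count)
}
```

Run the first part from a machine in the DMZ, not from inside; a clean result there only tells you the internal network can see itself. The second part needs rights to read the external forest's OU and is worth scheduling, since a sync tool reconfigured to provision users rather than contacts quietly turns the external directory into something that can be authenticated against.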
  7. Phoenix
    Thanks for that one Trip, it was a real challenge. I didn't make the deadline, but I did spend the afternoon reading about ADAM, IIFP, ISA Server and such; the question required me to do some research, which I enjoyed a lot more than just knowing the answer.

    thanks for that one mate :)
    *wonders if I will have to know that stuff for the exam* lol
    Probably not, being that the correct answers involve external products not native to 2003 (the exams don't usually reference other programs, even ones in the Resource Kits and Deployment Kits).
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  8. tripwire45
    Ok...so I cheated. :D
     
