Your network consists of one Active Directory domain. The functional level of the domain is Windows Server 2008.
The domain has 30 domain controllers. Twenty administrators manage the domain.
You plan to implement an audit and compliance policy.
You need to ensure that all changes made to Active Directory objects are recorded.
What should you do?
A. On all domain controllers, run the Security Configuration Wizard (SCW).
B. In the Default Domain Controller Policy, configure a Directory Services Auditing policy.
C. In the Default Domain Controller Policy, configure and implement a file-level audit policy for the SYSVOL volume.
D. Create a Group Policy object (GPO) linked to the Domain Controllers OU. Configure the GPO to install the Microsoft Baseline Security Analyzer (MBSA).
Correct Answer: B
Explanation/Reference:
Explanation:
To implement an audit and compliance policy and ensure that all changes made to Active Directory objects are recorded, you need to configure a Directory Services Auditing policy in the Default Domain Controller Policy.
In Windows Server 2008, you can enable the Audit directory service access policy to log events in the Security event log whenever certain operations are performed on objects stored in Active Directory.
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy).
Reference: Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true