Questions for Course 6044: Windows Server 2008 Directory Identities and Access

As I mentioned in a previous blog post, I am delivering a private, newsgroup-based, Microsoft-sponsored training for Microsoft MVPs. We are reaching the end of the third of five parts of this training, covering Course 6044: Windows Server 2008 Directory Identities and Access (see course description). At the end of each course I pose some questions to the students for discussion. Here are the questions for Course 6044:

01) Describe two scenarios where AD LDS is a better solution than the full AD DS.
02) What are to two main methods used to programmatically access an AD LDS instance?
03) What change to an AD LDS configuration is required to support the more secure LDAP over SSL?
04) If you have a configuration with three AD LDS servers storing the same directory partition, how many of them can accept updates?
05) If you have three application directory partitions that need to be available in two different locations (even when they get disconnected), what is the minimum number of AD LDS servers you need?
06) If you need to store LDAP-accessible application data with a custom schema but you also need to leverage corporate security, would you use AD DS or AD LDS?
07) What schema changes are required in AD DS to support an application using AD LDS with a custom application partition?
08) If you have an extranet application that provides access to customers and partners using AD LDS, what kind of trust is required with the internal AD DS?
09) If your company’s employees access a partner ordering system using ADFS, how do you establish the trust between the two company’s AD DS domains?
10) Name the WS-* protocols that are leveraged by Windows Server 2008’s ADFS.
11) Assuming you have already implemented DNS, Domain Services and Certificate Services, what additional services are required for ADFS?
12) What Windows Server roles and features are required to implement an ADFS Web Agent?
13) In an ADFS implementation, what is the role of the Security Assertion Markup Language (SAML)?
14) You have an application that uses Windows-integrated authentication today. What changes to the application are required, if any, to start using ADFS instead.
15) If you need your company’s employees to access a partner website via ADFS without providing the specific employee identity to the partner, how would you do it?
16) Company employees access a partner-based system using ADFS. To block access to a terminated employee, what actions are required from the company and the partner?
17) If you implement an AD RMS and a user forwards a rights-protected e-mail to an external unauthorized party, what does that party see in the e-mail?
18) What are requirements for running the AD RMS Server on a Windows Server 2008 server?
19) What versions of Microsoft Windows Client and Microsoft Office support AD RMS as a client?
20) If an authorized user receives a rights-protected document via e-mail while outside the firewall (with no VPN), can that user access the content?

If I have time, I will post answers in September, after the training is completed.