Your network has a single Active Directory domain. All servers run Windows Server 2003 Service Pack 2, and auditing for failed logon attempts is enabled on all domain controllers. You want to ensure that a record of failed logon attempts is retained for 90 days on all domain controllers. Which Group Policy setting should you modify to achieve this?

Difficulty: Medium

Correct Answer: Open the Default Domain Controller Policy and modify the Retain Security Log setting

Explanation:

Introduction / Context:
In an Active Directory environment, failed logon attempts on domain controllers are written to the Security event log. To support security investigations and compliance, administrators may need to ensure that security events are retained for a minimum period, such as 90 days. This question tests your understanding of where to configure event log retention settings for domain controllers and which policy specifically controls the Security log retention behavior.

Given Data / Assumptions:

  • There is a single Active Directory domain.
  • All domain controllers run Windows Server 2003 Service Pack 2.
  • Auditing of failed logon attempts is already enabled.
  • The requirement is to retain failed logon records for 90 days.
  • Changes should apply to all domain controllers consistently.

Concept / Approach:
Event log retention settings such as maximum log size and retention period are configured through Group Policy under the Event Log settings. For domain controllers, the appropriate place to configure security-related settings is the Default Domain Controller Policy, which is linked to the Domain Controllers organizational unit. Within that policy, you adjust the retention settings for the Security log. You do not use the System log settings because failed logon events are stored in the Security log, not the System log.

Step-by-Step Solution:
Step 1: Identify that failed logon attempts are written to the Security event log.
Step 2: Determine that the policy must apply specifically to all domain controllers.
Step 3: Recall that the Default Domain Controller Policy is linked to the Domain Controllers OU and affects all domain controllers.
Step 4: Open the Group Policy Management console and edit the Default Domain Controller Policy.
Step 5: Navigate to the Event Log section and modify the retention settings for the Security log so that records are kept for 90 days, adjusting maximum log size and retention options as needed.

Verification / Alternative check:
After changing the policy, run a Group Policy update on the domain controllers and then inspect the Security log properties on one domain controller. Confirm that the settings for retention method and maximum log size match the desired configuration that will allow 90 days of logs. Over time, verify that events older than 90 days are not present and that newer events continue to be logged successfully, showing that the policy is effective.

Why Other Options Are Wrong:
Options A and B involve applying security templates such as hisecdc or securedc, which are baseline templates and not the appropriate place for controlling the current retention policy on all domain controllers. Option C modifies the Default Domain Policy and the System log, which affects domain-wide settings but not specifically the Security log on domain controllers. The requirement is targeted at Security log retention on domain controllers, which is best handled by editing the Default Domain Controller Policy and adjusting the Retain Security Log setting.

Common Pitfalls:
Administrators sometimes confuse the Default Domain Policy with the Default Domain Controller Policy, or they modify System log settings instead of Security log settings. Another common mistake is relying on default log sizes without calculating how much data is generated over 90 days. It is important to adjust both log size and retention strategy so that logs are not overwritten too early. Understanding which policy applies to which machines is essential for correct configuration.
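The verification step above (inspect the Security log settings on a domain controller after the policy has refreshed) and the sizing pitfall just described can both be checked with a short script. The following PowerShell is an added example, not part of the original question or answer. It assumes PowerShell has been installed on the Windows Server 2003 domain controller, that it runs with local administrator rights after `gpupdate /force`, and that the Group Policy settings land in the registry as they do on that platform: "Retain security log" is stored in seconds in the `Retention` value and "Maximum security log size" in bytes in the `MaxSize` value under the `EventLog\Security` key. The 50 MB per day figure is a constructed planning number, not a measurement.

```powershell
# Added example: checks whether a DC's Security log settings can actually hold 90 days of events.
# Assumes: run as local administrator on one domain controller after "gpupdate /force".
# Assumes: "Retain security log" writes Retention (seconds) and "Maximum security log size"
# writes MaxSize (bytes) under the EventLog\Security registry key.
param(
    [int]$RequiredDays = 90,
    # Constructed planning figure; replace with what your DC actually produces per day.
    [double]$EstimatedMBPerDay = 50
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$props = Get-ItemProperty -Path $key -ErrorAction Stop

# Both values are REG_DWORD, which PowerShell returns as signed Int32, so 0xFFFFFFFF
# ("do not overwrite events") arrives as -1. Normalise to an unsigned number first.
$retention = [int64]$props.Retention
if ($retention -lt 0) { $retention += 4294967296 }
$maxSize = [int64]$props.MaxSize
if ($maxSize -lt 0) { $maxSize += 4294967296 }

$neverOverwrite = ($retention -eq 4294967295)
if ($retention -eq 0) {
    $method = 'Overwrite events as needed (no minimum retention)'
} elseif ($neverOverwrite) {
    $method = 'Do not overwrite events (clear log manually)'
} else {
    $method = "Overwrite events older than $([math]::Round($retention / 86400, 1)) days"
}

# Retention check: either the log is never overwritten, or the age limit is at least the target.
$retentionOk = $neverOverwrite -or ($retention -ge ($RequiredDays * 86400))

# Size check: a 90-day retention setting is worthless if the log fills up first. With the
# "older than N days" method, a full log with no event old enough to overwrite stops
# recording new events instead of silently discarding the oldest ones.
$neededBytes = [int64]($EstimatedMBPerDay * 1MB * $RequiredDays)
$sizeOk = ($maxSize -ge $neededBytes)

# PowerShell 2.0 friendly object output (New-Object instead of [pscustomobject]).
New-Object PSObject -Property @{
    DomainController   = $env:COMPUTERNAME
    RetentionMethod    = $method
    RetentionMeetsGoal = $retentionOk
    MaxLogSizeMB       = [math]::Round($maxSize / 1MB, 1)
    EstimatedNeedMB    = [math]::Round($neededBytes / 1MB, 1)
    SizeMeetsGoal      = $sizeOk
}
```

Run it on each domain controller (or remotely through a WinRM session, where available) and treat a `False` in either `RetentionMeetsGoal` or `SizeMeetsGoal` as a finding: the first means the Default Domain Controller Policy change has not arrived or is set too low, the second means the maximum log size should be raised, or logs should be archived off the DC, before 90 days of failed logon records can be guaranteed.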

Final Answer:
You should open the Default Domain Controller Policy and modify the Retain Security Log setting.
