Implement and Admin Directory Services Infrastructure
Number: 70-216, Questions: , Passing Score: , Time: .
Testing: Standard
1. You are the administrator of a Windows 2000 network. Your network's organizational unit (OU) structure is shown in an exhibit. You grant the Create User Objects permission to Anita for the Executive OU, but she is unable to create user objects in the Users OU. Anita is able to create user objects in the Workstation OU.
What should you do to enable Anita to create user objects in the Users OU?
A. Clear the Allow inheritable permissions from parent to propagate to this object check box in the Executive OU properties.
B. Select the Allow inheritable permissions from parent to propagate to this object check box in the Users OU properties.
C. Add Anita to the Server Operators group.
D. Move the Users OU to the same level as the Executive OU.
Answer: B
2. You add a new domain controller named GC01 to your network to take the place of the existing global catalog server. You also enable GC01 as a global catalog. You want to use GC00, the original server, as a domain controller but not as a GC server for the domain. You want to increase disk space on GC00.
What should you do? (Choose all that apply)
A. In Active Directory Sites and Services, select the NTDS Settings object for the GC00 server and clear the Global Catalog check box.
B. On the GC00 server, run the Ntdsutil utility to defragment Active Directory.
C. On the GC00 server, reinstall Windows 2000.
D. On the GC01 server, run the Ntdsutil utility to enable the global catalog server option.
Answer: A, B
The first domain controller (DC) in the root domain of a forest automatically becomes a GC server. A global catalog server stores a complete, writable replica of its own domain and a partial, read-only replica of every other domain in the forest. The global catalog is used to find objects anywhere in the forest without querying the DCs that own those objects (which may be in remote sites). GCs obtain their information entirely through replication, so every GC server holds the same partial attribute set. Note that universal group membership is stored only in the GC. In a native-mode domain the authenticating DC must contact a GC at logon to enumerate the user's universal group membership; if no GC is available the logon fails, with two exceptions: members of the Domain Admins group can still log on so that an administrator can repair the GC, and a user who has logged on recently from that computer can log on with cached credentials.
NTDSUTIL.EXE (the AD diagnostic tool) is a command-line utility used to perform maintenance on the Active Directory database, NTDS.DIT. It is used for an offline defrag of AD in order to reduce the size of the database. NTDS.DIT grows as it is modified and does not shrink on its own; to reduce its size you must take the DC offline (restart in Directory Services Restore Mode) and perform an offline defrag.
3. You add three new SCSI hard disk drives to your company's domain controller. The SCSI disks are configured in a hardware RAID-5 array. You have two other physical disks in this domain controller. You want to optimize the speed of the Active Directory database.
What can you do? (Choose two)
A. Move the NTDS.DIT file to the RAID-5 array.
B. Move the log files to a separate physical disk from the OS.
C. Move the log files and the NTDS.DIT file to the RAID-5 array.
D. Move the NETLOGON share to the RAID-5 array.
E. Create a mirror volume and place the log files on the mirror.
Answer: A, B
Note that you must restart the computer in Directory Services Restore Mode in order to perform maintenance on AD. Then start NTDSUTIL.EXE and use the "move db" command under the files menu to move the database to the RAID-5 volume. For optimized performance you can also perform an offline defrag of the NTDS.DIT Active Directory database file while you are there.
4. You are the administrator of the Arbor Shoes company network. There is one domain named arborshoes.com. The domain contains three sites named Geneva, Milwaukee, and Portland. Each site has two domain controllers from the arborshoes.com domain. Geneva and Portland each have 1,000 users. Milwaukee has 500 users.
There are two IP site links:
Geneva--Portland
Milwaukee--Portland
You want to add another domain controller in each site to handle all replication from each site. What should you do?
A. Configure each new domain controller to be the IP preferred bridgehead server for its site.
B. Create a connection object from each domain controller in each site to the new domain controller in each site.
C. Create a new site link that has a lower cost that the existing site links.
D. Delete the existing connection objects in each site and manually start the KCC.
Answer: A
Bridgehead servers are the contact point for the exchange of directory information between sites. You can specify a preferred bridgehead server if you have a computer with the appropriate bandwidth to transmit and receive information. If there is typically a high level of directory information exchange, a computer with more bandwidth can ensure that these exchanges are handled promptly. Matching the demands of your Active Directory deployment with a domain controller that has the capacity to handle those demands enables efficient updates of directory information. You can specify multiple preferred bridgehead servers, but only one will be the active preferred bridgehead server at any time.
5. You are the LAN admin for Arbor Shoes. You hire Sophie to be a LAN administrator for the Dublin office. Arbor Shoes has one domain named arborshoes.com. Each office has its own OU. Sophie needs to be able to create child OUs under only ou=Dublin, dc=arborshoes, dc=com and verify the existence of the created OUs.
Which permissions should you assign to Sophie on the Dublin OU? (Choose three)
A. Full Control
B. List Contents
C. Create OU objects
D. Create All Child Objects
E. Write
F. Read
Answer: B, C, F
You must have the Read, List Contents, and Create Organizational Unit Objects permissions on the parent container (domain or OU) to create OUs within that container. List Contents is not strictly required to create an OU, but without it you cannot see the OU you just created. By default, the Administrators group has permission to create OUs anywhere. Granting Full Control, Write, or Create All Child Objects would work too, but each gives Sophie far more than the task requires.
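The same delegation applied from the command line, as an added example that is not part of the original page: dsacls.exe from the Windows 2000 Support Tools grants exactly the three rights from the question on the Dublin OU and nothing on its siblings. The NetBIOS domain name ARBORSHOES and the account ARBORSHOES\sophie are assumptions made for the example.

```batch
@echo off
rem Added example (not from the original page): delegate Q5's three
rem permissions on ou=Dublin with dsacls instead of the Delegation of
rem Control wizard. ASSUMPTIONS: NetBIOS domain ARBORSHOES and account
rem ARBORSHOES\sophie are stand-ins; dsacls.exe (Support Tools) is installed.

set OU=OU=Dublin,DC=arborshoes,DC=com
set USER=ARBORSHOES\sophie

rem Create-child right restricted to the organizationalUnit class only.
rem A bare CC with no class name would let her create ANY child object,
rem which is exam option D (Create All Child Objects), more than she needs.
dsacls "%OU%" /G "%USER%:CC;organizationalUnit"

rem Generic Read covers Read plus List Contents, so she can see the OU
rem she just created.
dsacls "%OU%" /G "%USER%:GR"

rem Check: dump the ACL and confirm only these ACEs exist for sophie.
rem Run the same dump against a sibling OU to confirm nothing leaked.
dsacls "%OU%" | findstr /i "sophie"
```

The class name after the semicolon is what makes this least privilege: it scopes the create right to one object class, which is exactly what the "Create OU objects" check box does in the GUI.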
6. You are the administrator for Trey Research and A. Datum Corporation. You manage a multi-domain Windows 2000 network of 5,000 users for the two companies. The network is configured as shown in an exhibit:
The two companies have a total of six departments. Each department is an OU in AD.
Each Domain and OU has specific Group Policy settings that must be applied to all of its members. Your company is reorganizing all six departments. Some, but not all, of the users in each OU have moved. Many users have changed departments, and some have changed domains. You want to accomplish the following goals in the least possible amount of time:
· Place the user accounts in the appropriate domains.
· Apply the existing policies for each domain or OU to the moved accounts.
· Do not disrupt user access to shared resources.
What should you do?
A. For all users, create new user accounts in the appropriate OUs. Assign permissions to the accounts to apply the Group Policy settings and then delete the old accounts.
B. For the users moving between domains, create new user accounts in the appropriate OUs. Assign permissions to the accounts to apply the Group Policy settings and then delete the old accounts. For the users moving between OUs in the same domain, select the accounts. Then choose Move from the Action menu, targeting the new OU.
C. For the users moving between domains, use the Movetree utility, specifying the source and target domains and OUs. For the users moving between OUs in the same domain, select the accounts. Then choose MOVE from the ACTION menu, targeting the new OU.
D. For the users moving between domains, create new user accounts in the appropriate OUs. Assign permissions to the account to apply the Group Policy settings and then delete the old accounts. For the users moving between OUs in the same domain, select the accounts. Then choose Copy from the Action menu, entering the appropriate account information for the new users accounts. Then delete the old accounts.
Answer: C
MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, BETWEEN domains in a single forest.
Movetree syntax:
movetree [/start, /continue, /check] [/s source server FQDN] [/d destination server FQDN] [/sdn source subtree root DN] [/ddn destination subtree root DN] [/u domain\username] [/p password] [/quiet]
7. You are the administrator of a Windows 2000 network. Your Windows 2000 domain controller has been in operation for one year. During that year, you have deleted numerous objects. However, the NTDS.DIT file is the same size it was before you deleted any objects. You want to reduce the size of the NTDS.DIT file.
What should you do? (Choose two)
A. Delete all the log files from the NTDS folder and restart the server.
B. Use the Ntdsutil utility to perform an authoritative restore.
C. Run the Esentutl utility by using the /d switch.
D. Restart the server in Directory Services restore mode.
E. Use the Ntdsutil utility to compress the database to another drive.
Answer: D, E
By default, Windows 2000 servers running directory services perform an online defragmentation of the directory every 12 hours as part of the garbage collection process. This online defragmentation only rearranges data within the database file (NTDS.DIT); it never reduces the file's size.
NTDSUTIL.EXE (the AD diagnostic tool) is a command-line utility used to perform maintenance on the Active Directory database, NTDS.DIT. It is used for an OFFLINE defrag of AD, which is the only operation that reduces the size of the database. NTDS.DIT grows as it is modified; to reduce its size you must take the DC offline (restart in Directory Services Restore Mode) and compact the database to a new file.
8. You are the administrator of the company network for Arbor Shoes. Arbor Shoes has three domains:
arborshoes.com, na.arborshoes.com, sa.arborshoes.com
All the domains are in native mode. You are going to remove the na.arborshoes.com domain in an effort to consolidate domains. There are 300 users in na.arborshoes.com. You want to move all 300 users at the same time to arborshoes.com.
What should you do?
A. At the command prompt, type the following command: Cscript sidhist.vbs /srcdc:dc1 /srcdom:na.arborshoes.com /dstdc:dc1 /dstdom:arborshoes.com
B. At the command prompt, type the following command: Movetree /start /s dc1.na.arborshoes.com /d dc1.arborshoes.com /sdn cn=users,dc=na,dc=arborshoes,dc=com /ddn cn=users,dc=arborshoes,dc=com
C. In MMC, use the copy command in Active Directory Users and Computers.
D. In MMC, use the move command in Active Directory Users and Computers.
Answer: B
MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, BETWEEN domains in a single forest.
Movetree syntax:
movetree [/start, /continue, /check] [/s source server FQDN] [/d destination server FQDN] [/sdn source subtree root DN] [/ddn destination subtree root DN] [/u domain\username] [/p password] [/quiet]
9. You are the enterprise administrator of a Windows 2000 domain tree that has five domains. All domains are in native mode. Each domain has one or more users who are help desk staff. Each domain has a global group named Help Desk Members that contains the help desk staff from each domain. There is an OU named Interns in the root domain. You want all help desk staff to be able to reset passwords of the users in the Interns OU.
What should you do?
A. Create a new global security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk staff group. Place the Help desk staff group in the Reset Interns group. On the reset Interns group, assign the Reset password permission to the Help Desk Staff group.
B. Create a new global security group named Help Desk Staff in the root domain. Place the five help desk staff in the Help Desk Staff group. Create a new local security group named Reset Interns in the root domain. Place all users from the Interns OU in the Reset Interns group. On the Interns OU, assign the reset Password permission to the Reset Interns group.
C. Create a new universal security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk Staff universal group. Create a new local security group named Reset Interns in the root domain. Place the Help Desk Staff group in the Reset Interns group. On the Interns OU, assign the reset password permission to the Reset Interns group.
D. Create a new universal security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk Staff group. Create a new local security group named reset Interns in the root domain. Place all users from the Interns OU in the Reset Interns group. On the reset Interns group, assign the Reset Password permission to the Help Desk staff group.
Answer: C
Windows 2000 security groups:
Domain Local - can contain user accounts, global groups and universal groups from any domain in forest, as well as other domain local groups in the same domain. Domain local groups can be used only in its own domain and can be assigned permissions for resources located only in its own domain.
Global - can contain user accounts and global groups from the same domain. Global groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest.
Universal - can contain user accounts, global groups and universal groups from any domain in the forest. Universal groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest. Universal group membership is validated at logon by Global Catalog servers.
10. Your company's Windows 2000 network consists of a single domain. You are the enterprise administrator of the domain. Two administrators named Ann and Bill make changes to Active Directory at approximately the same time at two different domain controllers named ServerA and ServerB. Ann deletes an empty OU named Branch1 from ServerA. Before this deletion is replicated to ServerB, Bill moves five existing users from the Branch2 OU to the Branch1 OU at ServerB. Ten minutes later, Bill discovers that the Branch1 OU has been deleted from Active Directory. You want to reinstate the configuration that Bill attempted to accomplish.
What should you do?
A. Perform an authoritative restore of the Branch1 OU at ServerA.
B. Perform a nonauthoritative restore of the Branch1 OU at ServerA.
C. Perform an authoritative restore of the five users at ServerB
D. At ServerB, move the Branch1 OU from the LostAndFound container to its original location.
E. At ServerA, create a new Branch1 OU. Move the five users from the Branch2 OU to the new Branch1 OU.
F. At ServerB, create a new Branch1 OU. Move the five users from the LostAndFound container to the new Branch1 OU.
Answer: F
The LostAndFound container stores objects (with properties intact) that have been created in, or moved to, a container that no longer exists after replication.
11. You are the administrator of your company's network. Your company has two domains in six sites as shown in an exhibit. Each site has one or more domain controllers. For fault-tolerance and load-balancing purposes, one domain controller in each site is configured as a global catalog server (GC). Users report that, several times a day, network performance and data transfer for an application located in SiteA are extremely poor. You want to improve network performance.
What should you do?
A. Configure at least two domain controllers in each site as GC servers.
B. Configure the domain controllers in only one site as GC servers.
C. Create site links between all sites and use the default replication schedules.
D. Create site links between all sites and set the less frequent replication schedules.
E. Create connection objects between each domain controller. Use RPC as the transport protocol.
F. Create connection objects between each domain controller. Use SMTP as the transport protocol.
Answer: D
To solve this problem, create additional site links. This gives the KCC more replication paths so that inter-site replication completes in less time. You should also set a less frequent replication schedule so that replication does not take place while the network is in heavy use. Global catalog servers help as well, because clients can resolve forest-wide queries against a GC in their own site instead of crossing a site link. Note that in this question each site already has a GC server, so adding another will have very little effect.
12. You are the enterprise administrator of a Windows 2000 domain named fabrikam.com. The domain contains three domain controllers named DCA, DCB, and DCC. DCA does not hold any operations master roles. You backed up the System state data of DCA two weeks ago. Without warning, the DCA domain controller's hard disk fails. You decide to replace DCA with a new computer. You install a new Windows 2000 server computer.
What should you do next?
A. Add the server to the domain. Do an authoritative restore of the original backup of the original DCA System State data that you made two weeks ago.
B. Add the server to the domain. Use Windows Backup to create a backup of the DCB System state data, and restore this backup on the new DCA.
C. Use the Active Directory installation wizard to make the new computer a replica in the domain.
D. Use the NTDSUTIL utility to copy the active Directory database from DCB to the new DCA.
Answer: C
You can restore a domain controller by reinstalling Windows 2000 Server on the damaged system, making it a domain controller, and allowing the correct information to be copied to it automatically by Active Directory.
13. You are the administrator of a Windows 2000 domain. The domain has two domain controllers named Server1 and Server2. The volume that contains the Active Directory database file on Server1 is running out of disk space. You decide to move the database file to an empty volume on a different disk on Server1.
What should you do?
A. Restart Server1 in Directory Services restore mode. Use the NTDSUTIL utility to move the database file to the empty volume.
B. Use Windows Backup to create a backup of the System State data of Server1. Restart Server2 in Directory Services restore mode. Restore the system State data to the empty volume.
C. Use the Logical Disk Manager console to mount the empty volume in the folder that contains the Active Directory database file.
D. Stop the Netlogon service on Server1. Use Windows Explorer to move NTDS.DIT to the empty volume. Start the NetLogon service again. Force replication from Server2.
Answer: A
The error you will see on the domain controller is "Lsass.exe - System Error: Directory Services could not start because of the following error: There is not enough space on the disk. Error Status: 0xc000007f. Please click OK to shutdown this system and reboot into Directory Service Restore Mode, check the event logs for more detailed information." There are two possible resolutions:
Resolution Method #1, clear space on the drive:
- Boot the domain controller into Directory Services Restore Mode (Windows 2000 domain controllers only) and log on with the Directory Services Restore Mode administrator account and password (this is the password you assigned during the Dcpromo process).
- Locate the drive containing the database and log files (by default in the NTDS folder on the system drive).
- Free some space on the drive, then reboot normally. If there is no space to free, use method 2.
Resolution Method #2, move the database or log files (the correct answer to this question):
NTDSUTIL.EXE has an option for moving either the database file or the database log files. If all drives are at capacity, it may be necessary to install an additional hard disk in the computer.
- Boot the domain controller into Directory Services Restore Mode and log on with the Directory Services Restore Mode administrator account and password (this is the password you assigned during the Dcpromo process).
- At a command prompt, type NTDSUTIL.EXE, then type "files" to reach the "file maintenance" prompt.
- Type "info". Note the path of the database and log files.
- To move the database, type "move db to <target folder>".
- To move the log files, type "move logs to <target folder>".
- Type "quit" twice to return to the command prompt, then reboot the computer normally.
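The same maintenance scripted end to end, as an added example that is not part of the original page: ntdsutil accepts each interactive command as a quoted argument, so the Q13 move and the Q7 offline defrag can both be run from one batch file instead of typed at the file maintenance prompt. It assumes you are logged on in Directory Services Restore Mode and that D: is a hypothetical empty volume with enough free space.

```batch
@echo off
rem Added example (not from the original page): non-interactive ntdsutil
rem invocations for Q13 (move the database) and Q7 (offline defrag).
rem ASSUMPTIONS: run in Directory Services Restore Mode as the DSRM
rem administrator; D: is a made-up empty volume with free space.

rem 1. Record the current database and log paths before changing anything.
ntdsutil "files" "info" "quit" "quit"

rem 2. Q13: move NTDS.DIT and the transaction logs to the empty volume.
rem    ntdsutil updates the paths under
rem    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters itself;
rem    moving the file with Explorer (exam option D) would not.
ntdsutil "files" "move db to D:\NTDS" "quit" "quit"
ntdsutil "files" "move logs to D:\NTDS" "quit" "quit"

rem 3. Q7: offline defrag. "compact to" writes a NEW, compacted copy of
rem    NTDS.DIT into the target folder; the live database is left alone,
rem    so a failed compaction costs nothing.
ntdsutil "files" "compact to D:\NTDSCompact" "quit" "quit"

rem 4. Only if the compaction reported success: keep a copy of the old
rem    file, swap in the compacted one, and remove the old log files so
rem    the database and logs are consistent at the next start.
if exist D:\NTDSCompact\ntds.dit (
    copy /y D:\NTDS\ntds.dit D:\NTDS\ntds.dit.bak
    copy /y D:\NTDSCompact\ntds.dit D:\NTDS\ntds.dit
    del /q D:\NTDS\*.log
)

rem 5. Verify the database before rebooting normally.
ntdsutil "files" "integrity" "quit" "quit"
```

Run step 3 onward on its own when you only need the defrag; the compacted copy is what reclaims the space the deleted objects left behind, which is why the question's answer is "compress the database to another drive" rather than deleting anything in place.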
14. You are the enterprise administrator of a Windows 2000 domain. The domain has three domain controllers named DC1, DC2, and DC3. Because of changed hardware requirements, you want to replace the domain controller named DC1 with a newer computer named DC4. You want DC4 to be a domain controller in the domain. You no longer want DC1 to function as a domain controller.
What should you do?
A. Install DC4 as a stand-alone server in a workgroup named WG. Restore a System State data backup of DC1 on DC4. On DC1, use the Active Directory Installation wizard to remove Active Directory from DC1.
B. Install DC4 as a stand-alone server in a workgroup named WG. Disconnect DC1 from the network. Rename DC4 to DC1. On DC2, force replication of AD to all its replication partners.
C. Install DC4 as a member server in the domain. On DC4, use the Active Directory Installation wizard to install Active Directory on DC4. On DC1, use the Active Directory Installation wizard to remove Active Directory from DC1.
D. Install DC4 as a member server in the domain. On DC1, use the Ntdsutil to copy the Active Directory files to DC4. Use the Active Directory Installation wizard to remove Active Directory from DC1.
Answer: C
DCPROMO initiates the Active Directory Installation Wizard. The Active Directory Installation Wizard is used to install Active Directory on a member server in the domain (thus creating a domain controller) and to remove AD.
15. You are the network administrator for your company. Your company's main office is in Seattle. Branch offices are in New York, Rome, and Tokyo. The local administrators at each branch office need to be able to control local resources. You want to prevent the local administrators from controlling resources in the other branch offices. You want only the administrators from the main office to be allowed to create and manage user accounts. You want to create an Active Directory structure to accomplish these goals.
What should you do?
A. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Domain Admins group in their child domains.
B. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Enterprise Admins group in the domain tree.
C. Create a single domain. Create a group named Branch Admins. Grant the local administrators membership in this group. Assign permissions to the local resources to this group.
D. Create a single domain. Create an OU for each branch office and an additional OU named CorpUsers. Delegate authority for resource administration to the local administrators for their own OUs. Delegate authority over the CorpUsers OU only to the Domain Admins group.
Answer: D
When you use a combination of OU nesting and access control lists (ACL), you can delegate the administration of objects in the directory in a very granular manner.
16. You are the administrator of your company's network. Your company has its main office in Seattle and branch offices in London, Paris, and Rio de Janeiro. The local administrator at each branch office must be able to control users and local resources.
You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals.
What should you do?
A. Create a top-level OU. Delegate control of this OU to administrators at the main office.
B. Create child OUs for each office. Delegate control of these OUs to administrators at the main office.
C. Create child OUs for each office. Delegate control of each OU to the local administrators at each office.
D. Add the local administrators to the Domain Admins group.
E. Create users groups for each office. Grant the local administrators the appropriate permissions to administer these user groups.
Answer: C
When you use a combination of OU nesting and access control lists (ACL), you can delegate the administration of objects in the directory in a very granular manner.
17. You install a Windows 2000 Server computer on your network. You promote the computer to be a domain controller. This computer also functions as the DNS server for the domain. All client computers are running Windows 2000 Professional. When users attempt to log on they receive an error message stating that a domain controller cannot be located. You verify that Active Directory is installed and functional on the server. You want to ensure that the domain controller is available for user logons.
What should you do next?
A. Check DNS for the addition of an appropriate SRV record in the zone.
B. Check DNS for the addition of an appropriate A record in the zone.
C. Check for the presence of an NTDS folder on the domain controller.
D. Check for the presence of a Sysvol folder on the domain controller.
E. On the client computers, create a HOSTS file that contains the SRV records for the domain controller.
F. On the client computers, create a HOSTS file that contains the A record for the DC.
Answer: A
DNS service (SRV) resource records are what clients use to find Active Directory servers: a Windows 2000 client never looks up the DC's A record directly, it queries for _ldap._tcp.dc._msdcs.<domain> and similar names that the Net Logon service registers at startup. The SRV resource record lets administrators use several servers for a single service, move services from host to host easily, and designate some hosts as primary servers for a service and others as backups. A HOSTS file cannot hold SRV records at all, which is why options E and F are wrong.
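The check a practitioner would run for this question, as an added example that is not part of the original page: query the three SRV names a Windows 2000 client depends on, then re-register them if they are absent. The domain name fabrikam.com (borrowed from Q12) and the DNS server address 10.0.0.1 are stand-ins for the example.

```batch
@echo off
rem Added example (not from the original page): confirm the SRV records
rem behind Q17's answer A exist, and re-register them if they do not.
rem ASSUMPTIONS: fabrikam.com and 10.0.0.1 are made-up stand-ins for the
rem AD domain and the DNS server that hosts its zone.

set DOMAIN=fabrikam.com
set DNS=10.0.0.1

rem DC locator (LDAP), Kerberos KDC, and global catalog records. nslookup
rem reports "No such record" style errors when Net Logon never registered
rem them, which is exactly the "domain controller cannot be located" case.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNS%
nslookup -type=SRV _kerberos._tcp.%DOMAIN% %DNS%
nslookup -type=SRV _gc._tcp.%DOMAIN% %DNS%

rem The records Net Logon tries to register are listed in
rem %SystemRoot%\system32\config\netlogon.dns on the DC. If the queries
rem above fail, restarting Net Logon re-registers them; do not hand-edit
rem the zone. Re-run the three queries afterwards.
net stop netlogon
net start netlogon
```

If the zone does not accept dynamic updates, the restart will fail to register anything and the Net Logon event log on the DC says so; fix the zone setting first, then repeat.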
18. You are the administrator of a Windows 2000 network for Miller Textiles. The network configuration is shown in an exhibit.
The millertextiles.com domain is hosted on Server1 as an Active Directory integrated zone, and on Server3 as a secondary zone.
All client computers on Segment B are running Windows 2000 Professional. All client computers on Segment A are down level client computers. All client computers are DHCP clients as well. You share some network resources on several of the client computers on Segment A. Several days later you attempt to connect to those shared resources from client computers running on segment B, but you are unable to resolve the host names of client computers on Segment A.
How should you correct this problem?
A. On the DHCP server, set the DNS Domain Name scope option to millertextiles.com.
B. On Server1 for the millertextiles.com zone, change the value of "Allow Dynamic Updates" from the default settings to "Yes".
C. Configure the millertextiles.com domain to allow zone transfers to all the computers on the network.
D. On Server2, enable updates for DNS clients that do not support dynamic updates.
Answer: D
Win2000 DNS supports dynamic update so that clients can auto register address or host (A) records, as well as pointer (PTR) records. Downlevel clients (Win98/NT) can only use dynamic update when they are clients of a Win2000 DHCP server and that DHCP server is configured to "enable updates for DNS clients that do not support dynamic updates".
19. You are the administrator of the Contoso, Ltd., company network. You are designing a Windows 2000 domain. Contoso, Ltd., has an Internet presence and owns contoso.com, a registered domain name. The existing DNS zone is hosted on Windows NT 4.0 Server computers.
You want to accomplish the following goals:
· Internal host names will not be exposed to the Internet.
· Internal users will be able to resolve external names for access to Internet-based resources.
· Complexity and depth of domain names for Active Directory will be minimized.
· To comply with management requirements, the existing DNS servers that host the zone for contoso.com will not be upgraded.
You implement a DNS design as shown in an exhibit. Which results does your implementation produce? (Choose all that apply)
A. Internal host names will not be exposed to the Internet.
B. Internal users will be able to resolve external names for access to Internet-based resources.
C. Complexity and depth of domain names for Active Directory will be minimized.
D. To comply with management requirements, the existing DNS servers that host the zone for Contoso.com will not be upgraded.
Answer: A, B, C
The answer depends on the exhibit. Additional notes on this topic: to avoid confusion and minimize administration, create separate AD domain and DNS zone pairs for BOTH the external network and the intranet, for example mycompany.com (external) and internal.mycompany.com (intranet). In this setup only the public part of the namespace is exposed to the Internet; the internal part is not. To further minimize administration of the DNS namespace, be SURE to enable dynamic updates on the internal zone(s). Finally, to minimize zone transfer traffic, use an Active Directory-integrated zone: zone data is replicated as part of AD replication, which creates less network traffic than standard zone transfers.
20. You are the administrator of your company's network. The network consists of one Windows 2000 domain that spans multiple subnets. You are configuring DNS for host name resolution throughout the network.
You want to accomplish the following goals:
· DNS zone transfer traffic will be minimized on the network.
· Administrative overhead for maintaining DNS zone files will be minimized.
· Unauthorized host computers will not have records created in the zone.
· All zone updates will come only from authorized DNS servers.
· All zone transfer information will be secured as it crosses the network.
You take the following actions:
- Create an Active Directory integrated zone.
- In the Zone Properties dialog box, set the "Allow Dynamic Updates" option to Yes.
- On the Name Servers tab of the Zone Properties dialog box, enter the names and addresses of all DNS servers on the network.
Which results do these actions produce? (Choose all that apply)
A. DNS zone transfer traffic will be minimized on the network.
B. Administrative overhead for maintaining DNS zone files will be minimized.
C. Unauthorized host computers will not have records created in the zone.
D. All zone updates will be sent only to authorized DNS servers
E. All zone transfer information will be secured as it crosses the network.
Answer: A, B, E
Action 1 ensures "DNS zone transfer traffic minimized". Creating an AD-integrated zone means the DCs that run DNS all hold a writable copy of the zone, and zone data moves as part of AD replication, which creates less network traffic than standard zone transfers.
Action 2 ensures "Administrative overhead for maintaining DNS zone files minimized". Enabling dynamic updates means each host registers itself with DNS and updates its own records as needed.
Action 3 almost, but not quite, ensures "All zone updates only to authorized DNS servers". That goal is met by explicitly listing the IP addresses of the servers that may receive zone data on the Zone Transfers tab of the zone's properties, or by listing the authoritative servers on the Name Servers tab and then selecting "Allow zone transfers: Only to servers listed on the Name Servers tab". Only the first half of the second method was done here; "Allow zone transfers ... Name Servers tab" was NOT selected, so the goal was NOT met. Be careful on this point.
To ensure "Unauthorized host computers will not have records created in the zone", you need "Only secure updates" (available only in an AD-integrated zone). Secure updates mean that only users, groups, or computers that have been granted write access to the zone or to the individual record can change that record. That setting was not chosen in this scenario; "Yes" allows both secure and non-secure updates, so any host that can reach the server can register a name.
21. You are the network administrator for Arbor Shoes. Part of your multi-site Windows 2000 network configuration is shown in an exhibit. Server1 is configured with the primary zone for arborshoes.com. Server3 and Server5 are configured with secondary zones for arborshoes.com. You discover an error in several host records that is preventing client computers in Atlanta from accessing some shared resources. You make the necessary corrections on Server1. You want these changes to be propagated to Atlanta immediately.
What should you do?
A. On the Action menu for the arborshoes.com zone, click "Update Server Data Files".
B. At Server5, perform the Transfer from master action for the arborshoes.com zone.
C. At Server1, stop and start the DNS server service.
D. At Server5, select Allow zone transfers on the arborshoes.com zone.
Answer: B
"Update Server Data Files" only writes the in-memory copy of the zone on the primary back to its zone file on disk; it does not push anything to Server5. A Windows 2000 primary normally sends a DNS NOTIFY to the secondaries on its notify list when the zone serial number changes, but if that notification is missed the secondary does not pull the zone again until its SOA refresh interval expires, and stopping and starting the service on Server1 does not change that.
To force the update now, go to the secondary that serves Atlanta (Server5): open DNS, select the arborshoes.com zone in the console tree, and on the Action menu click "Transfer from master". That makes Server5 request an immediate zone transfer from Server1. The right action therefore depends on which server you are at: the primary can only write its files and notify, while a secondary can pull the zone on demand.
22. You are the network administrator for LitWare, Inc. You are implementing Windows 2000 on your network. Part of your network configuration is shown in an exhibit. You have installed Server2 and Server4 as domain controllers for LitWare.com. You have installed Server1 and Server3 as DNS servers for the litware.com domain. Each server has a standard primary zone named litware.com. You configure the domain to run in native mode.
When Server2 attempts to contact Server4 by name, it cannot establish a connection. However, you can ping both Server2 and Server4 from any computer in either site. You need to be able to resolve names of servers in both sites. You want the information to be updated regularly.
What should you do?
A. Configure Server1 and Server3 to allow dynamic updates in DNS.
B. Configure Server1 and Server3 to allow zone transfers to any server. Then configure the DNS notification options to notify each server of updates.
C. Reinstall Server4 as a member server in the same domain as Server2. Create a new site and promote Server4 to a domain controller within the new site.
D. Re-create the litware.com zone on Server3 as a secondary zone. Configure Server3 to replicate DNS data from Server1.
Answer: D
Server1 and Server3 each hold an independent standard primary copy of litware.com, so a record registered on one is never seen by the other; that is why Server2 cannot resolve Server4 although IP connectivity works. Re-creating the zone on Server3 as a standard secondary gives one master (Server1) and one read-only replica, stored in a standard text file, that is refreshed from the master on the SOA refresh interval and on NOTIFY. Dynamic updates alone (option A) would still leave two unrelated zones, and zone transfers between two primaries (option B) are not how DNS replicates.
23. You are hired by Fabrikam, Inc., to secure its Windows 2000 network. You use Security Templates to create a custom template and save it as Securefab.inf. You need to use this template on five domain controllers in the fabrikam.com domain.
What should you do? (Choose two)
A. Copy the Securefab.inf file to the Sysvol shared folder on one domain controller.
B. Create a new security database.
C. Import the Securefab.inf file.
D. Rename Securefab.inf to Ntconfig.pol
E. Create a Group Policy object on the Domain Controller Organizational Unit.
Answer: C, E
The Security Configuration and Analysis snap-in analyzes and configures the security settings of a single computer against a template. The predefined templates live in %SystemRoot%\Security\Templates and can be customized with the Security Templates snap-in and saved as an .inf file such as Securefab.inf. To apply one template to all five domain controllers at once, create a Group Policy Object linked to the Domain Controllers OU, open Computer Configuration > Windows Settings > Security Settings, and use Import Policy to load the .inf; Group Policy then applies it to every DC in that OU. Copying the file to Sysvol or renaming it Ntconfig.pol (the Windows NT 4.0 system policy file) applies nothing, and a security database is only needed for the local Security Configuration and Analysis snap-in.
24. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A
Account management auditing records creation, change and deletion of user and group accounts, password resets and group membership changes. In Windows 2000 a deletion is security event 630 (User Account Deleted) and it names the caller who performed it. The event is written only to the Security log of the domain controller that handled the deletion and is not replicated, which is why each DC's log must be searched. Object access auditing (option B) covers files, folders, registry keys and printers, not account operations, and the directory console (options C and D) keeps no history of deleted objects.
25. You are the administrator of your company's network. The network consists of one Windows NT 4.0 domain. You create and implement a security policy that is applied to all Windows 2000 Professional client computers as they are staged and added to the network. You want this security policy to be in effect at all times on all client computers on the network. However, you find out that administrators periodically change security settings on computers when they are troubleshooting or doing maintenance. You want to automate the security analysis and configuration of client computers on the network so that you can track changes to security policy and reapply the original security policy when it has been changed.
What should you do?
A. Use Windows NT System Policy to globally configure the security policy settings on the client computers.
B. Use Windows 2000 Group Policy to globally configure the security policy settings on the client computers.
C. Use the Security and Configuration Analysis tool on the client computers to analyze and configure the security policy.
D. Schedule the Secedit command to run on the client computer, analyze and configure the security policy.
Answer: D
The network is a Windows NT 4.0 domain, so there is no Active Directory and no Group Policy (option B), NT System Policy cannot analyze or reapply security templates (option A), and the Security Configuration and Analysis snap-in (option C) is a manual tool that automates nothing. What can be automated on each client is Secedit, the command-line form of Security Configuration and Analysis, run by the Task Scheduler: secedit /analyze /db secpol.sdb /cfg secpol.inf /log analyze.log compares the computer against the template and records the differences in the log so you can track what the administrators changed, and secedit /configure /db secpol.sdb /cfg secpol.inf reapplies the template. (On a Windows 2000 domain, the related command secedit /refreshpolicy machine_policy /enforce forces Group Policy to reapply even when none of the GPOs has changed; normally an unchanged GPO is skipped on refresh.)
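The analysis step above is a comparison of a template against live settings. The following added example (written for this page, not a Microsoft tool, and using a constructed template and constructed "current" settings rather than anything read from a real machine) parses a template in the .inf layout that Security Templates uses, reports the drift the way secedit /analyze would log it, and returns the settings a configure pass would restore. The section and key names are real template names; the values are made up for the example.

```python
"""Compare a Windows 2000 security template (.inf) against a machine's
current settings, as 'secedit /analyze' does, and compute what
'secedit /configure' would put back. The template text and the
'current' settings are constructed for this example."""

import configparser

# Constructed template in the .inf layout used by Security Templates.
SECUREFAB_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditAccountManage = 3
AuditObjectAccess = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Sections that carry file metadata rather than security settings.
METADATA = {"unicode", "version"}


def load_template(text):
    """Parse template text into {section: {key: value}}, keys lower-cased."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s.lower(): {k: v.strip().strip('"') for k, v in parser.items(s)}
            for s in parser.sections() if s.lower() not in METADATA}


def analyze(template, current):
    """Sorted (section, key, expected, actual) for every setting that
    differs from the template; actual is None when the setting is unset."""
    drift = []
    for section, settings in template.items():
        have = current.get(section, {})
        for key, expected in settings.items():
            actual = have.get(key)
            if actual != expected:
                drift.append((section, key, expected, actual))
    return sorted(drift)


def configure(template, current):
    """Return a copy of current with every drifted setting reset to the template."""
    fixed = {s: dict(v) for s, v in current.items()}
    for section, key, expected, _ in analyze(template, current):
        fixed.setdefault(section, {})[key] = expected
    return fixed


# Constructed 'current' state: while troubleshooting, an administrator
# shortened the minimum password and switched off account-management auditing.
CURRENT = {
    "system access": {"minimumpasswordlength": "6", "passwordcomplexity": "1",
                      "maximumpasswordage": "42", "lockoutbadcount": "5"},
    "event audit": {"auditobjectaccess": "3"},
}

if __name__ == "__main__":
    template = load_template(SECUREFAB_INF)
    for section, key, expected, actual in analyze(template, CURRENT):
        print(f"[{section}] {key}: template={expected} current={actual}")
```

Scheduling the equivalent of analyze() and configure() is what option D does with secedit; keeping the analyze log before reconfiguring is what lets you see which administrator changed what.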
26. You are the administrator of your company's network. The network consists of one Windows 2000 domain. The domain contains four Organizational Units (OU) as shown in an exhibit. You want to centralize security policy in your domain. You create the following three security templates and Group Policy Objects:
- SecPol1 defines Password, Audit, and User Rights Policies.
- SecPol2 defines User Desktop policy, File System security, and Registry security.
- SecPol3 defines a High Security User Desktop policy for network administrators.
You want the GPOs to apply your security policies to users and computers in the domain. You want to use the fewest assignments possible. Where possible, you want Group Policy to apply at the OU level for more granular administrative control.
How should you apply security policies?
A. Select and drag Secpol1 to all locations.
B. Select and drag Secpol2 to all locations.
C. Select and drag Secpol3 to all locations.
Answer: A
This is a select-and-place item, so the answer depends on the exhibit: click the Select & Place button and drag A, B and C to the correct locations (a letter can be used more than once). A policy that must reach everyone (SecPol1: password, audit and user rights) is linked once at the domain level; the password and lockout settings for domain accounts are only honoured there anyway. A policy for one department (SecPol2) is linked to that department's OU, and the high-security desktop for administrators (SecPol3) to the OU that holds the administrators' accounts. Where exactly each goes depends on the OU layout in the scenario.
27. You edit the default Domain Controllers Group Policy on the arborshoes.com domain to require passwords to be at least eight characters long. However, users are able to create passwords that do not comply with the implemented policy.
What should you do?
A. Initiate replication to make sure the Group Policy containers and the Group Policy template (GPT) are replicated.
B. Configure each client computer to have a local Group Policy that requires passwords to be at least eight characters long.
C. Edit the default Domain Group Policy to require passwords to be at least eight characters long.
D. Edit the default Domain Controllers Group Policy to force the password to meet complexity requirements.
Answer: C
Password, account lockout and Kerberos policy for domain accounts are read only from GPOs linked at the domain level (the Default Domain Policy by default). The same settings in a GPO linked to the Domain Controllers OU, or in the local policy of a client, govern only the local accounts of those machines, so the eight-character rule never reached the domain accounts. Edit the default Domain GPO (option C). Adding complexity in the Domain Controllers GPO (option D) is at the wrong scope for the same reason, and replication (option A) is not the problem.
28. You are the Windows 2000 network administrator for your company. You are implementing the company's network security model. You network has several servers that contain sensitive or confidential information. You want to configure security auditing on these servers to monitor access to specific folders. You also want to prevent users from gaining access to these servers when the security logs become full.
What should you do?
A. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 kb.
B. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Services access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. Configure the security event log so that it does not overwrite events.
C. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Service access. Set up the individual objects to be audited in Windows Explorer. Configure the Security Event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
D. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Setup the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
Answer: D
Auditing has two parts. First, an audit policy (local, or through a GPO applied to the servers) turns on the event category, here Object access, because the targets are folders on file servers. Second, each object to be watched gets an audit entry (a SACL) in Windows Explorer under Properties > Security > Advanced > Auditing, naming the users and the accesses to record. To keep users off the servers once the log is full, configure the Security log not to overwrite events and enable "Shut down the system immediately if unable to log security audits". That setting is the registry value CrashOnAuditFail under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, set to 1. The caveat a practitioner needs: when the log fills, the server halts with a STOP error; on restart Windows sets the value to 2 and only members of Administrators can log on until the Security log has been archived and cleared and the value put back to 1. Size the log and archive it regularly, or the setting becomes a self-inflicted denial of service. Directory Service access (options B and C) audits Active Directory objects, not folders, and a 1,024 KB size limit by itself prevents nothing.
29. You are the security analyst for Duluth Mutual Life. You are assessing the security weaknesses of the company's Windows 2000 network. The network consists of three sites in one domain. The domain contains three OUs and 11,000 users. There are five domain controllers in the domain. You configure one of the domain controllers to meet the security requirements of the company. You need to duplicate those settings on the other four domain controllers. You want to use the least possible amount of administrative effort.
What should you do?
A. Create a GPO for the Domain Controllers OU. Configure the GPO settings to match the settings of the secured domain controller.
B. Open Security Configuration and Analysis on the secured domain controller. Export the secured domain controller's security configuration to a template file. Copy the template file to the Sysvol folder on each domain controller.
C. Create a GPO for the domain. Assign Domain Users Read and Apply Group Policy permissions. Configure the GPO settings to match the settings of the secured domain controller.
D. Open Security Configuration and Analysis on the secured domain controller. Export the secured domain controller's security configuration information to a template file. Open Security Configuration and Analysis on the other domain controllers, import the template file, and then select Analyze Computer Now.
Answer: D
Exporting the secured domain controller's settings from Security Configuration and Analysis produces a reusable template; importing that template on the other four controllers reproduces the configuration without retyping it. Note that "Analyze Computer Now" only compares the machine with the template and records the differences in the database; it is "Configure Computer Now" (or secedit /configure) that applies them. Copying the file to Sysvol (option B) applies nothing, and configuring a GPO by hand (options A and C) is the most work. With even less effort the exported template could be imported into a GPO linked to the Domain Controllers OU, so that all five controllers, and any added later, receive it through Group Policy.
30. You are the administrator of a Windows 2000 network. Recently, your network security was compromised and confidential data was lost. You are now implementing a stricter network security policy. You want to require encrypted TCP/IP communication on your network.
What should you do?
A. Create a GPO for the domain, and configure it to assign the Secure Server IPSec Policy.
B. Create a GPO for the domain, and configure it to assign the Server IPSec Policy and to enable Secure channel: Require strong session key.
C. Implement TCP/IP packet filtering, and open only the ports required for your network services.
D. Edit the local security policies on the servers and client computers and enable Digitally signed client and server communications.
Answer: A
Windows 2000 ships three predefined IPSec policies: Client, Server and Secure Server. None of them is assigned by default, and only one policy can be assigned to a computer at a time, so the first task is to decide whether one of them fits or a custom policy is needed. The predefined policies authenticate with Kerberos, so they work between members of the same forest. Assigned through a GPO linked to the domain, Secure Server reaches every domain computer, which means any printer, NT 4.0 host or other device that cannot negotiate IPSec can no longer talk to them (ICMP excepted). The policies are as follows:
Client (Respond Only) - the computer never initiates IPSec but negotiates it when a peer asks, according to the default response rule. Use it on clients that should answer requests for secure communication without starting them; two Respond Only computers talking to each other never negotiate and stay in clear text.
Secure Server (Require Security) - requires IPSec for all IP traffic, incoming and outgoing (ICMP excepted). A peer that does not respond to the negotiation is refused; nothing is accepted or sent in clear text. Use it where data must always be secured, as in this question.
Server (Request Security) - requests IPSec for all IP traffic but falls back to clear text if the peer is not IPSec-aware. Use it for security between IPSec-capable computers without sacrificing interoperability with non-IPSec hosts; it does not satisfy a requirement to encrypt all traffic, which is why option B is wrong ("Secure channel: Require strong session key" concerns the secure channel to domain controllers, not IP traffic in general).
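The interoperability point above (who initiates, who falls back, who refuses) is easiest to see as a table of outcomes. The following added example is a model written for this page, not Windows code: it encodes the rules stated for the three built-in policies and the ICMP exemption in the default policies, and computes what happens for every pairing, including a host with no IPSec policy at all.

```python
"""Outcome of IPSec negotiation between two Windows 2000 hosts for the
three built-in policies. A model of the rules on this page, not an
implementation of IKE: Client (Respond Only) never initiates, Server
(Request Security) asks and falls back to clear text, Secure Server
(Require Security) refuses clear text. ICMP is exempt in the default
policies."""

CLIENT = "Client (Respond Only)"
SERVER = "Server (Request Security)"
SECURE_SERVER = "Secure Server (Require Security)"
NO_POLICY = None  # a host that cannot negotiate IPSec at all


def initiates(policy):
    """Only the two server policies ever ask a peer to negotiate."""
    return policy in (SERVER, SECURE_SERVER)


def requires(policy):
    """Only Secure Server refuses to fall back to clear text."""
    return policy == SECURE_SERVER


def outcome(a, b, protocol="tcp"):
    """'secured', 'clear' or 'blocked' for traffic between hosts with
    policies a and b. Direction does not matter: whichever side has a
    server policy negotiates, and a Respond Only host answers it."""
    if protocol == "icmp":
        return "clear"  # the default policies exempt ICMP from negotiation
    both_capable = a is not None and b is not None
    if both_capable and (initiates(a) or initiates(b)):
        return "secured"
    if requires(a) or requires(b):
        return "blocked"  # Secure Server will not talk in clear text
    return "clear"


def matrix():
    """Outcome for every ordered policy pair, as {(a, b): outcome}."""
    policies = [NO_POLICY, CLIENT, SERVER, SECURE_SERVER]
    return {(a, b): outcome(a, b) for a in policies for b in policies}


if __name__ == "__main__":
    for (a, b), result in matrix().items():
        print(f"{a or 'no policy':34} <-> {b or 'no policy':34} {result}")
```

Two rows of the table are the ones that bite in practice: Respond Only to Respond Only stays in clear text because nobody asks, and Secure Server to a host without a policy is blocked outright, which is the cost of option A for anything on the network that cannot negotiate IPSec.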
31. You are the administrator of your company's network, which consists of one Windows 2000 domain. There is a single top-level OU named Main and five child OUs. The child OUs are named after the company's five departments:
Finance
Marketing
Sales
HR
IT
The accounts for all users and computers in each department are defined in the OU for that department. All users and computers in the Finance, Marketing, Sales and HR OUs require the same desktop settings. Users and computers in the IT OU require less restrictive settings.
You want to accomplish the following goals:
· All the Group Policy settings defined by the administrator in the Main OU will be applied to all users and computers in the Finance, Marketing, Sales, and HR OUs.
· Group Policy from the Main OU will not be applied to the IT OU.
· Administrators in the IT OU will be able to change the Group Policy settings.
· When new child OUs are added to the domain, the Group Policy will be applied to them automatically.
· Users will not be able to change their Group Policy settings.
You take the following actions:
- Create the GPO, configure the appropriate settings, and link the GPO to the Main OU.
- In the Group Policy Options dialog box for the Main OU, select the No Override check box.
- In the Group Policy dialog box for the IT OU, select the Block Policy inheritance check box.
- Assign the Authenticated Users group Full Control permission to the GPO.
Which results do these actions produce?
A. All the assigned Group Policy settings as defined by the administrator in the Main OU are applied to all users and computers in the Finance, Marketing, Sales, and HR OUs.
B. Group Policy from the Main OU will not be applied to the IT OU.
C. Administrators in the IT OU are able to change the Group Policy settings.
D. When new child OUs are added to the domain, the Group Policy is applied to them automatically.
E. Users cannot change their Group Policy settings.
Answer: A, C, D
Giving Authenticated Users Full Control of the GPO means that any authenticated user, not only the IT administrators, can edit the GPO itself. Goal C is met, but goal E ("Users cannot change their Group Policy settings") is not; the IT administrators should instead get Read and Write on the GPO while ordinary users keep only Read and Apply Group Policy. The GPO is linked to the top-level Main OU with No Override, so it applies to the existing child OUs and to any new child OU created under Main (goals A and D).
GPOs can be linked to sites, domains and OUs and are applied in that order, parent before child, so when settings conflict the GPO nearest the user or computer normally wins. Block Policy Inheritance on a container stops ordinary GPOs linked above it, but a link marked No Override cannot be blocked and is applied after all ordinary links, so it always wins over them; if two No Override links conflict, the one highest in the hierarchy (a domain link before an OU link) wins. Here the Main OU link has No Override, which defeats the Block Policy Inheritance set on the IT OU, so goal B ("Group Policy from the Main OU will not be applied to the IT OU") is NOT met.
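The precedence rules just described are an algorithm, and the result for a given OU is easier to check with one than by reading the dialog boxes. The following added example (written for this page, not a Microsoft tool) computes the order in which GPO links are applied to a container, with Block Policy Inheritance and No Override handled as Windows handles them, and resolves a single setting to the winning GPO. The container chain and GPO names are those of question 31 plus a constructed password-policy conflict; the setting names are made up.

```python
"""Which Group Policy Objects apply to a container, honouring Block
Policy Inheritance and No Override: links are applied from the top of
the hierarchy down and later ones win; Block Policy Inheritance on a
container discards ordinary links from above it; No Override links are
applied after everything else, deepest first, so the highest-level
No Override link is applied last and can be neither blocked nor
overridden. Added example; containers and GPO names are constructed."""


def application_order(chain):
    """chain: containers from the site/domain down to the target OU, each a
    dict with 'links' = [(gpo_name, no_override), ...] listed from lowest
    to highest link precedence, plus optional 'block' for Block Policy
    Inheritance. Returns GPO names in the order Windows applies them;
    the last one wins any conflicting setting."""
    blocking = [i for i, c in enumerate(chain) if c.get("block")]
    cut = max(blocking) if blocking else -1  # ordinary links above 'cut' are dropped
    ordinary = [gpo for i, c in enumerate(chain) if i >= cut
                for gpo, no_override in c["links"] if not no_override]
    enforced = [gpo for c in reversed(chain)
                for gpo, no_override in c["links"] if no_override]
    return ordinary + enforced


def resolve(chain, gpo_settings, setting):
    """(value, winning GPO) for one setting, or (None, None) if no GPO sets it."""
    value = winner = None
    for gpo in application_order(chain):
        if setting in gpo_settings.get(gpo, {}):
            value, winner = gpo_settings[gpo][setting], gpo
    return value, winner


# Question 31: the Main OU carries the desktop GPO with No Override and
# the IT child OU sets Block Policy Inheritance (GPO names constructed).
DOMAIN = {"name": "contoso.com", "links": []}
MAIN = {"name": "Main", "links": [("Desktop", True)]}
IT = {"name": "IT", "links": [], "block": True}
FINANCE = {"name": "Finance", "links": []}

# Constructed settings: two password GPOs that conflict.
GPO_SETTINGS = {"Desktop": {"hide_run": "yes"},
                "DomainPwd": {"min_pwd_len": "8"},
                "OUPwd": {"min_pwd_len": "4"}}

if __name__ == "__main__":
    print(application_order([DOMAIN, MAIN, IT]))       # Block loses to No Override
    print(application_order([DOMAIN, MAIN, FINANCE]))
    both_enforced = [{"name": "d", "links": [("DomainPwd", True)]},
                     {"name": "ou", "links": [("OUPwd", True)]}]
    print(resolve(both_enforced, GPO_SETTINGS, "min_pwd_len"))  # highest link wins
```

Run against the question's layout, the IT OU still receives the Desktop GPO; change the Main link to ordinary (no_override False) and the block on IT works as its administrators expected.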
32. You are using RIS to deploy Windows 2000 Professional on 1,500 computers. Your network configuration is shown in an exhibit. You have four RIS servers. You have deployed 100 computers. RIS server1 and RIS server3 are overworked and respond too slowly for the timely deployment of your computers. You need more consistent performance results before you deploy the remaining computers.
What should you do?
A. Create computer accounts for all the computers. Complete the Managed By properties for each account.
B. Create one OU for each segment. Add users accounts for all the users to the appropriate OUs. Specify the appropriate RIS server in the "Log on to" property for each user's account.
C. Create prestaged computer accounts for all of the computers. Specify which RIS server will control each computer.
D. Create one site for each segment. Move two RIS servers to each site.
Answer: C
A remote installation begins when a PXE client boots: it obtains TCP/IP settings from DHCP, then the RIS server's BINL service answers with the address of the boot server and the initial boot file (Startrom.com), which loads the Client Installation Wizard. By default any RIS server that hears the request may answer, which is how two of the four servers end up carrying the load. Prestaging fixes that: create a computer account for each machine (identified by its GUID) and, on the account's Remote Install tab, name the RIS server that must service it. Prestaging also lets you configure each RIS server not to respond to unknown clients, so only machines you have created accounts for can be imaged.
33. You are the administrator for Arbor Shoes. Part of your network configuration is shown in an exhibit. All the computers are running Windows 2000 Professional and are members of the arborshoes.com domain in the company LAN. All the users are members of the Power Users group on their computers. Andrew has dial-up access to the Internet for a special project he is working on. You do not want other users to share Andrew's Internet connection and to have unrestricted Internet Access.
What should you do?
A. Create a high security zone in MS IE.
B. Create a Group Policy Object (GPO) that disables the configuration of connection sharing. Grant Andrew Read and Apply group Policy permissions to the GPO.
C. Create a Group Policy Object (GPO) that disables the configuration of connection sharing. Grant Michel, Laura, and Anita Read and Apply Group Policy permissions to the GPO.
D. Remove the Internet connection from the All Users profile on Andrew's computer and then recreate the connection in Andrew's personal profile.
Answer: B
Andrew is the only user who needs Read and Apply Group Policy on this GPO: the policy that disables configuring Internet Connection Sharing then applies to him and to nobody else (Group Policy filtering by permission). Granting it to the other users instead (option C) would leave Andrew free to share the connection, and a browser security zone (option A) does not restrict sharing at all.
34. You are the administrator of a Windows 2000 domain. You want to deploy a new application named Finance
that will be used by all users in the domain. The vendor of the Finance application supplied a MS install package for the application. You decide to deploy the Finance application in two phases. During Phase 1, only members of a security group named Finance Pilot will use the Finance application. During Phase 2, all users in the domain will be able to install the Finance Application.
You want to accomplish the following goals:
· During Phase 1, the Finance application will not be installed automatically when users log on.
· During Phase 1, users who are members of the Finance Pilot group will be able to install the Finance application by using a Start menu shortcut.
· During Phase 1, users who are not members of the Finance Pilot group will not be able to install the Finance application by using a Start menu shortcut.
· The Finance application will be installed automatically the first time any user in the domain logs on after phase 2 has begun.
You take the following actions:
- Create a new GPO named Deploy Finance and link the deploy Finance GPO to the domain.
- Configure the Deploy Finance GPO to assign the Finance application to users.
- For Phase 1, create a software category named Finance Pilot. ASSIGN the Finance application to the Finance Pilot software category.
- For Phase 2, remove the Finance application from the Finance Pilot software category.
Which results do these actions produce?
A. During Phase 1, the Finance application will not be installed automatically when users log on.
B. During Phase 1, users who are members of the Finance Pilot group can install the Finance application by using a Start menu shortcut.
C. During Phase 1, users who are not members of the Finance Pilot group cannot install the Finance application by using a Start menu shortcut.
D. The Finance application is installed automatically the first time any user in the domain logs on after Phase 2 has begun.
Answer: A, B
Software can be assigned or published through the Software Installation extension of Group Policy. Software categories are only groupings shown in Add/Remove Programs; they do not control who may install a package. Because the Deploy Finance GPO is linked to the domain without filtering, every user gets the Start menu shortcut in Phase 1, so goal C is not met; restricting Phase 1 would require limiting the Apply Group Policy permission on the GPO to the Finance Pilot group. Goal D is not met either: an application assigned to users is only advertised at logon and installs on first use, and automatic installation requires assigning it to computers.
Assigned software:
Software assigned to a user is advertised at logon: a shortcut appears on Start > Programs and the application's file types are registered, but nothing is installed until the user opens the shortcut or double-clicks a file of an associated type. Software assigned to a computer is not advertised; it is installed at the next startup of the computer, before anyone logs on, and only a local administrator can remove it (users can repair it but not remove it).
Published software:
Published applications are not advertised. They are installed from Add/Remove Programs in Control Panel or by document invocation (a user opens a file of a type the application registers). Published applications lack resiliency (they do not self-repair or reinstall if the user deletes them), and applications can only be published to users, not to computers.
35. You are the enterprise administrator of a Windows 2000 network. The network has three domains:
Contoso.com, west.Contoso.com, east.Contoso.com
All three domains are in a site named Boston. All three domains contain OUs. You want to implement new desktop policies for all users on the network. The policies are configured in a Group Policy Object named Gpdesktop. You also want to implement a logon script for users from the W2 OU. The logon script policy is configured in a GPO named Gpscript. The users from the W2 OU always log on to Windows 2000 Professional computers defined in the W3 OU. You do not want to use Group Policy filtering. You want to use the fewest GPO assignments possible.
What should you do?
A. Select and drag Gpdesktop to the middle position of the Contoso.Com domain.
B. Select and drag Gpscript to the second position of the West.Contoso.Com domain.
Answer: A, B
36. You are the administrator of a Windows 2000 network. You are deploying Windows 2000 Professional to 200 client computers. A custom configuration is required for each one of 50 of the client computers. You are using SMS Server to install various applications on all the client computers. You want to use RIS to install Windows 2000 on all of the client computers.
What should you do?
A. Create a CD-based RIS image and different answer files for each custom configuration.
B. Create an RIPrep image for each configuration. Grant Read And Execute permission to users for the image folder.
C. Install a test client computer for each custom configuration. Use the Setup Manager wizard to create an answer file for each configuration.
D. Use the Setup Manager wizard to create a Sysprep answer file. Use third-party imaging software to create a separate image for each configuration.
Answer: A
Unattended installations rely on an "answer file" to provide information during setup process that is usually provided through manual user input. Answer files can be created manually using a text editor or by using the Setup Manager Wizard (SMW) (found in the Windows 2000 Resource Kit Deployment Tools).
37. You are the administrator of a Windows 2000 domain. The domain has 20 users and a Windows 2000 Server computer named Glasgow. Users in the domain frequently work on different Windows 2000 Professional computers. All Windows 2000 Professional computers are in the domain.
You want to accomplish the following goals:
· All users in the domain will be able to work on all Windows 2000 Professional computers and have their own predefined desktop settings available on all computers.
· Users will be allowed to make changes to the desktop settings while they are logged on.
· Changes that users make to the desktop settings will not be saved when they log off.
What should you do?
A. On each Windows 2000 Professional computer, delete the Systemdrive\Documents and Settings\Default User folder.
B. On each Windows 2000 Professional computer, rename the Systemroot\System32\Config\System file to System.man.
C. Configure a roaming profile for each user in the domain. Use \\Glasgow\profiles\%username% as the profile path. On the Glasgow server, rename the ntuser.dat file to ntuser.man for each user.
D. Create a GPO named Delprofile. Assign the Delprofile GPO to the domain. Configure the Delprofile GPO to delete the local copy of a user's profile when the user logs off.
Answer: C
A mandatory roaming user profile will make user's desktop setting available to them on all computers. Users will be able to change those desktop settings but since this is a mandatory (.man) profile, those changes will not be saved.
38. You are the network administrator for Just Togs. Your Windows 2000 network consists of 15,000 users. Users have recently reported that documents are missing from the servers. You need to track the actions of the users to find out who has been deleting the files. You create a GPO on the justtogs.com domain and assign the appropriate permissions to the GPO.
What actions should you audit? (Choose two)
A. Directory Services access
B. Object access
C. Process tracking
D. Privileged use
E. Delete and Delete subfolders and files
Answer: B, E
Auditing has two parts. First, an audit policy (local or through a GPO) turns on the event category, here Object access, since the targets are files on servers. Second, the objects themselves must carry audit entries: in Windows Explorer, on the folders concerned, add an audit entry for the users to watch (Everyone, if you do not know who) covering Delete and Delete Subfolders and Files. To audit files and folders you must be a member of Administrators or hold the "Manage auditing and security log" right assigned in Group Policy. Administrators can also audit access to Active Directory (Directory Service access), which logs successful and failed attempts on directory objects; that is not what the question asks for.
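Once the events are being logged, the work is correlation: for question 24, finding the deletion record and its caller on whichever domain controller handled it; for question 38, tying the handle that was opened with DELETE access to the deletion that followed. The following added example (written for this page, not a Microsoft tool) does both over constructed records in a simplified field layout; the event IDs are the Windows 2000 ones (624 User Account Created, 630 User Account Deleted, 560 Object Open, 562 Handle Closed, 564 Object Deleted), the user names, paths and handle values are made up.

```python
"""Correlate Windows 2000 security-log records to answer two audit
questions: who deleted a user account (Account Management, event 630)
and who deleted a file (Object Access, event 560 granting DELETE on a
handle, followed by event 564 for the same handle). Records are
constructed in a simplified field layout. Neither event is replicated,
so a real search reads the Security log of every domain controller
(for 630) or every file server (for 560/564)."""

from collections import namedtuple

Event = namedtuple("Event", "record server event_id fields")

# Constructed records, not taken from a real log.
EVENTS = [
    Event(101, "DC1", 624, {"Target Account Name": "jdoe",
                            "Caller User Name": "helpdesk1"}),
    Event(102, "DC2", 630, {"Target Account Name": "asmith",
                            "Caller User Name": "bob"}),
    Event(103, "FS1", 560, {"Object Name": r"D:\Shares\Finance\q3.xls",
                            "Handle ID": "0x1A8", "Client User Name": "carol",
                            "Accesses": "DELETE READ_CONTROL"}),
    Event(104, "FS1", 560, {"Object Name": r"D:\Shares\Finance\q3.xls",
                            "Handle ID": "0x1B0", "Client User Name": "dave",
                            "Accesses": "ReadData"}),
    Event(105, "FS1", 564, {"Handle ID": "0x1A8"}),   # carol's handle: object deleted
    Event(106, "FS1", 562, {"Handle ID": "0x1B0"}),   # dave's handle: merely closed
]


def account_deletions(events, account):
    """(server, caller) for every event 630 that deleted the named account."""
    return [(e.server, e.fields["Caller User Name"]) for e in events
            if e.event_id == 630
            and e.fields["Target Account Name"].lower() == account.lower()]


def file_deletions(events):
    """Map deleted file path -> user who deleted it, by joining each 560
    that granted DELETE to the 564 logged later for the same handle on
    the same server. A 560 with DELETE that is never followed by a 564
    was an open that did not end in deletion and is ignored."""
    pending = {}   # (server, handle) -> (path, user)
    deleted = {}
    for e in sorted(events, key=lambda e: e.record):
        key = (e.server, e.fields.get("Handle ID"))
        if e.event_id == 560 and "DELETE" in e.fields["Accesses"].split():
            pending[key] = (e.fields["Object Name"], e.fields["Client User Name"])
        elif e.event_id == 564 and key in pending:
            path, user = pending.pop(key)
            deleted[path] = user
    return deleted


if __name__ == "__main__":
    print(account_deletions(EVENTS, "asmith"))
    print(file_deletions(EVENTS))
```

The handle join matters: a 560 that lists DELETE among the granted accesses only proves the user opened the file with permission to delete it; the 564 for that handle is the record that the deletion happened.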
39. You are the administrator of a Windows 2000 domain. To control the desktop environment of users in the domain, you use a script file named Desktop.vbs to change settings in the current user profile. This script file is deployed as a logon script for all users in the domain. The Desktop.vbs script usually takes 15 seconds to complete its work. You want to ensure that each user's desktop appears only after the Desktop.vbs script is completed.
What should you do?
A. For all users in the domain, set the logon script in the user profile to Desktop.vbs.
B. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to run logon scripts synchronously.
C. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a maximum wait time of 15 seconds for Group Policy scripts.
D. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a timeout of 15 seconds for logon dialog boxes.
Answer: B
When you configure logon scripts, there are settings that allow an administrator to control the maximum time the logon script is allowed to run, and whether to run the logon script synchronously. When a logon script is run synchronously, the user does not have access to the desktop until the logon script terminates.
40. You are the administrator of a Windows 2000 domain named arborshoes.com. You install RIS on the server. You are using RIS to install 35 new client computers. When you start a test client computer, the Client Installation wizard does not appear. You are using network adapter cards that are not PXE compliant. You want to connect to the RIS server.
What should you do?
A. From a command prompt, run Rbfg.exe to create a RIS boot disk.
B. Identify the GUID of each client computer.
C. Set up a DHCP Relay Agent.
D. Install Windows 2000 on the test client computer. Run RIPrep.exe from a network share on the RIS server.
Answer: A
The Remote Installation boot disk lets clients without a PXE-enabled network adapter use the RIS server. The disk carries a PXE emulator that works with the supported PCI network adapters, so one disk serves all of them and a per-adapter network boot disk is no longer needed; the supported adapters are listed in the utility that creates it. That utility is Rbfg.exe, found on the RIS server under the RemoteInstall share in Admin\i386 (\\<RIS server>\Reminst\Admin\i386\Rbfg.exe).
41. You are installing a new Windows 2000 Server computer on your existing Windows NT network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message:
"The domain name specified is already in use on the network".
There are no other Windows 2000 domains on your network. What should you do?
A. Place an entry in your DNS server host table for the domain.local domain name.
B. Place an entry in your WINS database for the domain.local domain name.
C. Change the domain name to domain.com.
D. Change the down level domain name to domain1.
Answer: D
The conflict is with the NetBIOS-compatible (down-level) name. The existing Windows NT 4.0 domain already uses the NetBIOS name "domain", and Dcpromo derives the same down-level name from domain.local. The DNS name can stay as it is; give the new domain a different down-level name such as domain1. DNS or WINS entries (options A and B) do not remove the clash.
42. You are the administrator of your company's network. The company has two native-mode domains in six sites as shown in an exhibit. Each site has one or more domain controllers. Users report that at times of high network usage, authentication and directory searches are extremely slow. You want to improve network performance.
What should you do?
A. Move all domain controllers into one site.
B. Promote more Windows 2000 Server computers in each site to be domain controllers.
C. Install a DNS server in each site and configure it to use Active Directory integration.
D. Designate a domain controller in only one site as a global catalog server (GC).
E. Designate a domain controller in each site as a global catalog server (GC).
Answer: E
A global catalog server (GC) in each site helps because a GC holds a partial replica of every object in the forest, so directory searches are answered by a local server instead of crossing the WAN. A GC must also be contacted at logon to expand universal group membership, so in native-mode domains a site with no GC makes every logon depend on a remote server, which is exactly what slows down under load.
43. You are deploying Windows 2000 Professional on your network. You recently installed a RIS server to expedite the deployment process. Your network is now configured as shown in an exhibit. When you attempt to use the RIS server to deploy Windows 2000 on Julia's and Carlos's computers, you cannot establish the initial connection. Anita and Peter installed Windows 2000 from CD-ROM and did not have any problems with the installation.
What should you do to correct the problem?
A. Integrate the DNS server´s zones into Active Directory.
B. Install a DHCP server and authorize it in Active Directory.
C. Install a WINS server and configure the DNS server to use it for name resolution.
D. Create computer accounts in Active Directory for Julia and Carlos, and specify the name of the RIS server on the Remote Install tab of the Computer Accounts property sheet.
Answer: B
A RIS client has no operating system yet; it gets its TCP/IP configuration, and with it the ability to find the RIS server, from DHCP. Without an authorized DHCP server the PXE boot never gets past obtaining an address, while the CD-ROM installs on Anita's and Peter's computers were never affected.
44. You are the enterprise administrator of a Windows 2000 domain. The domain is in native mode. You want to implement a policy to disable the ShutDown command for all users in the domain except for the members of the Domain Admins security group. You create a new Group Policy object (GPO) named Shutdown. You configure the Shutdown GPO to disable the Shutdown option. You assign the Shutdown GPO to the domain. You want to ensure that the policy does not apply to the members of the Domain Admins group.
What should you do?
A. On the Shutdown GPO, deny the Apply Group Policy permission to the Domain Admins group.
B. On the Shutdown GPO, remove the Apply Group Policy permission from the Authenticated Users group. Grant the Apply Group Policy permission to the Users group.
C. Add the Domain Admins group to the Group Policy Owners group.
D. Create a new OU named No Shutdown. Move the Domain Admins group to the No Shutdown OU. Configure the No Shutdown OU to block policy inheritance.
E. On the computers that the members of the Domain Admins group use to log on, configure the local GPO to enable the Shutdown option.
Answer: A
The GPO is linked at the domain so that it applies to every user. To exempt a group, filter the GPO with security group permissions: a group that is denied Apply Group Policy does not process the GPO even though the link still covers the whole domain. Blocking inheritance on an OU (D) does not work because Group Policy applies to user and computer objects, not to the groups they belong to.
45. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 Server computer named Toronto. Users in the domain frequently work on different Windows 2000 Professional computers. All Windows 2000 Professional computers are in the domain. You want to enable roaming profiles for all users.
You want to accomplish the following goals:
· All users in the domain will be able to work on all Windows 2000 Professional computers and have their own desktop settings available on all computers.
· All users in the domain will be able to make changes to their desktop settings. All users in the domain will be able to access their documents in the My Documents folder from any Windows 2000 Professional computer.
· The amount of data that is copied between the Toronto server and the Windows 2000 Professional computers each time a user logs on or off will be minimized.
What should you do? (Choose two)
A. Configure a roaming profile for each user in the domain. Use \\Toronto\Profiles\%Username% as the profile path.
B. Configure a roaming profile for each user in the domain. Use \\Toronto\Profiles\%Username%\Ntuser.man as the profile path.
C. Create a new Group Policy object (GPO) named Profilescript. Assign the Profilescript GPO to the domain. Configure the Profilescript GPO to assign a logon script to all users. Include the runas/profile explorer.exe command in the logon script.
D. Create a new Group Policy object (GPO) named Docs. Assign the Docs GPO to the domain. Configure the Docs GPO to redirect the My Documents folder to the \\Toronto\Docs\%Username% location.
E. Create a new Group Policy object (GPO) named Profiledocs. Assign the Profiledocs GPO to the domain. Configure the Profiledocs GPO to exclude the My Documents folder from each user's roaming profile.
Answer: A, D
A roaming profile makes each user's desktop settings available on every computer, and because it is not mandatory (no Ntuser.man), users can change those settings. Redirecting My Documents with the Docs GPO keeps the documents on the server rather than inside the profile, so they are reachable from any computer and are no longer copied back and forth at every logon and logoff, which is what minimizes the traffic to Toronto.
46. You are deploying Windows 2000 Professional on your network of 1,000 users. Part of your network is shown in an exhibit. You have recently installed a RIS server to assist in the deployment process. You confirm that the client computers meet the requirements for RIS deployment. However, you still cannot connect the RIS client computers to the RIS server.
Existing client computers are able to connect to all servers for network resources.
What can be causing the problem? (Choose all that apply)
A. The RIS server has no client-side tools installed.
B. The RIS server is not trusted for delegation.
C. The RIS server is not authorized in Active Directory.
D. The client computers are not configured to use DHCP.
E. The RIS server is not configured to respond to client computers requesting service.
Answer: C, E
Remote Installation Services (RIS) lowers the Total Cost of Ownership (TCO) of Windows by automating the installation of new client workstations; with Windows 2000, only Windows 2000 Professional can be installed through it. A RIS server depends on DHCP, Active Directory and DNS, and needs at least 2 GB on an NTFS volume separate from the system and boot partitions for its images. Like a DHCP server, the RIS server must be authorized in Active Directory, and it must be set to respond to clients requesting service (Server > Properties > Remote Install tab). If either is missing, RIS clients cannot connect even though everything else on the network works, which matches the symptoms here.
47. You are the administrator of your company's network. The network consists of two Windows 2000 domains named contoso.com and mktg.contoso.com. You create separate zones for each domain on your DNS server. Later, you add a second DNS server to the network. This server also functions as a domain controller. You convert the contoso.com zone to an Active Directory integrated zone and set the zone to allow only secure updates to the zone database. You discover that unauthorized computers are registering themselves in the mktg.contoso.com domain. You check the zone's properties and discover that the zone is allowing unsecured dynamic updates. You also discover that the option to select Secure Dynamic Updates is not available.
What should you do to correct this problem?
A. Initiate a zone transfer between the mktg.contoso.com zone and the contoso.com zone.
B. Reinstall mktg.contoso.com as a standard secondary zone.
C. Reinstall contoso.com as a standard primary zone.
D. Convert mktg.contoso.com to an Active Directory integrated zone.
Answer: D
"Only secure updates" is offered only for Active Directory integrated zones, because the check relies on the ACLs of the zone's objects in Active Directory. Converting mktg.contoso.com to an Active Directory integrated zone makes the option available; once set, only the computer that registered a name (or an administrator) can change it, which stops unauthorized computers from registering or overwriting records.
48. You are the network administrator for Enchantment Lakes Corporation. Enchantment Lakes Corporation and Five Lakes Publishing are planning a merger. The planned Windows 2000 network configuration is shown in an exhibit. You want to host the fivelakespublishing.com domain on the enchantmentlakes.com DNS server. The fivelakespublishing.com domain uses an Active Directory integrated zone on its DNS server. Five Lakes Publishing will retain its domain structure after the merger is complete. You want to set up the enchantmentlakes.com DNS server to host the fivelakespublishing.com domain.
What should you do?
A. On Server1, create an Active Directory integrated zone named fivelakespubliching.com. Enable WINS lookup, and specify Server7 as the IP address for the WINS server.
B. On Server5, create a secondary zone named fivelakespublishing.com. Configure DNS zone transfers to allow Server1 to replicate data.
C. On Server5, configure DNS zone transfers to allow Server1 to replicate data. On Server1, create a secondary zone named fivelakespublishing.com.
D. On Server1, create an Active Directory integrated zone named fivelakespublishing.com. Configure DNS zone transfers to allow Server5 to replicate data.
Answer: C
A primary zone holds the master copy of a zone and is where all changes are made. A secondary zone holds a read-only replica, pulled from the primary through the zone transfer mechanism, and adds capacity and resilience. An Active Directory integrated zone is a Microsoft-specific zone type whose data lives in Active Directory and replicates with it; to a standard DNS server elsewhere it still behaves as a primary and can be the source of a zone transfer, which is what option C relies on.
Traditionally the master copy of each zone sits in a primary zone on one DNS server, whose Start Of Authority (SOA) record marks it as authoritative, and the zone is distributed to one or more secondary zones on other DNS servers. Restrict zone transfers on Server5 to the named secondary (Server1) rather than leaving them open to any host: a full zone transfer hands an attacker a map of the network.
49. You create a new Windows 2000 Active Directory network. Five months after deployment of the network, you receive a report that the Active Directory database file takes too much disk space on the ServerA domain controller. You want to reduce the size of the Active Directory database file.
What should you do? (Choose three)
A. Restart ServerA in Directory Services restore mode.
B. Stop the Net Logon service on ServerA.
C. Run Windows Backup to back up the System State data. Immediately run Windows Backup again to restore the System State data from the backup.
D. Use the NTDSUTIL utility to compact the database to a folder. Move the compacted database file to the original location.
E. Restart ServerA and boot normally.
F. Start the Net Logon service on ServerA.
Answer: A, D, E
Ntdsutil.exe is a command-line utility for maintaining the Active Directory database; among other things it performs an offline defragmentation that reclaims space from Ntds.dit. The file grows as objects are added and modified, and the online defragmentation that runs with garbage collection does not shrink it. To reduce its size, back up System State first, restart the DC in Directory Services Restore Mode so the database is offline, use Ntdsutil (files, then compact to <folder>) to write a compacted copy, replace the original Ntds.dit with the compacted one, and restart normally. Stopping Net Logon is unnecessary because the directory service is not running in restore mode, and backing up and restoring System State does not compact the file.
50. You are the administrator of a Windows 2000 network. The network is composed of four domains:
arborshoes.com (the root of the forest), na.arborshoes.com, sa.arborshoes.com, fabrikam.com
There are two Windows NT 4.0 BDCs in each domain. Graphic artists place finished artwork for Fabrikam, Inc. in a shared folder located on a domain controller named bna01.fabrikam.com. Read and Write permissions are granted to the Artists Domain local group in the fabrikam.com domain. Sharon is a member of the Graphic Artists global distribution group in the na.arborshoes.com domain. She is unable to gain access to the shared folder. You want to allow Sharon access to the shared folder.
What should you do?
A. Change the Graphic Artists group type to "Security" and add it to the Artists Domain local group.
B. Change the Artists Domain local group to a universal group and add it to the Graphic Artists group.
C. Change the Graphic Artists group to a Domain local group and add it to the Artists Domain local group.
D. Change the mode of the domain controller in na.arborshoes.com to native mode. Add the Graphic Artists group to the Artists Domain local group.
Answer: A
Domain local groups can contain user accounts, global groups and universal groups from any domain in the forest, as well as other domain local groups from the same domain. So the fix is to change Graphic Artists to a security group and add it to the Artists domain local group: a distribution group is not a security principal and never appears in a user's access token, so nesting it gains nothing until its type is changed. Option B is out because every domain still has NT 4.0 BDCs and is therefore in mixed mode, where universal security groups are not available.
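The nesting matrix and the "distribution groups grant nothing" rule above are easy to get wrong in practice, so here is a small Python model of them, added here as an illustration and not code from the original page. It encodes the Windows 2000 rules for global, domain local and universal groups in mixed and native mode, follows nesting only through security groups when building a user's token, and replays question 50: the domain names, group names and user are taken from the question, the mode flags and the helper names are assumptions.

```python
"""Windows 2000 group-scope nesting rules, modelled in Python.

Constructed example: the domains, groups and user mirror question 50; the
rule set is the Windows 2000 nesting matrix (mixed vs. native mode).
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union


@dataclass
class Domain:
    name: str
    native_mode: bool          # False while NT 4.0 BDCs remain (mixed mode)


@dataclass
class User:
    name: str
    domain: Domain


@dataclass
class Group:
    name: str
    domain: Domain
    scope: str                 # "global", "domain_local" or "universal"
    kind: str                  # "security" or "distribution"
    members: List[Union[User, "Group"]] = field(default_factory=list)


def can_nest(container: Group, member: Union[User, Group]) -> Tuple[bool, str]:
    """Apply the Windows 2000 nesting matrix; return (allowed, reason)."""
    same_domain = container.domain is member.domain
    native = container.domain.native_mode
    if container.scope == "universal" and container.kind == "security" and not native:
        return False, "universal security groups exist only in native mode"
    if isinstance(member, User):
        if container.scope == "global" and not same_domain:
            return False, "global groups hold accounts from their own domain only"
        return True, "ok"
    if container.scope == "global":
        if member.scope == "global" and same_domain and native:
            return True, "ok"
        return False, "global groups nest only same-domain global groups, native mode only"
    if container.scope == "domain_local":
        if member.scope == "domain_local" and not (same_domain and native):
            return False, "domain local groups nest same-domain domain local groups, native mode only"
        return True, "ok"          # global or universal groups from any domain in the forest
    if container.scope == "universal":
        if member.scope == "domain_local":
            return False, "universal groups cannot contain domain local groups"
        return True, "ok"
    return False, "unknown scope"


def add_member(container: Group, member: Union[User, Group]) -> None:
    ok, why = can_nest(container, member)
    if not ok:
        raise ValueError(f"cannot add {member.name} to {container.name}: {why}")
    container.members.append(member)


def token_groups(user: User, groups: List[Group]) -> Set[str]:
    """Groups that end up in the user's access token.  Only security groups
    are security principals, so nesting is followed through security groups
    only; a distribution group never confers access, whatever it contains."""
    token: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for g in groups:
            if g.kind != "security" or g.name in token:
                continue
            for m in g.members:
                if m is user or (isinstance(m, Group) and m.kind == "security" and m.name in token):
                    token.add(g.name)
                    changed = True
                    break
    return token


def has_access(user: User, acl_group: Group, groups: List[Group]) -> bool:
    return acl_group.name in token_groups(user, groups)


def scenario():
    """Question 50: Sharon, a global distribution group, a domain local ACL group."""
    na = Domain("na.arborshoes.com", native_mode=False)     # NT 4.0 BDCs present
    fab = Domain("fabrikam.com", native_mode=False)
    sharon = User("Sharon", na)
    graphic_artists = Group("Graphic Artists", na, "global", "distribution", [sharon])
    artists = Group("Artists", fab, "domain_local", "security")
    groups = [graphic_artists, artists]

    add_member(artists, graphic_artists)            # nesting itself is allowed...
    before = has_access(sharon, artists, groups)    # ...but a distribution group grants nothing

    try:                                             # option B: universal group in mixed mode
        add_member(Group("Artists", fab, "universal", "security"), graphic_artists)
        option_b = "allowed"
    except ValueError as err:
        option_b = str(err)

    graphic_artists.kind = "security"                # option A: change the group type
    after = has_access(sharon, artists, groups)
    return before, option_b, after


if __name__ == "__main__":
    print(scenario())
```

Running it prints (False, 'cannot add Graphic Artists to Artists: universal security groups exist only in native mode', True): no access while Graphic Artists is a distribution group, option B rejected by the mode rule, access once the type is changed.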
51. You are the network administrator of a Windows 2000 network. The network domain name is Litware.com. The distinguished name for the Sales OU is:
ou=sales,ou=north america,dc=litware,dc=com
You want to assign Andrew the ability to manage all the objects in the Sales OU. What should you do?
A. Add Andrew to the Domain Admins group.
B. Grant Andrew Full Control permission to the North America OU and disable inheritance at the Sales OU.
C. Grant Andrew Read and Write permissions to the Sales OU.
D. Grant Andrew Full Control permissions to the Sales OU.
E. Move Andrew's user account to the Sales OU.
Answer: D
Full Control on the Sales OU, inherited by the objects inside it, is the narrowest grant that covers the task. Domain Admins (A) is far broader than needed, Read and Write on the OU (C) fall short of creating, deleting and controlling its objects, and Full Control on North America with inheritance blocked at Sales (B) excludes exactly the OU Andrew is supposed to manage.
52. You are the network administrator of a Windows 2000 domain. The domain has a Windows 2000 Server computer named MainApps. The MainApps server is not a domain controller. Members of the Domain Users group have the right to log on locally at the MainApps server. When these members log on locally, you want a script named Setperms.vbs to be executed. This script defines environment variable settings in the current user profile that are needed for the MainApps server.
What should you do?
A. Copy the Setperms.vbs script to the Netlogon share of the MainApps server.
B. Place the Setperms.vbs script in the Sysvol share on the MainApps server.
C. Add the Setperms.vbs script to the local group policies as a logon script.
D. Add the Setperms.vbs script to the local group policies as a startup script.
Answer: C
To run a .vbs script at logon on a single member server, use that server's local Group Policy (or a GPO, if the computer were in an OU of its own) and assign the script as a logon script. Logon and logoff scripts live under User Configuration > Windows Settings > Scripts and run in the user's context, which is what a script that writes to the current user's profile needs; startup and shutdown scripts live under Computer Configuration and run as the local system before anyone logs on, so D would not touch the user profile. Netlogon and Sysvol shares exist on domain controllers, and MainApps is not one.
53. You are the administrator of a Windows 2000 domain. The domain is in native mode. The domain contains 15 Windows 2000 Server computers that are functioning as domain controllers and 1,500 Windows NT Workstation client computers. During a power outage, the first domain controller that you installed suffers a catastrophic hardware failure and will not restart. After the power outage, users report that password changes do not take effect for several hours. In addition, users are not able to log on or connect to resources by using their new passwords.
What should you do to correct this problem?
A. Using the Ntdsutil utility, connect to another domain controller and transfer the PDC emulator role.
B. Using the Ntdsutil utility, connect to another domain controller and seize the PDC emulator role.
C. Using the Ntdsutil utility, connect to another domain controller and transfer the domain naming master role.
D. Using the Ntdsutil utility, connect to another domain controller and seize the domain naming master role.
Answer: B
Every Windows 2000 domain, mixed or native, has one DC holding the PDC emulator role. In mixed mode it acts as the PDC for NT 4.0 BDCs and down-level clients; in every mode it receives password changes from the other DCs by preferential replication and is consulted when a DC fails to validate a password. Losing it therefore shows up exactly as described: password changes that take hours to propagate and new passwords that are rejected. Because the failed DC will not start, the role cannot be transferred (a transfer needs the current holder online); seize it with Ntdsutil from a working DC. Never bring the old DC back onto the network afterwards without reinstalling it, or two DCs will claim the role.
54. When you run DCPromo.exe to install the new domain, you receive an error message stating that the existing domain cannot be contacted. Installation of the new child domain will not proceed.
What should you do to correct this problem?
A. Create an Active Directory integrated zone for the child domain on the new domain controller.
B. Install WINS on the new domain controller.
C. Configure the new domain controller with the address of an authoritative DNS server for the existing domain.
D. Configure the new domain controller with the address of an existing WINS server.
E. Add SRV (service) records for the domain naming master to a Hosts file on the new domain controller.
Answer: C
Dcpromo locates the existing domain through the SRV records (_ldap._tcp.dc._msdcs.<domain> and related) that its domain controllers register in DNS, so the new server's TCP/IP settings must point at a DNS server that is authoritative for, or can resolve, the existing domain. WINS and Hosts entries carry no SRV records, and a zone for the child domain does not help find the parent.
55. Your name is Avi Gaspan and you are the administrator of your company's WAN. Your company has four locations connected by dedicated 256-Kbps leased lines. You install and configure a Windows 2000 domain controller at each location. For network performance reasons, you want to control the bandwidth usage and replication schedule of directory information to each domain controller in each location.
What should you do? (Choose two)
A. Create a site for each location.
B. Create a site that spans all the locations.
C. Create server objects for each domain controller in every site.
D. Create server objects for each domain controller in its own site.
E. Copy all server objects from Default-First-Site-Name to each site.
F. Move each server object from Default-First-Site-Name to the appropriate site.
Answer: A, F
A site is a collection of one or more IP subnets containing one or more DCs, where everything inside the site is connected by high-speed, reliable links. DCs in the same site replicate with each other as changes occur; replication between sites is compressed and follows the schedule and cost of the site links, which is what gives you control over WAN bandwidth. A site per location, with each server object moved out of Default-First-Site-Name into its site, is the required setup.
56. You are the administrator of your company's network. Your company has its main office in North America and has branch offices in Asia and Europe. The locations are connected by dedicated 256-Kbps lines. The network consists of one Windows 2000 domain. To minimize logon authentication traffic across the slow links, you create a site for each office and configure the site links between the sites. Users in the branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in the North America site.
What should you do to correct this problem?
A. Schedule replication to occur more frequently between the sites.
B. Schedule replication to occur less frequently between the sites.
C. Create a subnet for each physical location, associate the subnets with the North America site and move server objects to the North America site.
D. Create a subnet for each physical location, associate each subnet with its respective site and move each server object to its respective site.
Answer: D
The fix is to make each site's own DCs handle its authentication instead of the North America DCs. The DC locator decides which site a client is in from the subnet objects in Active Directory, so with no subnets associated with the sites, and with the server objects still sitting in the North America site, clients have no reason to prefer a local DC. A GC in each site would help as well, since universal group membership must be resolved at logon.
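The subnet-to-site lookup that the locator performs is the crux of questions 55 and 56, so here is a Python model of it, added as an illustration and not taken from the page. The site names, subnets, DC names and client addresses are constructed; the longest-prefix matching and the "no matching subnet means no site affinity" behaviour are what the example is meant to show, contrasting the network before and after the subnets and server objects are put in place.

```python
"""Site lookup by IP subnet, the way the DC locator picks a site for a client.

Added illustration for questions 55 and 56; the site names, subnets, server
names and client addresses are constructed and not from the page.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_subnet_table(site_subnets: Dict[str, List[str]]) -> Table:
    """Flatten {site: [subnet, ...]} into (network, site) pairs, most specific
    first, so the first matching entry is the longest-prefix match."""
    table: Table = [(ipaddress.ip_network(net), site)
                    for site, nets in site_subnets.items() for net in nets]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip: str, table: Table) -> Optional[str]:
    """Return the site whose subnet object covers the client address, or None
    when no subnet object matches (the client then has no site affinity)."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def dcs_for_client(ip: str, table: Table, site_dcs: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """DCs the client should authenticate against.  With no matching subnet the
    locator cannot prefer a site, so any DC in the domain is a candidate."""
    site = site_for_ip(ip, table)
    if site is None:
        return "(no site affinity)", sorted(dc for dcs in site_dcs.values() for dc in dcs)
    return site, site_dcs[site]


# Before the fix: sites exist but no subnet objects, and every server object
# is still in Default-First-Site-Name (the North America DCs).
BEFORE_SUBNETS: Dict[str, List[str]] = {}
BEFORE_DCS = {"Default-First-Site-Name": ["DC-NA1", "DC-NA2"]}

# After the fix: one subnet per location, each associated with its site,
# and each server object moved to its site.
AFTER_SUBNETS = {
    "NorthAmerica": ["10.1.0.0/16"],
    "Asia":         ["10.2.0.0/16"],
    "Europe":       ["10.3.0.0/16", "10.3.50.0/24"],   # a more specific subnet, also Europe
}
AFTER_DCS = {
    "NorthAmerica": ["DC-NA1", "DC-NA2"],
    "Asia":         ["DC-ASIA1"],
    "Europe":       ["DC-EU1"],
}


def where_does_logon_go(client_ip: str, fixed: bool) -> Tuple[str, List[str]]:
    subnets, dcs = (AFTER_SUBNETS, AFTER_DCS) if fixed else (BEFORE_SUBNETS, BEFORE_DCS)
    return dcs_for_client(client_ip, build_subnet_table(subnets), dcs)


if __name__ == "__main__":
    for ip in ("10.2.14.9", "10.3.50.7", "10.9.0.1"):
        print(ip, where_does_logon_go(ip, fixed=False), where_does_logon_go(ip, fixed=True))
```

A client in the Asia office (10.2.14.9) is sent to the North America DCs before the fix and to DC-ASIA1 after it; an address that still matches no subnet object (10.9.0.1) keeps falling back to any DC, which is the thing to check when one branch keeps logging on across the WAN.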
57. You are the administrator of your company's network. Your company's main office is in Seattle. Large regional offices are located in the following locations:
Chicago
Los Angeles
New York
Three smaller branch offices are located within each region. The regional offices are connected to the main office by T1 lines. The branch offices are connected to the regional offices by ISDN lines. Branch offices in Boston, Dallas, and San Diego also have direct ISDN connections with Seattle. The network consists of one Windows 2000 domain. For fault tolerance and load balancing purposes, each office has its own Windows 2000 domain controller. Each office is configured as its own site. All site links have been created.
You want to create a replication topology that allows only the regional offices to communicate with the main office. You want to ensure that each branch office communicates only with the closest regional office.
What should you do?
A. Manually create connection objects between the domain controllers in the main office and the regional offices Use SMTP as the transport protocol.
B. Manually create connection objects between each branch office and the closest regional office. Use SMTP as the transport protocol.
C. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the main office and all other offices.
D. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the branch offices and the regional offices.
Answer: C
SMTP replication is available only between sites and cannot carry the domain partition, so it can only be used between domain controllers of different domains; in this single-domain network every inter-site connection has to use RPC over IP, which rules out A and B. (Within a site, RPC over IP is always the choice, since intra-site links are fast and reliable.) D creates connections only between the branch and regional offices and says nothing about the main office, which is a stated requirement. That leaves C.
58. You are the administrator of your company's network. Your company's main office is in Chicago. Company operations are divided into two regions, East and West.
The East region has an office in Miami and in New York, the West region has an office in Denver and in Seattle
The offices in the East region contain the Human Resources (HR) and Marketing (Mktg) departments. The offices in the West region contain the sales and finance departments. Company IT policy states that Group Policy must be applied only at the organizational unit (OU) level and that user groups must correspond to departments.
You want to accomplish the following goals:
· Control of users and resources can be delegated to local and departmental administrators.
· The IT department can control Group Policy for the entire enterprise.
· A single Group Policy object (GPO) can be applied to the sales and marketing departments.
· User environments can be customized by city.
You implement an OU structure as shown in an exhibit. Which result or results does your implementation produce? (Choose all that apply)
A. Control of users and resources can be delegated to local and departmental administrators.
B. The IT department can control Group Policy for the entire enterprise.
C. A single GPO can be applied to the sales and marketing departments.
D. User environments can be customized by city.
E. This question depends on the exhibit (choose this answer).
Answer: E
Depends on the exhibit.
59. You are the network administrator for the Lucerne Real Estate Company. The network consists of one Windows 2000 domain named lucernerealestate.local. The network is not currently connected to the Internet. You are installing a new domain named lucernerealestate1.local. During the promotion process, you receive the following error message:
"The domain name specified is already in use on the network"
What is the most likely cause of the problem?
A. The default-generated DNS domain name is already in use.
B. DNS domain names cannot be named interactively.
C. The default-generated NetBios domain name is already in use.
D. NetBios domain names cannot be named interactively.
Answer: C
This is otherwise known as the down-level domain name.
60. You are the administrator of your company's network. The Network consists of one Windows 2000 domain. Your company has two locations, which are connected by a dedicated T1 line. Users frequently report that logons to the network, file transfers, and directory searches are extremely slow. When you monitor the network, you discover that replication between domain controllers is generating excessive network traffic between the locations.
You want to accomplish the following goals:
· Replication traffic between locations will be reduced.
· Logon response time for users will be improved.
· Average file transfer rates for users will be improved.
· Directory search response times will be improved.
· All domain controllers will have up-to-date replicas of the directory.
· Fault tolerance for domain logons and directory searches will be maintained.
You take the following actions:
- Configure a domain controller in each location to be a global catalog server (GC).
- Create a new subnet in Active Directory for each location.
- Modify the location attribute of each domain controller's server object.
Which result or results do these actions produce? (Choose all that apply)
A. Replication traffic between locations is reduced.
B. Logon response time for users is improved.
C. Average file transfer rates for users are improved.
D. Directory search response times are improved.
E. All domain controllers have up-to-date replicas of the directory.
F. Fault tolerance for domain logons and directory searches is maintained.
Answer: A, B, D, E, F
A site is a collection of DCs and at least one subnet, with high-speed connections between the computers inside it. A GC server (for directory searches and logon) and a DNS server (for locating DCs quickly) are recommended in each site. File transfer rates depend on the link, not on site design, which is why C is not among the results.
61. You are the administrator of a newly installed Windows 2000 network for a call center. You need to rename the Administrator account on all computers on your network. You do not want to manually edit each account. Because of a recent security breach, you must implement this policy immediately.
What should you do? (Choose all that apply)
A. Use Group Policy to rename the Administrator account at the Default Domain Group policy.
B. Use Group Policy to implement a user logon script.
C. Send a network message to all users to restart their computers.
D. Use Group Policy to force all users to log off within 30 minutes.
Answer: A, D
You can rename the Administrator account through a GPO linked to the domain: "Rename administrator account" is under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Because it is a computer setting, it takes effect at startup or at the next policy refresh (every 90 minutes on workstations and member servers, every 5 minutes on domain controllers), so forcing users off and restarting is how you get it applied immediately. One caveat: renaming does not change the account's well-known relative ID (500), so anyone who can enumerate accounts by SID still finds it. Treat the rename as a speed bump, and pair it with a strong password and auditing of that account.
62. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.
What should you do?
A. Run the Nslookup command-line utility.
B. Use the Event Viewer and monitor the DNS server log.
C. Use the monitoring function of the server properties in the DNS console.
D. Use the DNS counters in System Monitor.
E. Check the contents of the Netlogon.dns file.
Answer: D
System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions
63. You are the administrator of your company's network. You have been auditing security events on the network since it was installed. A user on your network named JOHN THORSON recently reported that he was no longer able to change his password. Because there have been no recent changes to account policies, you suspect that someone has been modifying the properties of user accounts in Active Directory. There are thousands of entries in the event logs, and you need to isolate and review the events pertaining to this problem in the least possible amount of time.
What should you do?
A. In the security log, create a filter for events matching the following criteria:
Event source: Security Category: Account Management User: JTHORSON.
B. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security Category: Security. Search the remaining items for events referencing John Thorson's account.
C. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security Category: Global Catalog User: JTHORSON.
D. In the security log, create a filter for events matching the following criteria:
Event source: Security Category: Account Management. Search the remaining items for events referencing John Thorson's account.
Answer: D
To view a subset of events with specific characteristics, click Filter on the View menu of Event Viewer. Filtering changes only the view, not the log; if you archive from a filtered view, every record is still saved, even as text or comma-delimited text. D rather than A because the User column of a security event is the account that performed the action (here, whoever edited John's account), not the account acted upon: filtering on User = JTHORSON would hide precisely the events you want. Filter on Source and Category, then search the descriptions for John Thorson's account name.
64. You are the administrator for a Windows 2000 network. Your network consists of one domain and two organizational units (OUs). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created, but you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A
Account creation and deletion are recorded as Account Management events, with the name of the administrator who performed the action, on the domain controller that processed the change. Security logs are local to each DC and are not replicated, so search each DC's security log, filtered on the Account Management category. Object Access auditing covers files and other securable objects rather than directory accounts, and a deleted account no longer shows up in Active Directory Users and Computers.
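Questions 63 and 64 both come down to filtering the security log on Source and Category and then reading the description for the target account, while the User column names the actor. The Python below, added here as an illustration and not from the page, does that over a constructed export in the column layout Event Viewer uses when a log is saved as CSV. The administrator names, timestamps and computer names are made up; the event IDs are those of the Windows 2000 security log (642 user account changed, 630 user account deleted, 627 change password attempt, 528 successful logon, 560 object open).

```python
"""Filtering an exported Windows 2000 security log for Account Management
events about one account (questions 63 and 64).

Added example; the events below are constructed in the column layout Event
Viewer uses when a log is saved as CSV (Date, Time, Source, Type, Category,
Event, User, Computer, Description).
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

SAMPLE_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
3/12/2001,9:02:11 AM,Security,Success Audit,Logon/Logoff,528,JTHORSON,DC1,"Successful Logon: User Name: JTHORSON Domain: ARBORSHOES"
3/12/2001,9:15:40 AM,Security,Success Audit,Account Management,642,HELPDESK2,DC1,"User Account Changed: Target Account Name: JTHORSON Target Domain: ARBORSHOES Changed Attributes: User Cannot Change Password"
3/12/2001,9:16:02 AM,Security,Success Audit,Account Management,630,HELPDESK2,DC1,"User Account Deleted: Target Account Name: LREILLY Target Domain: ARBORSHOES"
3/12/2001,9:40:13 AM,Security,Failure Audit,Account Management,627,JTHORSON,DC1,"Change Password Attempt: Target Account Name: JTHORSON Target Domain: ARBORSHOES"
3/12/2001,9:41:55 AM,Security,Success Audit,Object Access,560,JTHORSON,FS1,"Object Open: Object Name: D:\\Share\\report.doc"
"""

Event = Dict[str, str]


def parse_events(text: str) -> List[Event]:
    """One dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events: List[Event], source: Optional[str] = None,
                  category: Optional[str] = None, user: Optional[str] = None) -> List[Event]:
    """The same criteria the Event Viewer filter dialog offers."""
    out = []
    for e in events:
        if source and e["Source"] != source:
            continue
        if category and e["Category"] != category:
            continue
        if user and e["User"].upper() != user.upper():
            continue
        out.append(e)
    return out


def events_about(events: List[Event], account: str) -> List[Event]:
    """Search the description text for the account acted upon."""
    needle = f"TARGET ACCOUNT NAME: {account.upper()}"
    return [e for e in events if needle in e["Description"].upper()]


def who_changed(account: str, text: str = SAMPLE_CSV) -> List[Tuple[str, str]]:
    """Answer D: filter on Source/Category, then search descriptions.
    Returns (event id, actor) pairs; the actor is whoever touched the account."""
    events = filter_events(parse_events(text), source="Security", category="Account Management")
    return [(e["Event"], e["User"]) for e in events_about(events, account)]


def answer_a_view(account: str, text: str = SAMPLE_CSV) -> List[Tuple[str, str]]:
    """Answer A: adding User=<account> to the filter keeps only what the user did
    himself and drops the administrator's change to his account."""
    events = filter_events(parse_events(text), source="Security",
                           category="Account Management", user=account)
    return [(e["Event"], e["User"]) for e in events]


def deletions(text: str = SAMPLE_CSV) -> List[Tuple[str, str]]:
    """Question 64: (deleted account, who deleted it) from event 630 records."""
    events = filter_events(parse_events(text), source="Security", category="Account Management")
    return [(e["Description"].split("Target Account Name: ")[1].split()[0], e["User"])
            for e in events if e["Event"] == "630"]


if __name__ == "__main__":
    print("answer D:", who_changed("JTHORSON"))
    print("answer A:", answer_a_view("JTHORSON"))
    print("deleted :", deletions())
```

The D-style filter surfaces HELPDESK2 setting "User Cannot Change Password" on John's account, which the A-style filter never shows; for question 64, run deletions() against the export from each domain controller in turn.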
65. You are the administrator of your company's network. The network is configured in a Windows 2000 domain as shown in an exhibit. You want to strengthen the security of communications between client computers and servers in the Reps organizational unit (OU). You do not want to decrease overall productivity of the domain.
What should you do?
A. Create one Group Policy object (GPO) in the Sales OU. Increase maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
B. Create one Group Policy object (GPO) in the Sales OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
C. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and increase maximum lifetime that a user ticket can be renewed in the GPO.
D. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
Answer: C
Kerberos policies are for domain user accounts and determine Kerberos-related settings, such as ticket lifetimes and enforcement. The Kerberos policies are:
Enforce User Logon Restrictions
When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. Default value: Enabled.
Maximum Lifetime That a User Ticket Can Be Renewed (in this scenario, increase this setting)
This is the maximum lifetime of a ticket, either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket". No ticket can be renewed after this time. Default value: 7 days.
Maximum Service Ticket Lifetime (in this scenario, decrease this setting)
A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
Maximum Tolerance for Synchronization of Computer Clocks
When the KDC's clock differs from the Kerberos client's clock by more than this many minutes, the KDC refuses to issue tickets to that client. A tight tolerance limits how long a captured authenticator can be replayed. Settings are in minutes. Default value: 5 minutes.
Maximum User Ticket Lifetime
A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
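The interaction between these five settings is easier to see in code than in prose, so here is a Python model of them, added as an illustration and not taken from the page. It validates the constraints between the settings, issues and renews a TGT, derives a service ticket from it, and checks the clock tolerance; the policy values are the defaults quoted above plus a constructed "Reps" policy with a shorter service ticket lifetime and a longer renewal window, and the timestamps are made up. The rule that a service ticket cannot outlive the TGT it was obtained with follows Kerberos (RFC 4120), not a Windows-specific setting.

```python
"""Kerberos ticket lifetimes under a Windows 2000 Kerberos policy, modelled.

Added example for question 65; the policy values are the page's defaults plus
a constructed tightened policy for the Reps OU.  Issue and renewal rules follow
Kerberos (RFC 4120): a service ticket cannot outlive the TGT it came from, and a
TGT can be renewed only until its renew-till time.
"""
from datetime import datetime, timedelta
from typing import Dict, List

DEFAULT_POLICY: Dict[str, int] = {
    "max_service_ticket_min": 600,   # Maximum Service Ticket Lifetime, minutes (10 hours)
    "max_user_ticket_hours": 10,     # Maximum User Ticket Lifetime (TGT)
    "max_renew_days": 7,             # Maximum Lifetime That a User Ticket Can Be Renewed
    "clock_skew_min": 5,             # Maximum Tolerance for Synchronization of Computer Clocks
}

# Constructed policy for the Reps OU: shorter service tickets, longer renewal window.
REPS_POLICY = dict(DEFAULT_POLICY, max_service_ticket_min=60, max_renew_days=10)

LOGON = datetime(2001, 3, 12, 8, 0)       # constructed timestamps
REQUEST = datetime(2001, 3, 12, 9, 0)


def validate_policy(p: Dict[str, int]) -> List[str]:
    """Constraints the policy editor enforces between the settings."""
    problems = []
    user_min = p["max_user_ticket_hours"] * 60
    if not (10 < p["max_service_ticket_min"] <= user_min):
        problems.append("service ticket lifetime must exceed 10 minutes and not exceed the user ticket lifetime")
    if p["max_renew_days"] * 24 < p["max_user_ticket_hours"]:
        problems.append("renewal lifetime must not be shorter than the user ticket lifetime")
    return problems


def clocks_in_tolerance(kdc_now: datetime, client_now: datetime, p: Dict[str, int]) -> bool:
    """Requests whose timestamp is off by more than the tolerance are refused,
    which bounds how long a captured authenticator can be replayed."""
    return abs(kdc_now - client_now) <= timedelta(minutes=p["clock_skew_min"])


def issue_tgt(now: datetime, p: Dict[str, int]) -> Dict[str, datetime]:
    return {
        "start": now,
        "end": now + timedelta(hours=p["max_user_ticket_hours"]),
        "renew_till": now + timedelta(days=p["max_renew_days"]),
    }


def renew_tgt(tgt: Dict[str, datetime], now: datetime, p: Dict[str, int]) -> Dict[str, datetime]:
    """Renew before expiry; the new end time never passes renew_till.  After
    renew_till the user must authenticate again with a password or smart card."""
    if now > tgt["end"]:
        raise ValueError("TGT already expired; full re-authentication required")
    if now > tgt["renew_till"]:
        raise ValueError("renewal window exhausted; full re-authentication required")
    new_end = min(now + timedelta(hours=p["max_user_ticket_hours"]), tgt["renew_till"])
    return dict(tgt, end=new_end)


def issue_service_ticket(tgt: Dict[str, datetime], now: datetime, p: Dict[str, int]) -> Dict[str, datetime]:
    """A service (session) ticket lives at most max_service_ticket_min and,
    whatever the policy says, not beyond the end of the TGT it came from."""
    if not (tgt["start"] <= now <= tgt["end"]):
        raise ValueError("TGT not valid at request time")
    end = min(now + timedelta(minutes=p["max_service_ticket_min"]), tgt["end"])
    return {"start": now, "end": end}


def service_ticket_minutes(policy: Dict[str, int], logon: datetime, request: datetime) -> int:
    """Minutes a service ticket requested at `request` stays usable."""
    tgt = issue_tgt(logon, policy)
    ticket = issue_service_ticket(tgt, request, policy)
    return int((ticket["end"] - ticket["start"]).total_seconds() // 60)


def demo() -> Dict[str, object]:
    """Compare the default policy with the Reps policy on the same timeline."""
    tgt = issue_tgt(LOGON, DEFAULT_POLICY)
    renewed = renew_tgt(tgt, LOGON + timedelta(hours=9), DEFAULT_POLICY)
    return {
        "default_service_min": service_ticket_minutes(DEFAULT_POLICY, LOGON, REQUEST),
        "reps_service_min": service_ticket_minutes(REPS_POLICY, LOGON, REQUEST),
        "renewed_tgt_end": renewed["end"].isoformat(),
        "skew_6_min_ok": clocks_in_tolerance(LOGON, LOGON + timedelta(minutes=6), DEFAULT_POLICY),
        "default_policy_problems": validate_policy(DEFAULT_POLICY),
        "reps_policy_problems": validate_policy(REPS_POLICY),
        "bad_policy_problems": validate_policy(dict(DEFAULT_POLICY, max_service_ticket_min=10)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the defaults, a service ticket requested an hour after logon is usable for the remaining 540 minutes of the TGT; under the Reps policy it expires after 60 minutes, so a ticket lifted from a compromised workstation is worth far less, while the longer renewal window keeps users from having to re-enter credentials more often, which is the productivity side of the question.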
66. You are the administrator of your company's network. Your event log shows that hackers are using brute force attacks to attempt to gain access to your network. You do not want user accounts to be easily accessible. You want to strengthen security to protect against brute force attacks.
What should you do? (Choose two)
A. Enable the "Users must log on to change the password" setting.
B. Enable the "Store password using reversible encryption for all users in the domain" setting.
C. Enable the "Password must meet complexity requirements" setting.
D. Increase minimum password length.
E. Increase minimum password age.
Answer: C, D
All the above settings are available in the Security Configuration and Analysis console. The best two choices here are "Password must meet complexity requirements" and "Minimum password length", which together produce a "strong password". A third choice could be "Minimum password age", which prevents users from changing their password and then immediately changing it back to the original. However, the question asks for only two answers.
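To make the individual settings concrete, here is an added example (not code from the page or from Microsoft) that applies the settings named in this question, plus the password age and history settings that question 83 below relies on, to a password change request. The complexity rule is the documented Windows 2000 one (at least six characters, not containing the account name, characters from three of four classes); the policy object, account name and sample passwords are constructed.

```python
"""Password policy checks for the settings named in questions 66 and 83.

Added example, not from the original page. The complexity rule follows the
documented Windows 2000 filter (six or more characters, no account name,
three of four character classes); everything else here is a constructed
model, including keeping previous passwords in plaintext for the history
check (a real directory keeps only hashes).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8          # "Minimum password length"
    complexity: bool = True      # "Password must meet complexity requirements"
    history_size: int = 24       # "Enforce password history" (0 disables the check)
    max_age_days: int = 42       # "Maximum password age" (0 means passwords never expire)
    min_age_days: int = 1        # "Minimum password age"


def meets_complexity(password: str, account_name: str) -> bool:
    """Windows 2000 complexity requirement (account-name check simplified to the
    whole account name; the real filter also rejects parts of the full name)."""
    if len(password) < 6:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def change_allowed(policy: PasswordPolicy, account_name: str, new_password: str,
                   history: list, last_set: date, today: date) -> str:
    """Return 'ok' or the name of the setting that rejects the change.
    `history` holds the account's previous passwords, newest first."""
    if policy.min_age_days and today - last_set < timedelta(days=policy.min_age_days):
        return "minimum password age"
    if len(new_password) < policy.min_length:
        return "minimum password length"
    if policy.complexity and not meets_complexity(new_password, account_name):
        return "complexity requirements"
    if policy.history_size and new_password in history[:policy.history_size]:
        return "password history"
    return "ok"


def must_change(policy: PasswordPolicy, last_set: date, today: date) -> bool:
    """Maximum password age: forces a periodic change; zero means never."""
    if policy.max_age_days == 0:
        return False
    return today - last_set >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(change_allowed(policy, "blake", "W1nter-Sun", [], date(2000, 8, 1), date(2000, 9, 4)))  # ok
    print(change_allowed(policy, "blake", "password1", [], date(2000, 8, 1), date(2000, 9, 4)))   # complexity requirements
```

The order of the checks mirrors how the settings reinforce each other: minimum age stops the immediate change-back trick, length and complexity raise the cost of a brute force or dictionary guess, and history with a maximum age together force a genuinely new password at a regular interval.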
67. You are the administrator for Arbor Shoes. Administrative control of Active Directory has been delegated to several people in the company. You need to track changes made to the arborshoes.com domain. To ensure accountability of the other administrators' actions, you want to monitor user and computer account creation and deletion.
What should you do?
A. Modify the default Group Policy object (GPO) on the arborshoes.com domain. Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.
B. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.
C. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.
D. Modify the default Group Policy object (GPO) on the arborshoes.com domain. Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.
Answer: B
Account Management and Directory Services access will track changes in user/computer account creation and deletion.
68. You are the network administrator of your company's Windows 2000 domain. Your company wants to deploy a custom application named Drawing. To configure the Drawing application, you need to get a custom policy setting in the HKCU\Software\Policies location in the registry for every user in the domain.
What should you do?
A. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Configure the Draw Settings GPO to run a startup script that changes the application HKCU\Software\Policies in the registry.
B. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Configure the Draw Settings GPO to run a logon script that changes the application HKCU\Software\Policies in the registry.
C. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Create a new Administrative template that defines the custom policy setting. Add the new Administrative template to the Draw Settings GPO. Configure the Draw Settings GPO to set the appropriate policy.
D. Create a registry file that has the .REG filename extension. Edit the registry file to change the appropriate HKCU\Software\Policies location in the registry.
Answer: C
Administrative (ADM) templates are files that define the settings an administrator can configure through the Group Policy utility. By default, two ADM files are loaded when a new GPO is created, one for the user and one for the computer: Inetres.adm (Internet Explorer settings) and System.adm (Windows 2000 operating system component settings). The ADM templates are included in Windows 2000 and are located in the %SystemRoot%\Inf folder.
69. There are two domains named Treyresearch.com and na.Treyresearch.com. Blake's user account is in Treyresearch.com. Blake needs to use support documents located in na.Treyresearch.com. You create a global group named NASupport in na.Treyresearch.com. NASupport is a member of the domain local group named Support. Support has Read permission to the Support shared folder in the na.Treyresearch.com. Your network contains only Windows 2000 domain controllers. Domains are in native mode. You want to grant Blake Read permission to the Support shared folder.
What should you do?
A. Create a universal group in Treyresearch.com. Make Blake a member of this universal group. Add the universal group to NASupport.
B. Create a new user account in na.Treyresearch.com. Use the same name and password that Blake uses for his user account in Treyresearch.com.
C. Create a global group in Treyresearch.com. Make Blake a member of this global group. Add the global group to NASupport.
D. Create a universal group in na.Treyresearch.com. Make Blake a member of this universal group. Add the universal group to the Support group.
E. Create a new global group named Global Support in Treyresearch.com. Add Blake to the new global group. Add the Global Support group to the Support group.
Answer: E
Windows 2000 security groups:
Domain Local - can contain user accounts, global groups and universal groups from any domain in the forest, as well as other domain local groups from the same domain. Domain local groups can be used only in their own domain and can be assigned permissions only for resources located in that domain.
Global - can contain user accounts and global groups from the same domain. Global groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest.
Universal - can contain user accounts, global groups and universal groups from any domain in the forest. Universal groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest. Universal group membership is validated at logon by Global Catalog servers.
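The scope rules above decide which of the answer options in question 69 can even be carried out. As an added example (not code from the page or from Microsoft), the following constructed model encodes the three nesting rules and the domain local "own domain only" ACL rule, then replays options A, C and E with the domain and group names from the question; only E both passes the nesting checks and puts Blake inside the group that holds the Read permission.

```python
"""Group-scope nesting rules from the list above, applied to question 69.

Added example, not from the original page. Domain and group names come
from the question; the Principal class and the scope-rule functions are a
constructed model of native-mode nesting, not the directory's own code.
"""
from dataclasses import dataclass, field

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = USER
    members: list = field(default_factory=list)


def can_contain(container: Principal, member: Principal) -> bool:
    """Native-mode membership rules for the three security group scopes."""
    same_domain = container.domain == member.domain
    if container.scope == GLOBAL:
        # users and global groups from the same domain only
        return member.scope in (USER, GLOBAL) and same_domain
    if container.scope == UNIVERSAL:
        # users, global and universal groups from any domain in the forest
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    if container.scope == DOMAIN_LOCAL:
        # users/global/universal from any domain, domain local only from its own domain
        if member.scope == DOMAIN_LOCAL:
            return same_domain
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    return False  # a user contains nothing


def can_hold_permission(group: Principal, resource_domain: str) -> bool:
    """Domain local groups may only appear on ACLs of resources in their own domain."""
    if group.scope == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.scope in (GLOBAL, UNIVERSAL)


def add_member(container: Principal, member: Principal) -> None:
    if not can_contain(container, member):
        raise ValueError(f"{container.scope} group {container.name} cannot contain "
                         f"{member.scope} {member.name} from {member.domain}")
    container.members.append(member)


def effective_users(group: Principal) -> set:
    """Flatten nested groups down to the set of user names."""
    users = set()
    for m in group.members:
        if m.scope == USER:
            users.add(m.name)
        else:
            users |= effective_users(m)
    return users


def user_can_read_share(user: Principal, acl_group: Principal, resource_domain: str) -> bool:
    return can_hold_permission(acl_group, resource_domain) and user.name in effective_users(acl_group)


def scenario(option: str) -> bool:
    """Replay answer options A, C and E; True when Blake ends up with Read on the share."""
    root, child = "Treyresearch.com", "na.Treyresearch.com"
    blake = Principal("Blake", root)
    support = Principal("Support", child, DOMAIN_LOCAL)      # holds Read on the Support share
    nasupport = Principal("NASupport", child, GLOBAL)
    add_member(support, nasupport)
    try:
        if option == "A":
            u = Principal("U", root, UNIVERSAL)
            add_member(u, blake)
            add_member(nasupport, u)   # rejected: a global group cannot contain a universal group
        elif option == "C":
            g = Principal("G", root, GLOBAL)
            add_member(g, blake)
            add_member(nasupport, g)   # rejected: global groups only nest within one domain
        elif option == "E":
            g = Principal("Global Support", root, GLOBAL)
            add_member(g, blake)
            add_member(support, g)     # allowed: domain local takes a global group from any domain
    except ValueError:
        return False
    return user_can_read_share(blake, support, child)


if __name__ == "__main__":
    for opt in "ACE":
        print(opt, scenario(opt))   # A False, C False, E True
```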
70. You want to implement a password policy for all users in an organizational unit (OU) named Sales in a Windows 2000 network. All the users in the Sales OU are in a group named Sales Users. You create a Group Policy object (GPO) named PassB to enforce a minimum password length of six characters. You assign the PassB GPO to the Sales OU. There are no other GPOs assigned that specify a minimum password length. However, the week after you assign the PassB GPO to the Sales OU, users from the Sales OU report that they can still change their passwords to consist of fewer than six characters.
How should you correct this problem?
A. Ensure that the Sales Users group has Read and Apply Group Policy permissions on the PassB GPO.
B. Apply the PassB GPO to the domain instead of to the Sales OU. Filter the policy for the Sales Users group.
C. For the Sales OU, block policy inheritance.
D. For the Sales OU, enforce policy inheritance on the PassB GPO.
Answer: B
To implement strong password requirements for your domain, configure a group policy object linked to your domain. You can further filter the policy using the "Read and Apply Group Policy" permission.
71. You are the administrator of a Windows 2000 network for Lucerne Real Estate. The network has 1,200 users. You are delegating part of the administration of the domain to three users. You delegate the authority to create and delete computer accounts to Carlos. You delegate the authority to change user account information to Julia. You delegate the ability to add client computers to the domain to Peter. You want to track the changes made to the directory by these three users.
What should you do?
A. Create a Group Policy object (GPO) for the domain controllers. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and account management.
B. Create a Group Policy object (GPO) for the domain. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and audit object access.
C. Create a Group Policy object (GPO) for the domain controllers. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and audit object access.
D. Create a Group Policy object (GPO) for the domain. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit object access and process tracking.
Answer: A
Account Management and Directory Services access will track changes in user/computer account creation and deletion, as well as user account changes. By assigning Read and Apply Group Policy permissions to just these users, you filter the GPO.
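Turning the audit policy on is only half of questions 67 and 71; the accountability comes from reading the Account Management events on the domain controllers back against what each person was delegated. The following is an added example, not code from the page or from Microsoft: it parses a constructed export of Security log rows (the event IDs are the Windows 2000 Account Management IDs 624, 630, 642, 645 and 647; the LUCERNE domain name, the rows and the delegation table are constructed) and reports actions a delegated administrator performed outside their delegated task.

```python
"""Accountability check over Account Management audit events.

Added example for questions 67 and 71, not from the original page. The event
IDs are the Windows 2000 Account Management IDs; the log rows, the LUCERNE
domain name and the delegation table are constructed sample data.
"""
from collections import defaultdict

ACCOUNT_MANAGEMENT = {
    624: "User Account Created",
    630: "User Account Deleted",
    642: "User Account Changed",
    645: "Computer Account Created",
    647: "Computer Account Deleted",
}

# What each person was delegated (question 71): Carlos creates/deletes computer
# accounts, Julia changes user accounts, Peter joins client computers (which
# creates a computer account).
DELEGATION = {
    "Carlos": {645, 647},
    "Julia": {642},
    "Peter": {645},
}

# Constructed export of Security log rows: date|time|event id|caller|target
SAMPLE_LOG = """\
2000-09-04|09:02:11|645|LUCERNE\\Carlos|WS-0412$
2000-09-04|09:05:37|642|LUCERNE\\Julia|mrivera
2000-09-04|09:20:02|645|LUCERNE\\Peter|LT-0087$
2000-09-04|10:11:45|624|LUCERNE\\Carlos|tempadmin
2000-09-04|10:12:03|647|LUCERNE\\Peter|WS-0201$
2000-09-04|11:00:00|528|LUCERNE\\Julia|-
"""


def parse_log(text: str) -> list:
    """Turn the exported rows into dicts, keeping only Account Management events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, event_id, caller, target = line.split("|")
        event_id = int(event_id)
        if event_id not in ACCOUNT_MANAGEMENT:
            continue  # e.g. 528 is a logon event, not account management
        events.append({
            "when": f"{day} {clock}",
            "id": event_id,
            "what": ACCOUNT_MANAGEMENT[event_id],
            "admin": caller.split("\\")[-1],   # strip the DOMAIN\ prefix
            "target": target,
        })
    return events


def out_of_scope(events: list) -> list:
    """Events a delegated admin performed outside the tasks delegated to them."""
    return [e for e in events
            if e["admin"] in DELEGATION and e["id"] not in DELEGATION[e["admin"]]]


def activity_summary(events: list) -> dict:
    """Per-admin count of each Account Management action, for the accountability report."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["admin"]][e["what"]] += 1
    return {admin: dict(counts) for admin, counts in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in out_of_scope(evs):
        print(f"{e['when']} {e['admin']} did '{e['what']}' on {e['target']} (not delegated)")
```

With the sample rows, Carlos creating a user account and Peter deleting a computer account are flagged, which is exactly the kind of finding the audit policy exists to surface; the per-admin summary is what you would keep for the accountability record.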
72. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 server computer named Central. Users in the domain frequently work on different Windows 2000 Professional desktop and portable computers. They use the Windows 2000 Professional portable computers to dial in to the network when they are traveling. All Windows 2000 Professional computers are in the domain.
You want to accomplish the following goals:
*All users in the domain will be able to work on all Windows 2000 Professional desktop and portable computers and have their own desktop settings available on all computers.
*All users in the domain will be able to access their documents in the My Documents folder from any computer, including the portable computers when users dial in to the network.
*When users dial in to the network, the logon and logoff times will not be delayed because of the transfer of the contents of the My Documents folder.
What should you do? (Choose two)
A. Configure a roaming profile for each user in the domain. Use \\Central\Profiles\%Username% as the profile path.
B. Configure a home folder for each user in the domain. Use \\Central\Home\%Username% as the home folder path.
C. Create a new Group Policy object (GPO) named Offdocs. Assign the Offdocs GPO to the domain. Configure the Offdocs GPO to prevent the use of the Offline Files folder.
D. Create a new Group Policy object (GPO) named Redocs. Assign the Redocs GPO to the domain. Configure the Redocs GPO to redirect the My Documents folder to the \\Central\Docs\%Username% location.
E. Create a new Group Policy object (GPO) named Async. Assign the Async GPO to the domain. Configure the Async GPO to apply Group Policy settings for users asynchronously when they log on.
Answer: A, D
A roaming profile will make all users' desktop settings available on all computers. The GPO to redirect My Documents will enable users to access their documents from any computer.
73. You are the administrator of your company's network. The network consists of one Windows 2000 domain that has organizational units (OUs) as shown below:
OU1 - all domain controllers
OU2 and OU3 - resources for two separate office buildings
OU4 and OU5 - Non-administrative users, groups, and computers
OU6 - Administrative users, computers, and resources
You are designing a domain-wide security policy.
You want to accomplish the following goals:
· The same password and account lockout policies will be applied to all users.
· Different security settings will be applied to administrative and nonadministrative computers.
· Strict audit policies will be enforced for only domain controllers and servers.
· The number of Group Policy object (GPO) links will be minimized.
You take the following actions:
- Create a single GPO
- Create one security template that has all required settings.
- Import the security template into the GPO.
- Link the GPO to the domain.
Which results do these actions produce? (Choose all that apply)
A. The same password and account lockout policies are applied to all users.
B. Different security settings are applied to administrative and non-administrative computers.
C. Strict audit policies are enforced for only domain controllers and servers.
D. The number of GPO links is minimized.
Answer: A, D
The same password and lockout policies are applied to all users, and the number of GPO links is minimized, since a single link cannot be reduced any further. Different settings for administrative computers and strict audit policies for only domain controllers and servers are not achieved, because one GPO linked to the domain applies the same settings to every computer.
74. You are the administrator of a Windows 2000 network. Your network has one domain named parnellaerospace.com. The parnellaerospace.com domain supports 8,000 users at three locations. The network has three sites connected by T1 lines, as shown below:
The West site has 2,500 users
The East site has 3,000 users
The Central site has 2,500 users
Each site contains a global catalog server.
The global catalog server in the West site is named LAX01-GC. The global catalog server in the Central site is named TUL01-GC. The global catalog server in the East site is named NYC01-GC. You want users located in the West site to query TUL01-GC if the West site global catalog server is offline.
What should you do?
A. Create a new subnet, assign it to the West site, and move TUL01-GC to the West site.
B. Configure the site link between the Central site and the West site to have a lower cost than the site link between the West site and the East site.
C. Add a global catalog server to the Central site that has an IP address in the West site subnet.
D. Configure TUL01-GC as a preferred bridgehead server.
E. Set the query policy on LAX01-GC to the default query policy.
Answer: B
A lower cost site link is used first.
75. You are the administrator of a Windows 2000 network named contoso.com. Your network is configured as shown in an exhibit. Your company plans to open a new office in Dallas. Members of your IT staff will be on-site in Dallas next week to install the new 10.1.3.0/24 network. You want to prepare the network in advance so that when the IT staff installs a new domain controller, it will automatically join the appropriate site.
What should you do?
A. Delete the Default-First-Site-Name object in Active Directory Sites and Services.
B. Create a new subnet for the Dallas network. Create a new site and associate the new subnet with the new site.
C. In the Domain Controller OU, create a computer account that has the name of the new domain controller.
D. Use RIS to prestage the new domain controller.
E. Copy the installation source files to the new domain controller. Create an unattended install file with an automated DCPromo.bat file.
Answer: B
You can use the sites portion of Sites and Services snap-in to display subnets. Subnets allow the administrator to associate ranges of IP addresses with sites.
76. You are the administrator of a large Windows 2000 network. You have three domains named:
adatum.com, us.adatum.com, eur.adatum.com
Eric has recently been hired to assist you with network administration. You want him to be able to manage user accounts, back up servers, and configure services on all workstations and servers only in the eur.adatum.com.
What should you do?
A. Add Eric to the Enterprise Admins group and delegate control only at the adatum.com domain.
B. Move Eric's user account to the Domain Controllers organizational unit (OU) in eur.adatum.com.
C. Add Eric's user account to the Domain Admins group in eur.adatum.com
D. Add Eric's user account to the Server Operators and Account Operators group in eur.adatum.com.
Answer: C
This role gives Eric what he needs to configure services on workstations and servers in his domain.
77. You create an organizational unit (OU) structure for the blueskyairlines.com domain. You want to delegate administrative control of user objects on your Windows 2000 network. The User OU is a child of the Research OU. You create a group named Research User Admin that includes users who have permissions to create and manage the workstations in the Workstation OU. The Research User Admin group has Full Control permission on the Research OU. You want user accounts to be created only in the User OU.
Which three actions should you take? (Choose three)
A. Grant Full Control permission to the Research User Admin group on the User OU for computer objects.
B. Remove the Research User Admin group from the Research OU ACL.
C. Grant Create Contact objects permission on the User OU.
D. Disable inheritance of permissions from the Research OU to the User OU.
E. Deny Create User objects permission on the Research OU.
F. Grant Read and Write permissions to the blueskyairlines.com domain.
Answer: A, D, E
With these actions, you can create users under the User OU but you cannot create users under the Research OU (but the Research User Admin group retains all other previous permissions).
78. You are administrator of a Windows 2000 domain. The domain has an OU named Trading. You define a logon script for all the users in the Trading OU. The logon script is located at \\server2\docs\tradescript.vbs. You want to use a GPO to assign the logon to the users in the Trading OU.
What should you do? (Choose three)
A. Create a new GPO named script and assign the script GPO to the Trading OU.
B. Create a new GPO named script and assign the script GPO to the domain. Configure the permissions on the script GPO to grant READ permissions to all users in the Trading OU.
C. Copy the tradescript.vbs file to the appropriate folder in Group Policy Template (GPT) of the script GPO.
D. Copy the tradescript.vbs file to the folder that is shared as the netlogon script folder on the PDC emulator.
E. For each user in the trading OU, set the logon script in the user profile to tradescript.vbs.
F. Add tradescript.vbs as a logon script to the script GPO.
Answer: A, C, F
To deploy a .vbs script, create (or use local group policies) a GPO that specifies the .vbs as a logon script. Logon/logoff scripts are assigned under User Configuration and Computer Configuration of the GPO. Logon/logoff scripts are applied to specific users at logon/logoff.
79. You are administrator of a Windows 2000 domain. The domain has an OU named North. You want to standardize the start menu for the users in the North OU. Some members of the Domain Admins group are in the North OU. Folders and shortcuts that form the standardized start menu are on the network at \\server2\menu. The Everyone group has Change permission on the menu share.
You want to accomplish the following goals:
· Each member of the domain admin group will have a separate start menu that the member can change.
· All users in the North OU, except members of the Domain Admins Group, will use the \\server2\menu start menu.
· Users who use \\server2\menu start menu will not be able to change the contents of the start menu.
· Each user who is not a member in the North OU will have a separate start menu that the user can change.
You take the following actions:
- Create a new GPO named Menu.
- Assign the Menu GPO to the NORTH OU.
- Configure the Menu GPO to redirect the start menu folder for the Domain Users Group to \\server2\menu.
- Change the permissions on the Menu GPO to deny Apply Group policy permission to the Domain Admins.
Which results do these actions produce? (Choose all that apply)
A. Each member of the Domain Admin Group will have a separate start menu that the member can change.
B. All users in the North OU, except members of the Domain Admins Group, will use the \\server2\menu start menu.
C. Users who use \\server2\menu start menu will not be able to change the contents of the start menu.
D. Each user who is not a member of the North OU will have a separate start menu that the user can change.
Answer: A, B, D
The goal that users will NOT be able to change the contents of the start menu is NOT met. Why? Because the Everyone group has Change permission on the menu share.
80. You are administrator of a Windows 2000 network. You are configuring RIS to deploy Windows 2000 Professional on new client computers. New users report that when they attempt to install their computers, they are unable to get an IP address.
What should you do?
A. Authorize the DHCP server in the DHCP console.
B. Configure each computer to boot from a remote installation boot disk.
C. Create a reservation in DHCP for each client.
D. Start the Boot Information Negotiation Layer (BINL) service on the RIS server.
Answer: A
A DHCP server authorized in AD is a requirement of RIS.
81. You want to use RIS to deploy Windows 2000 Professional to your computers. You need to find out the GUIDs of the computers in your network.
What should you do?
A. Use Network Monitor to capture and view the DHCPDiscover packets. Then search for GUID.
B. Use Network Monitor to capture and view the DHCPOffer packets. Then search for GUID.
C. Use Network Monitor to capture and view the DNS query packets. Then search for GUID.
Answer: A
A RIS client with a PXE remote boot ROM has to use a unique identifier (the globally unique identifier or GUID) so that it can be distinguished from other PXE systems on the network. The client's GUID is placed in DHCPDiscover packets during client startup. So, capture these packets and search for the GUID.
82. You are the network administrator of a Windows 2000 domain. The domain has an Organizational Unit (OU) named Sales. All users in the Sales OU use an application named Planning. The Planning application is deployed by using a Group Policy object (GPO) named Planning App on the Sales OU. The Planning App GPO is configured to assign the Planning application to users by using a Microsoft Windows Installer Package for the application. The Planning application will be replaced by another application in the next month.
You want to accomplish the following goals:
· Users who have not yet installed the Planning application will be prevented from installing the application.
· Users who have already installed the Planning application will be able to continue to use it.
· If key application files are missing when the Planning application starts, the missing files will be reinstalled automatically.
· If the vendor of the Planning App releases a software patch by using a Windows Installer package, you will be able to assign the patch to only the users who have already installed the application.
You take the following actions:
- Create a new software category named Optional Apps.
- Configure the Planning App GPO to add the Planning application to the Optional Apps software category.
- Configure the Planning App GPO to remove the Planning application, but select the option to allow users to continue to use the software.
Which results do these actions produce? (Choose all that apply)
A. Users who have not yet installed the Planning application will be prevented from installing the application.
B. Users who have already installed the Planning application will be able to continue to use it.
C. If key application files are missing when the Planning application starts, the missing files will be reinstalled automatically.
D. If the vendor of the Planning App releases a software patch by using a Windows Installer package, you will be able to assign the patch to only the users who have already installed the application.
Answer: A, B
83. You are the network administrator of a Windows 2000 network. The network consists of 500 Windows 2000 Professional computers. You recently discovered that users of these computers have been using the same passwords since their accounts were created. You need to correct this problem to maintain security in the network. You create a Group Policy object (GPO) and filter it to the users. You want to configure the GPO to require users to create a different password periodically.
Which two should you enable?
A. Minimum password length
B. User must log on to change the password
C. Enforcement of password history
D. Minimum password age
E. Maximum password age
Answer: C, E
"Enforce Password History" sets how frequently old passwords can be reused. "Maximum Password Age" determines how long users can keep a password before they have to change it (note that a value of zero specifies that passwords don't expire). The aim is to periodically force users to change their passwords.
84. You are the administrator of a Windows 2000 network that has only one domain. You are configuring the network security settings for the domain's Windows 2000 Professional users. Your Sales team uses portable computers and Routing and Remote Access to connect to the company's network. Sales users need local Administrator rights to their computers so that they can run a third party application. You want to configure the computers to prevent the users from modifying their existing network connections.
What should you do?
A. On each portable computer, create only the permitted LAN and Routing and Remote Access connection. At the server, configure the Sales user accounts to permit connections to only the specified computers.
B. Create a system policy to hide Network Neighborhood and disable registry editing tools. Apply this policy to all the Sales users.
C. Create a Group Policy object (GPO) for the domain. Filter the GPO for the Sales users. Configure the GPO to deny the Sales users access to the properties of the LAN or Routing and Remote Access connection.
D. Create a Group Policy object (GPO) for the domain controllers container. Filter the GPO for the Sales users. Configure the GPO to deny the sales users access to the Network Connection Wizard.
Answer: C
This filtered GPO will deny the Sales users access to the properties of the LAN or their RRAS connection.
85. You are the network administrator of a Windows 2000 network. Users in an Organizational Unit (OU) named PROCS need to have a drive mapped to a network location. These users log on from Windows 2000 Professional computers. You want to use a logon script named USERLOG.CMD to implement this drive mapping for all current and future users in the PROCS OU.
What should you do?
A. Copy USERLOG.CMD to the NETLOGON share on each domain controller in the domain. Select each user in the PROCS OU and set the logon script to USERLOG.CMD.
B. Copy USERLOG.CMD to the SYSVOL share on each domain controller. Assign read permission to the file for all users in the PROCS OU.
C. Create a Group Policy object (GPO) that enforces USERLOG.CMD as a logon script. Assign the GPO to the PROCS OU.
D. Create a Group Policy object (GPO) that enforces USERLOG.CMD as a startup script. Assign the GPO to the PROCS OU.
Answer: C
To deploy a .cmd script, create (or use local group policies) a GPO that specifies the .cmd as a logon script. Logon/logoff scripts are assigned under User Configuration and Computer Configuration of the GPO. Logon/logoff scripts are applied to specific users at logon/logoff.
86. You are the network administrator of a Windows 2000 network. Your company has 3 locations in North America and 3 locations in Europe. Your network includes 6 sites as shown below:
- The root of the forest is blueskyairlines.com.
- England, France and Italy sites are in the eur.blueskyairlines.com domain
- NorthWestUS, CentralUS, and NorthEastUS sites are in the na.blueskyairlines.com domain
The connection between the NorthEastUS site and the England site is unreliable. You want to configure replication between the NorthEastUS site and the England site.
What should you do?
A. Create an SMTP site link between the NorthEastUS site and the England site.
B. Create an IP site link between the NorthEastUS site and the England site.
C. Create an SMTP site link bridge between the NorthEastUS site and the England site.
D. Create an IP site link bridge between the NorthEastUS site and the England site.
Answer: A
A site is a collection of one or more subnets that are defined by the administrator. When you define subnets, they should be "well-connected" with high-bandwidth local area network (LAN) connections. Sites can contain multiple domains, and a domain can span more than one site. If a domain spans more than one site, it must replicate by using the Internet Protocol (IP) inter-site transport. You can use the Simple Mail Transfer Protocol (SMTP) inter-site transport only for global catalog replication and replication of non-domain naming contexts, such as the configuration and schema. You define and administer a site in the "Active Directory Sites and Services Manager" snap-in.
The site link allows the administrator to assign the cost and transport for replication. This procedure defines parameters for replication. The cost is an arbitrary value that is selected by the administrator to reflect the speed and reliability of the physical connection between the sites. When you lower the cost value on the link, the priority is increased. Site links have a replication interval and a schedule that are independent of the cost. The cost is used by the KCC to prefer one site link path over another.
A site-link bridge is a collection of two or more site links that provides a structure to build transitive links between sites and evaluate the least-cost path. For example, you may have three sites, A, B, and C, and you may create the following site links: A---(3)---B---(4)---C. If site B is unavailable (if every domain controller in the site is unavailable), site A cannot replicate to site C because there is no site-A-to-site-C link. To resolve this problem, either create a site link from site A to site C with some cost, or create a site-link bridge that consists of links between site A and site B, and between site B and site C. The bridge infers a transitive link between site A and site C with a cost of 7.
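The cost arithmetic in the A---(3)---B---(4)---C example, and the "lower cost site link is used first" rule from question 74, are the same least-cost-path computation. As an added example (not code from the page or from Microsoft), the following constructed model computes path cost with and without a site-link bridge (without one, only a direct link counts; with one, links are transitive and the cheapest path wins) and applies the same rule to pick which site's global catalog a client falls back to. The A/B/C sites and costs are from the text; the West/Central/East costs are constructed.

```python
"""Least-cost replication path over site links, with and without a bridge.

Added example for questions 74 and 86, not from the original page. The
A/B/C site links come from the text; the West/Central/East costs and the
functions themselves are a constructed model of the KCC's cost preference.
"""
import heapq


def build_graph(site_links: list) -> dict:
    """site_links: [(site1, site2, cost), ...]; a site link is bidirectional."""
    graph = {}
    for a, b, cost in site_links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def path_cost(site_links: list, src: str, dst: str, bridged: bool):
    """Cheapest cost from src to dst, or None when unreachable.

    Without a site-link bridge only a direct link counts. With one, links are
    transitive and the least-cost path is inferred (Dijkstra over the links).
    """
    graph = build_graph(site_links)
    if src not in graph or dst not in graph:
        return None
    if not bridged:
        return graph[src].get(dst)
    best = {src: 0}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            return cost
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry
        for nxt, link_cost in graph[site].items():
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt))
    return None


def fallback_site(site_links: list, home: str, candidates: list, bridged: bool = True):
    """Which site's GC a client turns to when its own site's GC is offline:
    the reachable candidate with the lowest path cost."""
    best = None
    for cand in candidates:
        cost = path_cost(site_links, home, cand, bridged)
        if cost is not None and (best is None or cost < best[0]):
            best = (cost, cand)
    return best[1] if best else None


# The three-site example from the text
ABC = [("A", "B", 3), ("B", "C", 4)]
# Constructed costs for question 74: Central is cheaper than East from West's point of view
PARNELL = [("West", "Central", 50), ("West", "East", 100), ("Central", "East", 100)]

if __name__ == "__main__":
    print(path_cost(ABC, "A", "C", bridged=False))   # None: no A-to-C link
    print(path_cost(ABC, "A", "C", bridged=True))    # 7: inferred through B
    print(fallback_site(PARNELL, "West", ["Central", "East"]))   # Central
```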
87. You are the network administrator for your company. You are deploying Windows 2000 Professional on your network by RIS. Your company has several departments. To expedite the deployment of Windows 2000 and other third party applications, you have created a group named Department Managers. You want to allow members of the Department Managers group access to create custom images and post them to the RIS servers for deployment. In addition, you want to allow members of the group to install client computers from the RIS server.
What should you do?
A. Grant the department managers group Read and Write permissions to the Remoteinstall folder.
B. Grant the department managers group Read and Write permissions to the Oschooser folder.
C. Grant the department managers group Full Control permissions to the RIPrep.exe.
D. Grant the department managers group Full Control permissions to the SysPrep utility.
E. Grant the department managers group Read and Write permissions to the admin folder.
Answer: A
RIPrep images are kept in subfolders under the RemoteInstall folder.
88. Your company is deploying Windows 2000 Professional on a network of 300 computers. The network has two Windows 2000 server computers. You have just enough Windows 2000 Professional licenses. You need to restrict the department so that Windows 2000 Professional can be installed on the right client computers. You will need to minimize the user intervention during the deployment and centralize the installation files.
What should you do?
A. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Allow users to perform unattended installation from the shared folder on the licensed computers.
B. Install RIS on one of the servers. Create user accounts for all licensed users. Configure the server to accept the connection from only known computers. Perform unattended installation for all connecting computers.
C. Create a shared folder on one of the servers. Restrict access to the share so that only 250 users can connect. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Allow users to perform unattended installation from the shared folder on the licensed computers.
D. Install RIS on one of the servers. Create computer accounts to the domain for only the licensed computers. Configure the RIS server to accept connections from only known computers. Allow users to perform unattended installation from the shared folder on the licensed computers.
Answer: D
89. Your company's Windows 2000 domain contains an organizational unit (OU) named Shipping. The domain is in native mode. You want to delegate control of the Group Policy settings for the Shipping OU to a global group named Help Desk. Members of the Help Desk group need to be able to create and edit new GPOs and assign those GPOs to the Shipping OU. You do not want these members to assign GPOs to other OUs.
What should you do? (Choose two)
A. Add the Help Desk group to the Group Policy Creator Owners security group.
B. Create a new security group named Group Policy Administrator in the Shipping OU. Add the Help Desk group to this new group.
C. On the existing GPO, assign Read and Write permission to the Help Desk group.
D. On the Shipping OU, assign the Apply Group Policy permission to the Help Desk group.
E. On the Shipping OU, delegate the predefined task named "Manage Group Policy links" to the Help Desk group.
F. On all the OUs in the domain except the Shipping OU, deny Write permission to the Help Desk group.
Answer: A, E
Creating a GPO and linking it to a container are two separate rights. Only members of Group Policy Creator Owners (and domain administrators) can create new GPOs, and the creator of a GPO receives Full Control of it, so A covers both "create" and "edit new GPOs". Linking a GPO to a container requires Write permission on the gPLink and gPOptions attributes of that container, which is exactly what the predefined task "Manage Group Policy links" grants through the Delegation of Control Wizard (right-click the Shipping OU, click Delegate Control, then pick the task). Delegating it on the Shipping OU alone lets the Help Desk group link GPOs there and nowhere else. Read and Write on the existing GPO (C) only lets them edit that one GPO, not create new ones, and Apply Group Policy (D) controls whom a GPO applies to, not who manages it. Once delegated, the group creates a GPO linked to the OU from the OU's Properties, Group Policy tab, New button.
90. You are the network administrator of a Windows 2000 domain. The domain has an OU named Help Desk. A Group Policy object (GPO) named Disable Regedit is linked to the Help Desk OU. The only policy setting defined in the Disable Regedit GPO is the one that disables use of registry editing tools. For performance reasons, your company wants to minimize the number of GPOs that are processed at logon. The company has also decided that the restriction on registry editing tools must no longer apply to the users in the Help Desk OU.
What should you do?
A. Remove the Disable Regedit GPO from the Help Desk OU.
B. Assign a new GPO in the Help Desk OU that enables the use of registry editing tools.
C. On the computers used by users in the Help Desk OU, edit the registry to allow the use of registry editing tools.
D. On the computers used by users in the Help Desk OU, configure the local GPO to allow the use of registry editing tools.
E. On the computers used by users in the Help Desk OU, delete the Registry.pol file from the %SystemRoot%\System32\GroupPolicy folder.
Answer: A
91. You are the administrator of a domain named contoso.com. The domain contains an OU named Sales that has 20 users. It is stored on a domain controller named DC1. You inadvertently delete the Sales OU. You want to reinstate the Sales OU.
What should you do?
A. Move the tombstoned Sales OU from the LostAndFound container to its original location.
B. Copy the Sales OU from another domain controller in the contoso.com domain to DC1.
C. Perform an authoritative restore of the Sales OU from the last backup.
D. In the Active Directory Sites and Services console, force replication from another domain controller in the contoso.com domain.
Answer: C
An authoritative restore should be used when human error is involved such as when an administrator has accidentally deleted a number of objects. When that accidental change has replicated to all the DCs, existence of those objects is removed from the domain and the administrator is unable to easily recreate these objects.
An authoritative restore does not overwrite objects that were created after the backup was taken: they are not in the restored database, so they simply replicate back in from the other domain controllers. It can be carried out only on objects in the domain and configuration naming contexts; authoritative restore of the schema naming context is not supported. It also requires a separate tool, ntdsutil.exe, run after the normal (non-authoritative) restore of System State: no backup utility, including the native Windows 2000 Backup, can mark restored objects as authoritative by itself.
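The procedure described above, written out for the Sales OU of question 91 as an added example (it is not part of the original page). It assumes DC1 has been booted into Directory Services Restore Mode and System State has already been restored from the last backup with Windows 2000 Backup, that DC2 is the name of a second domain controller used to check the result, and that ntdsutil accepts its commands as quoted command-line arguments (the same commands can be typed one per line at the ntdsutil: prompt, which is how the Windows 2000 documentation shows them).

```bat
@echo off
rem Added example, not from the original page: authoritatively restore the
rem deleted Sales OU of question 91. Assumptions: DC1 is booted into Directory
rem Services Restore Mode (F8 at startup, log on with the restore-mode
rem Administrator password that was set during DCPROMO), System State has
rem already been restored from the last backup with Windows 2000 Backup (a
rem normal, non-authoritative restore), and the machine has NOT been rebooted
rem since. DC2 is an assumed name for a second DC used to verify the result.

rem Each quoted argument is executed as one ntdsutil command in sequence; the
rem same commands can be typed one per line at the "ntdsutil:" prompt.
rem "restore subtree" marks the OU and every object below it authoritative by
rem raising their version numbers (by 100,000 per day since the backup), so when
rem replication resumes they overwrite the tombstones on the other DCs instead
rem of being deleted again. Confirm the dialog that asks whether to proceed.
rem To bring back a single object instead: "restore object CN=...,OU=...,DC=..."
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

rem Reboot into normal mode and let replication run, then verify on a DC that did
rem not receive the restore: export the user objects under the OU with LDIFDE
rem (included with Windows 2000). 20 entries are expected in sales.ldf.
ldifde -s DC2 -d "OU=Sales,DC=contoso,DC=com" -r "(objectClass=user)" -l cn,sAMAccountName -f sales.ldf
```

Marking only the subtree, rather than the whole database ("restore database"), is what keeps every change made elsewhere in the domain since the backup intact.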
92. You are the network administrator of a Windows 2000 domain. Your current domain controller's hard disk drive is failing. You want to set up a new server as a domain controller to replace the failing domain controller. You run DCPromo.exe on the failing domain controller in your domain to remove Active Directory. While you are running DCPromo.exe, the hard disk drive fails. The server will not reboot. However, the objects of the failed server are still appearing in Active Directory. You are using the Ntdsutil utility. You want to remove the old server from Active Directory.
What option should you use?
A. Metadata cleanup
B. Semantic database analysis
C. Security account management
D. Domain management
E. Authoritative restore
Answer: A
Orphaned domain controller objects are removed from Active Directory with the NTDSUTIL command-line utility: connect to a surviving domain controller, select the failed server as the operation target and run "remove selected server" under the "metadata cleanup" menu. Replication then carries the deletion to the other DCs. Metadata cleanup removes the NTDS Settings object of the dead server; its computer account, server object and DNS records still have to be deleted by hand.
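The metadata cleanup sequence for question 92, as an added example that is not part of the original page. The server names (OLDDC for the dead domain controller, DC2 for a surviving one) and the numeric indexes after the "select" commands are assumptions; the indexes come from the output of the preceding "list" commands and must be read off interactively first.

```bat
@echo off
rem Added example, not from the original page: clear the metadata of the failed
rem domain controller of question 92, whose DCPROMO never completed. Assumed
rem names: OLDDC is the dead DC, DC2 is a surviving DC in the same domain.
rem Run from any machine with the admin tools while logged on as a member of
rem Enterprise Admins (Domain Admins is enough in a single-domain forest).

rem Before cleaning up: if OLDDC held any operations master role, seize it on
rem DC2 first (ntdsutil roles, e.g. "seize PDC"); if it was the only global
rem catalog, enable the GC on another DC in Sites and Services. Never bring
rem OLDDC back onto the network afterwards: its copy of the directory is orphaned.

rem The numbers after "select domain/site/server" are the indexes printed by the
rem preceding "list" commands. They are ASSUMED here (0 = first domain, 0 = first
rem site, 1 = OLDDC); run the "list" steps interactively once and read them off,
rem because removing the wrong server object deletes a healthy DC's NTDS Settings.
ntdsutil "metadata cleanup" connections "connect to server DC2" quit ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" "select server 1" quit ^
  "remove selected server" quit quit

rem "remove selected server" deletes the NTDS Settings object and its replication
rem connection objects. On Windows 2000 it does not touch the OLDDC computer
rem account, the server object in Sites and Services, the FRS member object for
rem SYSVOL or the DNS records (A, CNAME under _msdcs, SRV records): delete those
rem by hand in Active Directory Users and Computers, Sites and Services,
rem ADSI Edit and the DNS console, otherwise clients keep being referred to OLDDC.
```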
93. You are the network administrator of a Windows 2000 domain. All of the domain resources are defined in two top levels OUs. The OUs are named West and East. William is the administrator of the West OU. Evert is the administrator of resources in the East OU. You move Printer1 from the West OU to the East OU. After you move the printer, Evert can administer it. However, William reports that he can still remove print jobs from Printer1. You want Evert to be the only one to administer Printer1.
What should you do?
A. Use the delegation of control wizard on the east OU to assign printer1 permission to Evert.
B. Configure the security properties for printer1 to disallow inheritable permissions to propagate.
C. Remove the permissions for William from Printer1.
D. Configure the printer permission on the west OU to apply to only the west OU.
Answer: C
Moving Printer1 between OUs changes who can administer the printer object in Active Directory, but William's ability to remove print jobs comes from the Manage Documents permission he holds on the printer itself, which is not affected by the move. Removing his permissions from Printer1 takes that ability away.
94. You are configuring a Windows 2000 DNS Server on your company network. DNS is installed on an NT 4.0 Server on your NT 4.0 domain. You want to use dynamic updates on a DNS database, but company management won't allow an upgrade or the decommissioning of its DNS server. All DNS information must be synchronized between these two DNS servers.
What should you do? (Choose three)
A. Create a primary zone on a Windows 2000 DNS Server and import the existing zone file.
B. Create a secondary zone on a Windows 2000 DNS Server.
C. Delete and recreate a primary zone on an NT DNS Server.
D. Delete the existing zone and create a new secondary zone on the NT 4.0 DNS Server.
E. Configure a primary zone on the NT DNS Server as the master zone for the secondary zone on the Windows 2000 DNS Server.
F. Configure a secondary zone on the NT 4.0 DNS Server to use the Windows 2000 Standard primary zone as its master zone.
Answer: A, D, F
95. You are backup operator of a Windows 2000 domain. The domain has 2 domain controllers. You want the Active Directory database file of both domain controllers to be automatically backed up once a week.
What should you do?
A. Schedule a backup job that will backup the System State data once a week.
B. Schedule a backup job and select Schema.ini file in the System32 folder and all files in the NTDS folder to be backed up once a week.
C. Schedule a task that will run NTDSUTIL once a week.
D. Schedule a task that will copy the Ntds.dit file and the SYSVOL folder once a week.
Answer: A
When you choose to back up the system state on a domain controller, the items included are:
Active Directory (NTDS)
The boot files
The COM+ class registration database
The registry
The system volume (SYSVOL)
When you back up the system state on a non-domain controller, the items included are:
The Boot file
The COM+ class registration database
The registry
When you back up a member server or domain controller that has Certificate Services installed, one additional item is included:
Certificate Services database
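A scripted version of answer A above, as an added example that is not part of the original page. It assumes D: is a local, non-system volume on each domain controller and that the job is registered with the Schedule (AT) service; the file name and schedule are arbitrary.

```bat
@echo off
rem Added example, not from the original page: weekly System State backup of a
rem Windows 2000 domain controller, as in answer A of question 95. Save this as
rem D:\Backups\SysStateBackup.cmd on EACH domain controller (System State can
rem only be backed up locally, so one job per DC), then register it once with
rem the Schedule service:
rem     at 02:00 /every:Su cmd /c D:\Backups\SysStateBackup.cmd
rem schtasks.exe does not exist on Windows 2000; the Backup wizard's own
rem scheduling also just creates a Task Scheduler job around a command like this.
rem Assumptions: D: is a local, non-system volume; the account running the job is
rem a member of Backup Operators (or Administrators) on the DC.

setlocal
set TARGET=D:\Backups\%COMPUTERNAME%-SystemState.bkf

rem Keep last week's copy before overwriting it. A System State backup older
rem than the tombstone lifetime (60 days on Windows 2000) can no longer be
rem restored to a domain controller, so rotate rather than hoard.
if exist "%TARGET%" copy /y "%TARGET%" "%TARGET%.prev" >nul

rem "backup systemstate" writes exactly the items listed above (AD database and
rem logs, SYSVOL, registry, boot files, COM+ class registration database, plus
rem the Certificate Services database if installed). /J is the job name in the
rem report, /F the destination file, /D the media label, /M normal a full backup
rem (System State cannot be backed up incrementally), /L:s a summary log.
ntbackup backup systemstate /J "Weekly AD System State" /F "%TARGET%" /D "%COMPUTERNAME% system state" /M normal /L:s

rem ntbackup has no command-line restore. A restore (normal, or authoritative
rem with ntdsutil afterwards) is done from the Backup GUI in Directory Services
rem Restore Mode on the DC itself.
endlocal
```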
96. You are the administrator of your company's network. The network consists of one Windows 2000 domain that spans multiple subnets. You are configuring DNS for host name resolution throughout the network.
You want to accomplish the following goals:
· DNS zone transfer traffic will be minimized on the network.
· Administrative overhead for maintaining DNS zone files will be minimized.
· Unauthorized host computers will not have records created in the zone.
· All zone updates will come only from authorized DNS servers.
· All zone transfer information will be secured as it crosses the network.
You take the following actions:
1- Create an Active Directory-integrated zone.
2- In the Zone Properties dialog box, set the Allow Dynamic Updates option to "Only Secure Updates".
3- On the Name Servers tab of the Zone Properties dialog box, enter the names and addresses of all DNS servers on the network.
4- On the Zone Transfers tab of the Zone Properties dialog box, select Allow zone transfers, Only to servers listed on the Name Servers tab.
Which results do these actions produce? (Choose all that apply)
A. DNS zone transfer traffic will be minimized on the network.
B. Administrative overhead for maintaining DNS zone files will be minimized.
C. Unauthorized host computers will not have records created in the zone.
D. All zone updates will come only from authorized DNS servers.
E. All zone transfer information will be secured as it crosses the network.
Answer: A, B, C, D, E
Action 1 ensures "DNS zone transfer traffic will be minimized". An Active Directory-integrated zone is stored in the directory, so every domain controller running DNS holds a writable (primary) copy of the zone and the zone data moves between them as part of normal AD replication, which sends only changed attributes and is compressed between sites, instead of through standard zone transfers.
Action 2 ensures "Administrative overhead for maintaining DNS zone files will be minimized". With dynamic updates enabled, each host registers itself in DNS and updates its own records as needed, so the administrator no longer maintains host records by hand.
Action 2 also ensures "Unauthorized host computers will not have records created in the zone", because "Only Secure Updates" was chosen (available only for an AD-integrated zone). With secure updates, only users, groups or computers that have been granted write permission on the zone or on the individual record can create or change that record; by default the computer that registered a record owns it.
Actions 3 and 4 together ensure "All zone updates will come only from authorized DNS servers". Listing the servers on the Name Servers tab and then selecting "Only to servers listed on the Name Servers tab" on the Zone Transfers tab means the server answers zone transfer requests only from those addresses; the alternative is an explicit IP list on the Zone Transfers tab. Because the zone is AD-integrated, the data also reaches the other DNS servers through AD replication, which is authenticated and encrypted RPC, and that is what satisfies "All zone transfer information will be secured as it crosses the network": a standard zone transfer is sent in the clear. Be careful on this point.
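The same four actions done from the command line with dnscmd.exe from the Windows 2000 Support Tools, as an added example that is not part of the original page. The server name DNS1, the zone contoso.com, the second server dns2 and the address 10.0.0.2 are assumptions.

```bat
@echo off
rem Added example, not from the original page: the four actions of question 96
rem with dnscmd.exe (Windows 2000 Support Tools) instead of the DNS console.
rem Assumptions: DNS1 is a domain controller running DNS, the zone is
rem contoso.com, dns2.contoso.com (10.0.0.2) is the other DNS server.

rem Action 1: store the zone in Active Directory. This only works on a DC.
rem To convert an existing standard primary zone instead:
rem     dnscmd DNS1 /ZoneResetType contoso.com /DsPrimary
dnscmd DNS1 /ZoneAdd contoso.com /DsPrimary

rem Action 2: dynamic updates. 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem 2 is accepted only for a directory-integrated zone, because the ACL on each
rem dnsNode object in AD is what enforces who may change a given record.
dnscmd DNS1 /Config contoso.com /AllowUpdate 2

rem Action 3: the Name Servers tab is the list of NS records at the zone root
rem ("@") plus their glue A records.
dnscmd DNS1 /RecordAdd contoso.com @ NS dns2.contoso.com.
dnscmd DNS1 /RecordAdd contoso.com dns2 A 10.0.0.2

rem Action 4: answer AXFR/IXFR only for the servers named in the NS records, and
rem send them NOTIFY on changes. /SecureList 10.0.0.2 would use an explicit IP
rem list instead. When every DNS server is a DC the data travels by AD
rem replication anyway, and /NoXfr (refuse all transfers) is the tighter choice.
dnscmd DNS1 /ZoneResetSecondaries contoso.com /SecureNs /Notify

rem Review the resulting zone properties (DsIntegrated, AllowUpdate, SecureSecondaries).
dnscmd DNS1 /ZoneInfo contoso.com
```

Note that AllowUpdate 2 protects records against unauthorized hosts, while SecureNs protects the whole zone against unauthorized copies; the two settings address different goals in the question and neither substitutes for the other.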
97. You are the administrator for your company. You are deploying Windows 2000 on your network of 10,500 users. There are 15 departments in your company. Each department needs to use specific features of Windows 2000 and custom third party applications. You want to minimize the administrative time required to set up the client computers. You also want to provide customized software installations to the users.
What should you do?
A. Install and configure a RIS server on your network. Use RIPrep.exe to create a custom image for each department. Connect the client computers to the RIS server and deploy the custom images.
B. Install and configure a RIS server on your network. Create different installation script files for each department. Deploy the computers by using RIS.
C. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Perform unattended installations from the shared folder by using script files, and then install the third-party applications.
D. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Perform attended installations from the shared folder, and then select only the components you need for each department.
Answer: A
98. You are the administrator of a Windows 2000 network. The network's domain structure is shown in an exhibit. The us.litware.com and eur.litware.com domains are in mixed mode. The litware.com and treyresearch.com domains are in native mode. The us.litware.com domain has two Windows NT 4.0 BDCs that support legacy applications. When users from the us.litware.com domain attempt to access a shared folder in the litware.com domain, they receive an error message stating that access is denied. A universal group named Sales is assigned Read permission for the shared folder. When you log on as a member of the Sales group from the litware.com domain, you are able to access the shared folder.
What should you do to correct this problem?
A. Switch the us.litware.com domain to native mode.
B. Add a global catalog server to the us.litware.com domain.
C. Create a global group in the us.litware.com domain. Add the user accounts that need access to the shared folder to the global group. Add the global group to the universal group.
D. Create a universal group in the us.litware.com domain. Add the user accounts that need access to the shared folder to the universal group. Grant Read permission to the universal group for the shared folder in the litware.com domain.
E. Create a global group in the us.litware.com domain. Add the user accounts from the us.litware.com domain to the global group. Grant Read permission to the global group for the shared folder.
Answer: E
99. You are the administrator of a Windows 2000 domain. The domain has an organizational unit (OU) named Help Desk. All users in the Help Desk OU use an application named PhoneID. The PhoneID application is deployed by using a Group Policy object (GPO) named Phone App on the Help Desk OU. The Phone App GPO is configured to publish the PhoneID application to users by using a Microsoft Windows Installer package for the application. Currently, only the users in the Help Desk OU can start the PhoneID application. You want all users in the domain to be able to install the PhoneID application by using a Start menu shortcut.
What should you do?
A. Remove the Phone App GPO link to the Help Desk OU. Assign the Phone App GPO to the domain. Change the configuration of the Phone App GPO to assign the PhoneID application to users.
B. Create a new GPO named Phone For All. Assign the Phone For All GPO to the domain. Configure the Phone For All GPO to assign the PhoneID application to computers.
C. Configure the Phone App GPO to assign the PhoneID application to users. Configure the permissions on the Phone App GPO to assign Apply Group Policy permission to the Authenticated Users group.
D. Configure the Phone App GPO to assign the PhoneID application to computers. Configure the PhoneID Windows Installer package to upgrade the installed PhoneID application. Set the Windows Installer policy to disable rollback.
Answer: A
Software that is assigned to users is advertised: a shortcut appears on the user's Start menu, but the application is not installed until the first time the user starts it. Software that is only published appears in Add/Remove Programs and gets no Start menu shortcut, which is why the GPO must be changed from publish to assign and linked at the domain level.
100. You are the administrator of a network that consists of 500 computers. Your network is configured as shown in a graph. You are deploying Windows 2000 Professional on the computers in the Tech and Sales organizational units (OUs). There is one Windows 2000 Server computer that is running RIS. You create a group named RIS Installers that consists of users from the Tech OU. Only members of the RIS Installers group will use RIS to deploy Windows 2000.
You want to accomplish the following goals:
*Members of the RIS Installers group will be able to choose client computer names during client computer installation.
*New computer accounts will be organized into their corresponding OUs.
*The company naming convention will be applied to all new computer accounts.
*Computers that are not in either the Tech OU or the Sales OU will not be able to download images during RIS deployment.
You take the following actions:
- Create an OU, then specify the client account location in the RIS properties sheet.
- Enter a custom Client computer naming format in the RIS properties sheet.
- Place the Mktg computers in a different IP subnet from the Tech and Sales users.
Which results do these actions produce? (Choose all that apply)
A. Members of the RIS Installers group can choose client computer names during client computer installation.
B. New computer accounts are organized into their corresponding OUs.
C. The company naming convention is applied to all new computer accounts.
D. Computers that are not in either the Tech OU or the Sales OU cannot download images during RIS deployment.
Answer: A, C
101. You are the network administrator for Blue Sky Airlines. You are implementing a Windows 2000 network consisting of five sites in the blueskyairlines.com domain, which are shown below:
15,000 users in Chicago
5,000 users in Los Angeles
2,000 users in Miami
10,000 users in New York
2,000 users in Seattle
You are designing the structure of the DNS servers. You want to allow secure dynamic updates to DNS in Chicago, Los Angeles, and New York. You want full DNS replication to occur in all the sites. You do not want the Miami site to have an editable copy of the DNS zone.
What should you do?
A. Drag "AD integrated" to Chicago, L.A. and New York since "Only Secure Updates" is a requirement.
B. Drag "Cache Only" to Miami since you don't want to have an editable copy of the DNS zone.
C. Drag "Secondary" to Seattle.
Answer: A, B, C
102. You are the administrator of a Windows 2000 network. You create global groups and Domain Local groups for the accounts payable and accounts receivable departments. The Domain Local group named AP has Change permission for the Accounts Payable folder. The Accounts Payable folder is a subfolder of the Accounting folder. The Accounts Payable global group is a member of the AP Domain Local group. Fred's user account is a member of the Accounts Payable global group. Fred moves from the accounts payable department to the accounts receivable department. Fred now needs to access only accounts receivable information. You remove Fred's user account from the Accounts Payable global group, but Fred is still able to access documents in the Accounts Payable folder.
What are two possible causes of this problem? (Choose two)
A. Fred's user account has explicit permissions on the Accounting folder.
B. Fred's user account belongs to another group that gives him permissions on the Accounts Payable folder.
C. The Accounting folder is not published in Active Directory.
D. The Accounts Payable folder is on a FAT32 partition.
E. The AP Domain Local group is not a member of the Accounts Payable global group.
Answer: A, B
103. You are the administrator of a Windows 2000 domain. The domain has an organizational unit (OU) named Support. Users in the Support OU frequently use their portable computers when they are not connected to the network. The portable computers are Windows 2000 Professional computers in the Support OU. The domain also has a Windows 2000 Server computer named Data3. The \\Data3\SupFiles share contains files that are needed by the users in the Support OU.
You want to accomplish the following goals:
*Users in the Support OU will be able to access files at \\Data3\SupFiles if they use their portable computers while they are not connected to the network.
*The total disk space used on the portable computers to automatically store files from the \\Data3\SupFiles share and other server locations will not exceed 5 percent of the hard disk space.
What should you do? (Choose all that apply)
A. Configure the SupFiles share on the Data3 server to cache documents automatically.
B. Create a new Group Policy object (GPO) named Exfolder. Assign the Exfolder GPO to the Support OU. Configure the Exfolder GPO to exclude the \\Data3\SupFiles folder from roaming profiles.
C. Create a new Group Policy object (GPO) named Maxdisk. Assign the Maxdisk GPO to the Support OU. Configure the Maxdisk GPO to limit the automatically cached offline files to 5 percent of the hard disk space.
D. Create a new Group Policy object (GPO) named Maxsize. Assign the Maxsize GPO to the Support OU. Configure the Maxsize GPO to limit the size of each user profile to 5 percent of the hard disk space.
Answer: A, C
104. How do you change the registry key for all users?
A. Use an Administrative Template
B. Use a change to the Sysvol partition
C. Use a Security Template
D. Use a change to the Netlogon
Answer: A
105. Which of the following partitions get replicated as part of AD replication? (Choose three)
A. The DNS partition
B. The domain partition
C. The schema partition
D. The Sysvol partition
E. The configuration partition
Answer: B, C, E
106. Which of the following is true of AD replication? (Choose two)
A. Replication messages between sites are uncompressed and replication messages within a site are compressed.
B. Replication messages between sites are compressed and replication messages within a site are uncompressed.
C. Replication between sites always uses RPC over IP. Replication within a site can use either RPC over IP or SMTP over IP.
D. Replication within a site always uses RPC over IP. Replication between sites can use either RPC over IP or SMTP over IP.
Answer: B, D
107. An AD tree and an AD forest share many things. Which of the following do they NOT share?
A. The same namespace
B. The same schema
C. The same global catalog
D. Two-way transitive trust relationships
Answer: A
108. Your network is divided into three sites: New York, Texas and Washington. You have created two site links:
1. Site link NT connects the New York site and the Texas site over IP with cost = 4.
2. Site link WT connects the Washington site and the Texas site over IP with cost = 3.
There is no site link between the New York site and the Washington site.
What will be the cost of the NT-WT site link bridge, which connects site link NT and site link WT?
A. Seven
B. Four
C. Three
D. One
E. Thirty-five
Answer: A
The cost of a site link bridge is the sum of the costs of the site links it spans, here 4 + 3 = 7. The KCC uses that total when it compares alternative replication paths between New York and Washington.
109. What does a Global Catalog server store?
A. A Global Catalog server is a domain controller that stores a writeable copy of the domain directory, the schema directory and the configuration directory partitions.
B. A Global Catalog server is a domain controller that stores a partial read-only copy of all the other domain directory partitions in the forest.
C. A Global Catalog server is a domain controller that stores a writeable copy of all the other domain directory partitions in the forest.
D. A Global Catalog server is a domain controller that stores a partial read-only copy of the domain directory, the schema directory and the configuration directory partitions.
Answer: A, B
110. Rick works as a Network Administrator for a Windows 2000 Active Directory based network.
His company's network consists of two sites, New York and Seattle. The sites are connected with a high-speed T1 line and have a dial-up connection as a fallback.
Rick is configuring Active Directory replication between the sites. He creates a site link for the T1 line and one for the dial-up connection. He wants Active Directory to always choose the T1 site link first to replicate the data. He wants the dial-up connection to be chosen only if the T1 line is not available.
How will Rick configure the site links to meet this requirement?
A. He will configure a lower cost for the T1 line and a higher cost for the dial-up network.
B. He will configure a higher cost for the T1 line and a lower cost for the dial-up network.
C. He will set the replication frequency of the T1 line higher than that of the dial-up network.
D. He will set the replication frequency of the T1 line lower than that of the dial-up network.
Answer: A
111. You work as a Network Administrator of a Windows 2000 Active Directory based network.
Your company's network consists of two sites, Miami and Los Angeles. These sites are connected with a high-speed T1 line. The Miami site is highly protected and a firewall has been configured for security reasons.
You create a site link to replicate the Active Directory data between the two sites. You find that the replication is not working properly.
You know that the firewall is preventing data from being replicated between the two sites. What will you do to troubleshoot the problem?
A. Increase the cost of the site link.
B. Make the proxy server of the Miami site a preferred bridgehead server.
C. Schedule the site link to replicate the Active Directory data twenty-four hours a day.
D. Remove the firewall, as replication is not possible if a firewall is configured in a site.
Answer: B
112. You work as a Network Administrator for Subway Inc., which has multiple domain controllers in its network, originally based on Windows NT 4.0. A few months ago, all the systems were upgraded to Windows 2000. No backup has been taken since the upgrade. Recently, one of the domain controllers crashed. How will you restore the Active Directory data of the crashed system?
Required result: Repair the Windows 2000 installation.
Optional result 1: Restore Active Directory to its current state.
Suggested solution: First, use the Sites and Services snap-in on an existing domain controller to delete any references to the old domain controller. Then restore the domain controller by reinstalling Windows 2000 Server on the damaged system and promoting it to a domain controller, so that it receives the current directory through replication.
Which results does the suggested solution produce?
A. The suggested solution produces the required result and the optional result.
B. The suggested solution produces only the optional result.
C. The suggested solution produces only the required result.
D. The suggested solution does not produce the required result.
Answer: A
113. Rick works as a Network Administrator of a Windows 2000 Active Directory based network.
One day he discovers that the volume that contains the Active Directory database file on ADServer is running out of disk space.
What should Rick do to move the NTDS.DIT database file to an empty volume on a different disk on ADServer? (Choose two)
A. Restart ADServer in Directory Services Restore Mode.
B. Demote the server from a domain controller to a member server.
C. Use the NTDSUTIL utility to move the database file to the empty volume.
D. Use the MOVEDATABASE utility to move the database file to the empty volume.
Answer: A,C
114. You work as the Network Administrator of a Windows 2000 Active Directory based network. You are puzzled that although you have deleted many objects from Active Directory, the size of the NTDS.DIT file remains the same.
What is the most likely cause?
A. Deleting objects from Active Directory makes no change to the database file, because Active Directory keeps deleted objects in a separate database.
B. Active Directory keeps the database compressed, so deleting objects makes no change to the size of the database file.
C. The database is fragmented and requires defragmentation to reduce the size of the database file.
D. The database is corrupted.
Answer: C
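The two ntdsutil "files" operations behind questions 113 and 114 (moving the database and compacting it offline), as one added example that is not part of the original page. It assumes the new volume is D:, the scratch directory for the compacted copy is D:\Compact, and the domain controller has been booted into Directory Services Restore Mode; with the NTDS service running, ntdsutil cannot open the database.

```bat
@echo off
rem Added example, not from the original page; serves questions 113 and 114.
rem Assumptions: D: is the new (empty) volume, D:\Compact is scratch space,
rem the current database lives in %SystemRoot%\NTDS. EVERYTHING below must run
rem with the DC booted into Directory Services Restore Mode (F8 at startup):
rem ntdsutil "files" refuses to open ntds.dit while the directory service is
rem running. Take a System State backup first.

rem 1. Move the database (question 113). ntdsutil copies the file, rewrites the
rem    "DSA Database file" value under
rem    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, and deletes the
rem    old copy. "move logs to" does the same for the edb*.log transaction logs;
rem    putting logs on a different spindle than the database also helps performance.
ntdsutil files "move DB to D:\NTDS" "move logs to D:\NTDSLogs" quit quit

rem 2. Offline defragmentation (question 114). The automatic online defrag that
rem    runs with garbage collection (every 12 hours by default) reorganizes pages
rem    but never returns space to the file system, and deleted objects are kept
rem    as tombstones for 60 days anyway. Only an offline compaction writes a new,
rem    smaller ntds.dit. Free space for a complete copy is required in D:\Compact.
if not exist D:\Compact mkdir D:\Compact
ntdsutil files "compact to D:\Compact" quit quit

rem 3. Swap in the compacted file exactly as ntdsutil's own message instructs:
rem    copy it over the original and delete the old log files. Keep the original
rem    until the integrity check passes, then remove ntds.dit.old.
copy D:\NTDS\ntds.dit D:\NTDS\ntds.dit.old
copy /y D:\Compact\ntds.dit D:\NTDS\ntds.dit
del D:\NTDSLogs\*.log
ntdsutil files integrity quit quit

rem "ntdsutil files info" shows the final paths and sizes. Reboot into normal mode.
```

Answers B and D of question 113 are distractors: demoting the server destroys its copy of the directory, and there is no MOVEDATABASE utility; everything is done through the "files" menu of ntdsutil.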
115. All your domain controllers are configured as DHCP clients. Each time a domain controller is booted, it gets a new IP address from the DHCP server. Active Directory is installed on the domain controllers. You want to configure the DNS zone so that the DNS data is updated dynamically whenever the IP address of a domain controller changes, but only in a way that is available when the zone type is Active Directory integrated. How will you configure dynamic updates?
A. Update none; an Active Directory integrated zone is always updated.
B. Allow Updates
C. Allow Only Secure Updates
D. Allow Only Active Directory Updates
Answer: C
116. You want to install Active Directory on your Windows 2000 server. You have already installed DNS and want to test it from the DNS console. Which option is available?
A. Run a loopback test.
B. Use the Test Now button in the client computer's TCP/IP properties.
C. Run the PING utility from the DNS console.
D. Use the Test Now button on the Monitoring tab of the Properties dialog box for the server.
Answer: D
117. You work as a Network Administrator of a Windows 2000 Active Directory based network. Your network is a single-domain, multiple-site network. The sites are connected with high-speed T1 lines. A DNS server is used for host name resolution.
Changes are frequent and you want the name servers to return the current domain namespace across the network.
What should you do to ensure that the data about the domain namespace is more current across the network?
A. Specify longer TTL values for each DNS name server in the domain.
B. Remove all caching-only servers in the domain.
C. Specify shorter TTL values for each DNS name server in the domain.
D. Install a preferred bridgehead server in each site.
Answer: C