ExamWise For Installing, Configuring, and Administering Microsoft Windows 2000 Directory Services Infrastructure Examination 70-217
Online practice exam provided by BeachFront Quizzer, Inc., Friendswood, Texas www.bfqonline.com
Author Patrick Simpson MCSE, MCT, MCNI, MCNE
Published by TotalRecall Publications, Inc. 1103 Middlecreek Friendswood, TX 77546 281-992-3131
NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com
TotalRecall Publications, Inc. This Book is sponsored by BeachFront Quizzer, Inc. Copyright 2003 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher. The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties. Printed in United States of America Printed and bound by Data Duplicators of Houston Texas Printed and bound by Lightning Source, Inc. in the USA and UK ISBN: 1-59095-618-4 UPC: 6-43977-03217-1 The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.
This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended.
Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.
This book is dedicated to my wife Joy,
and my children Lucas, Bethany and
Alexander, for their patience and support.
Thanks also to Bruce for the
encouragement and support. Lastly, but
mostly, thanks be to God, from whom all
gifts proceed
Patrick Simpson
ExamWise™ For Installing, Configuring, and Administering Microsoft® Windows® 2000 Directory Services Infrastructure Examination 70-217
BY Patrick Simpson MCSE, MCT, MCNI, MCNE

About the Author
Patrick Simpson has been a networking professional for more than a decade. Already an MCSE under Windows NT 4.0, he was an early adopter of Windows 2000, having earned his Windows 2000 MCSE in May 2001. He is also certified as a Microsoft Certified Trainer and teaches other networking professionals around the country. Along with his Microsoft experience, Patrick is a Master CNE and a Master CNI, with expertise in NetWare 3.x to NetWare 6, GroupWise, ZenWorks, BorderManager, etc. Along with teaching and consulting, Patrick has authored numerous certification study aids, and another BFQ Press Book, Designing Security for a Windows 2000 Network. Patrick lives in Green Bay, WI along with his wife, Joy and three children, Lucas, Bethany and Alexander. He enjoys playing guitar, camping and boating with the family and follows the Green Bay Packers with enthusiasm.

About the Contributing Author
Travis Kelly has worked in computer repair and helpdesk for over 7 years and is currently CIW Certifiable. His computer background is quite varied and he has an intense interest in the current and future state of technology. Travis is working towards his bachelor’s degree in Houston, TX.
About The Book
Part of TotalRecall, The Question Book Series, this new Self Help and Interactive Exam Study Aid with 30-day voucher for online testing is now available for candidates preparing to sit the Microsoft 70-217 Windows 2000 Directory Services Infrastructure certification exam. The book covers the information associated with each of the exam topics in detail and includes information found in no other book. Using the book will help readers determine if they are ready for the Microsoft 70-217 Windows 2000 Directory Services Infrastructure certification exam. This book explains the concepts in a clear and easy-to-understand manner to help you not only pass the exam, but also apply the knowledge later in a real-world situation. Helpful tips and time management techniques will alleviate pre-exam jitters and put you in control.

About Online Testing
www.bfqonline.com practice tests include SelfStudy sessions with instant feedback, simulative and adaptive testing with detailed explanations. Register at www.TotalRecallPress.com or send an email. Located in the back of the book is a 30-day voucher for online testing. NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com
Table of Contents
About the Author
About the Contributing Author
About The Book
About Online Testing
About 70-217 Certification
About 70-217 Certification
Exam 70-217: Installing, Configuring, and Administering Microsoft® Windows 2000 Directory Services Infrastructure
http://www.microsoft.com/traincert/exams/70-217.asp
Information you will find in their document will include the following.
Credit Toward Certification
When you pass the Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certifications:
• Core credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification

Audience Profile
Candidates for this exam operate in medium to very large computing environments that use the Windows 2000 network operating system. They have a minimum of one year's experience implementing and administering network operating systems in environments that have the following characteristics:
• Supported users range from 200-26,000+
• Physical locations range from 5-150+
• Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting.
• Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet.
Skills Being Measured
This certification exam measures your ability to install, configure, and troubleshoot the Windows 2000 Active Directory™ components, DNS for Active Directory, and Active Directory security solutions. In addition, this test measures the skills required to manage, monitor, and optimize the desktop environment by using Group Policy. Before taking the exam, you should be proficient in the job skills listed below.

A. Installing and Configuring Active Directory
1. Install forests, trees, and domains.
• Automate domain controller installation.
2. Create sites, subnets, site links, and connection objects.
3. Configure server objects. Considerations include site membership and global catalog designation.
4. Transfer operations master roles.
5. Verify and troubleshoot Active Directory installation.
6. Implement an organizational unit (OU) structure.

B. Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory
1. Install and configure DNS for Active Directory.
• Integrate Active Directory DNS zones with existing DNS infrastructure.
• Configure zones for dynamic updates and secure dynamic updates.
• Create and configure DNS records.
2. Manage, monitor, and troubleshoot DNS.

C. Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management
1. Implement and troubleshoot Group Policy.
• Create and modify a Group Policy object (GPO).
• Link to an existing GPO.
• Delegate administrative control of Group Policy.
• Configure Group Policy options.
• Filter Group Policy settings by using security groups.
• Modify Group Policy prioritization.
2. Manage and troubleshoot user environments by using Group Policy.
3. Install, configure, manage, and troubleshoot software by using Group Policy.
4. Manage network configuration by using Group Policy.
5. Configure Active Directory to support Remote Installation Services (RIS).
• Configure RIS options to support remote installations.
• Configure RIS security.

D. Managing, Monitoring, and Optimizing the Components of Active Directory
1. Manage Active Directory objects.
• Move Active Directory objects.
• Publish resources in Active Directory.
• Locate objects in Active Directory.
• Create and manage objects manually or by using scripting.
• Control access to Active Directory objects.
• Delegate administrative control of objects in Active Directory.
2. Monitor, optimize, and troubleshoot Active Directory performance and replication.
3. Back up and restore Active Directory.
• Perform an authoritative and a nonauthoritative restore of Active Directory.
• Recover from a system failure.
• Seize operations master roles.

E. Configuring, Managing, Monitoring, and Troubleshooting Security in a Directory Services Infrastructure
1. Apply security policies by using Group Policy.
2. Create, analyze, and modify security configurations by using the Security Configuration and Analysis snap-in and the Security Templates snap-in.
3. Implement an audit policy.
4. Monitor and analyze security events.
F. Networking Terminology
There are a lot of different terms and acronyms that you will be learning in this book. It must be assumed that you have a certain amount of networking experience, or you may find it necessary to supplement this material with some other books on the subject of networks in general. Before we go very far, we will need to define some of the common network terms that we will be using often throughout our text.
• Access control entry (ACE) – A single permissions designation that identifies, through the use of a SID, a user's or group's rights to a given resource.
• Access control list (ACL) – A grouping of different ACEs that is associated with an object. The ACL tells the operating system what permissions are associated with the object.
• Active Directory – The directory service architecture that’s included with the Windows 2000 Server operating system. It provides the basis for Microsoft’s new distributed network architecture. It allows users to locate objects more easily while allowing for better network scalability.
• Attribute – The basic properties of an object.
• Container – A specific type of object that is used to hold other Active Directory objects. Probably the most common container object in Active Directory is the Organizational Unit (OU).
• Distinguished name (DN) – A naming convention that consists of the entire path required to get to an object. Every object in Active Directory has a unique DN.
• Domain – The primary method of grouping objects in Active Directory. There is always at least one domain in Active Directory. Domains represent a single security boundary in Windows NT and 2000. In Active Directory, multiple domains that share a common namespace are referred to as a tree.
• Domain controller – A Windows 2000 Server that maintains a copy of the Active Directory database. In Windows 2000 all domain controllers are multimaster enabled. Simply put, this means that all domain controllers contain a copy of the Active Directory database that is editable.
• Domain Name System (DNS) – A hierarchical database used to translate computer names to IP addresses. It is the primary method of name resolution used on the Internet as well as in Active Directory.
• Forest – A grouping of one or more Active Directory trees. All domains in a forest share a common schema and global catalog. Trees within a forest trust each other through two-way transitive trusts.
• Global Catalog – Contains a partial copy of the Active Directory database. The items found in the Global Catalog are the ones that are most often accessed.
• Group – An object that can contain users, computers or other groups. They are used by Active Directory as an easy method to assign permissions to different groupings of objects. In Windows 2000 there are three different types of groups: domain local, global and universal.
• Group Policy – A method of applying different configuration settings to Active Directory containers and the objects within them. Collections of policies are referred to as Group Policy objects (GPOs).
• Kerberos – The primary method of authenticating users in Windows 2000.
• Knowledge Consistency Checker (KCC) – The service that runs on all Active Directory domain controllers that is responsible for intrasite replication objects.
• Mixed mode – The default mode that domains are created in. This mode allows for down-level compatibility with Windows NT domain controllers.
• Native mode – The mode in which all domain controllers in a given domain are running the Windows 2000 Server operating system. This mode allows for additional features that are not available in mixed mode.
• Object – A single unit in Active Directory that is defined by a set of attributes. An object might be a user, computer or printer.
• Organizational Unit (OU) – An Active Directory container object that can be used to better categorize objects as well as delegate authority to them.
• Policy – A given set of rules that are applied to a particular object.
• Relative distinguished name (RDN) – The part of the Distinguished Name (DN) that refers to the name of the object itself.
• Replication – The process of synchronizing a distributed database. Active Directory uses a method called multi-master replication.
• Schema – The component of Active Directory that defines all of the objects and attributes within the Active Directory database.
• Site – One or more well-connected subnets that contain Active Directory servers.
• Tree – A collection of one or more domains that have two-way transitive trusts and are part of a contiguous namespace. Multiple trees that trust each other are called a forest.
• Trust – Relationships that are established between domains, trees or forests. In Windows 2000 these trusts are transitive by default. This means that they are two-way and that they allow trust to be inherited by others who are trusted. This means that if A trusts B and B trusts C then A will trust C.
• Well-connected – By Microsoft’s reasoning, a network path that is 10MB/sec or faster
Chapter 1:
Introduction
The purpose of this first chapter is to help familiarize you with the basic concepts of Active Directory. How quickly you are able to master these concepts will depend on your background in the computer industry. Those who have an extensive Novell background will find many of the features of Windows 2000 Active Directory familiar, as will those of you who have worked with Microsoft Exchange Server. A good fundamental understanding of Windows NT will also be helpful as you strive to learn these topics. Regardless of your background, please make sure to spend as much time in Chapter One as necessary for you to feel comfortable with these ideas. They form the foundation upon which the understanding of all Active Directory concepts is built. While all of the concepts in Chapter One are covered in much more depth throughout the rest of the book, it’s still important to spend the appropriate time in this section. You might have heard the parable about the man who built his house on sand. Likewise, if you simply skim through the first chapter you could be building a foundation for yourself that isn’t solid at all. Now that the ominous warning is out of the way, let’s move on. Without further ado, let’s begin our journey together into the realm of Active Directory.
Chapter 1: Active Directory
The objective of this chapter is to provide the reader with an understanding of the following:
1. Install forests, trees, and domains.
2. Automate domain controller installation.
3. Create sites, subnets, site links, and connection objects.
4. Configure server objects. Considerations include site membership and global catalog designation.
5. Transfer operations master roles.
6. Verify and troubleshoot Active Directory installation.
7. Implement an organizational unit (OU) structure.
1. What are two special designations given to domain controllers in Active Directory? (Choose 2)
A. PDC
B. Global Catalog Server
C. Master Catalog Server
D. Operations Master

2. What are two important functions that a Global Catalog Server performs for users in Active Directory? (Choose 2)
A. A Global Catalog Server enables a user to search the entire forest to find directory information.
B. A Global Catalog Server maintains a list of the user's resources.
C. A Global Catalog Server enables the logon process by providing universal group membership information to the domain controller.
D. A Global Catalog Server allows users to find services anywhere in the world.
1. What are two special designations given to domain controllers in Active Directory? (Choose 2)
A. PDC
*B. Global Catalog Server
C. Master Catalog Server
*D. Operations Master
Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: Global Catalog Server and Operations Master.

2. What are two important functions that a Global Catalog Server performs for users in Active Directory? (Choose 2)
*A. A Global Catalog Server enables a user to search the entire forest to find directory information.
B. A Global Catalog Server maintains a list of the user's resources.
*C. A Global Catalog Server enables the logon process by providing universal group membership information to the domain controller.
D. A Global Catalog Server allows users to find services anywhere in the world.
Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.
3. What are three of the five Operations Master roles for domain controllers in Active Directory? (Choose 3)
A. PDC
B. Domain Naming Master
C. Schema Master
D. DNS Master
E. Relative Identifier (RID) Master
3. What are three of the five Operations Master roles for domain controllers in Active Directory? (Choose 3)
A. PDC
*B. Domain Naming Master
*C. Schema Master
D. DNS Master
*E. Relative Identifier (RID) Master
Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.
4. What type of domain controller in Windows 2000 provides for support of a mixed mode network containing both Windows 2000 and Windows NT servers?
A. Schema Master
B. Infrastructure Master
C. PDC Emulator
D. RID Master
4. What type of domain controller in Windows 2000 provides for support of a mixed mode network containing both Windows 2000 and Windows NT servers?
A. Schema Master
B. Infrastructure Master
*C. PDC Emulator
D. RID Master
Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master. There can only be one Schema Master in a forest, and it controls all updates to the Active Directory database schema. There can only be one Domain Naming Master and it controls the addition or removal of domains in the forest. There can be one RID Master in each domain and it is responsible for allocating sequences of RIDs to each of the domain controllers in its domain. PDC Emulators are necessary in networks with Windows NT servers or computers not yet running Windows 2000 client software. Each domain also needs an Infrastructure Master to coordinate changes to user accounts and group memberships.
5. How is Active Directory installed in Windows 2000?
A. Active Directory is installed using the Administrative Tool named Active Directory Manager.
B. Active Directory is installed using the Active Directory Installation Wizard.
C. Active Directory must be installed during the installation of Windows 2000.
D. Active Directory is installed automatically when Windows 2000 is installed.

6. What are three requirements for the installation of Active Directory? (Choose 3)
A. The server needs at least 1 Gb of hard drive space available.
B. The network must be running TCP/IP and using DNS.
C. All workstations must be running Windows 2000 Professional.
D. Your network must have a DNS server that supports SRV records and Dynamic DNS (DDNS) updates.
E. All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server.
5. How is Active Directory installed in Windows 2000?
A. Active Directory is installed using the Administrative Tool named Active Directory Manager.
*B. Active Directory is installed using the Active Directory Installation Wizard.
C. Active Directory must be installed during the installation of Windows 2000.
D. Active Directory is installed automatically when Windows 2000 is installed.
Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain.

6. What are three requirements for the installation of Active Directory? (Choose 3)
*A. The server needs at least 1 Gb of hard drive space available.
*B. The network must be running TCP/IP and using DNS.
C. All workstations must be running Windows 2000 Professional.
*D. Your network must have a DNS server that supports SRV records and Dynamic DNS (DDNS) updates.
E. All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server.
Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. Before you install Active Directory, you must have a server running Windows 2000 Server, Advanced Server or Datacenter Server, an NTFS volume with 1Gb of space, TCP/IP installed with DNS and a DNS server that supports SRV records and the Dynamic DNS (DDNS) update protocol. The answer "All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server." would not be correct because not all servers need be Windows 2000.
7. What happens when you install Active Directory for the first time in your network?
A. You create the first domain controller and three Active Directory consoles are added to the Administrative Tools menu.
B. You create the PDC and three Active Directory consoles are added to the Administrative Tools menu.
C. You create the first domain controller and three Active Directory consoles are added to the MMC menu.
D. You create the PDC and three Active Directory consoles are added to the MMC menu.

8. What are the two options presented to you by the Active Directory Installation Wizard when it is first launched? (Choose 2)
A. Create a new domain tree
B. Add a domain controller in an existing domain
C. Join existing forest
D. Create a domain controller for new domain
E. Create a new forest
7. What happens when you install Active Directory for the first time in your network?
*A. You create the first domain controller and three Active Directory consoles are added to the Administrative Tools menu.
B. You create the PDC and three Active Directory consoles are added to the Administrative Tools menu.
C. You create the first domain controller and three Active Directory consoles are added to the MMC menu.
D. You create the PDC and three Active Directory consoles are added to the MMC menu.
Explanation: As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. If you are installing Active Directory for the first time on your network, then you will create the first domain controller in the forest and establish the root domain. At the same time, three new consoles are added to your Windows 2000 Server to aid in Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.

8. What are the two options presented to you by the Active Directory Installation Wizard when it is first launched? (Choose 2)
A. Create a new domain tree
*B. Add a domain controller in an existing domain
C. Join existing forest
*D. Create a domain controller for new domain
E. Create a new forest
Explanation: As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. If you are installing Active Directory for the first time on your network you will create the first domain controller in the forest and establish the root domain. At the same time, three new consoles are added to your Windows 2000 Server to aid in Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.
9. What must you configure when creating a new Active Directory domain so that pre-Windows 2000 workstations can find the domain?
A. DNS
B. New Domain Name
C. Domain NetBIOS Name
D. Domain WINS Name

10. What are the three consoles automatically added to Administrative Tools on the domain controller during the installation of Active Directory? (Choose 3)
A. Active Directory Users and Groups
B. Active Directory Users and Computers
C. Active Directory Domains and Trusts
D. Active Directory Sites and Services
E. Active Directory Computers and Servers
9. What must you configure when creating a new Active Directory domain so that pre-Windows 2000 workstations can find the domain?
A. DNS
B. New Domain Name
*C. Domain NetBIOS Name
D. Domain WINS Name
Explanation: As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. If you are installing Active Directory for the first time on your network you will create the first domain controller in the forest and establish the root domain. To make this domain visible to pre-Windows 2000 clients and servers, you need to specify a Domain NetBIOS Name. At the same time, three new consoles are added to your Windows 2000 Server to aid in Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.

10. What are the three consoles automatically added to Administrative Tools on the domain controller during the installation of Active Directory? (Choose 3)
A. Active Directory Users and Groups
*B. Active Directory Users and Computers
*C. Active Directory Domains and Trusts
*D. Active Directory Sites and Services
E. Active Directory Computers and Servers
Explanation: As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. If you are installing Active Directory for the first time on your network you will create the first domain controller in the forest and establish the root domain. To make this domain visible to pre-Windows 2000 clients and servers, you need to specify a Domain NetBIOS Name. At the same time, three new consoles are added to your Windows 2000 Server to aid in Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.
11. In relation to BFQ.COM, what is SALES.BFQ.COM called?
A. A sub-domain
B. A secondary zone
C. A child domain
D. A parent domain

12. What object is used to centralize control of traffic generated by Active Directory in networks with multiple subnets connected with links of varying capacity?
A. Replication Manager Object
B. Connection Objects
C. Site Object
D. Site Link Bridge Object
Chapter 1: 11. In relation to BFQ.COM, what is SALES.BFQ.COM called? A. A sub-domain B. A secondary zone *C. A child domain D. A parent domain Explanation: As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. If you are installing Active Directory for the first time on your network you will create the first domain controller in the forest and establish the root domain. To make this domain visible to pre-Windows 2000 clients and servers, you need to specify a Domain NetBIOS Name. As you create new domains, they join the forest as child domains of either the root domain or another pre-existing domain. In this example the SALES domain has been added beneath the domain BFQ.COM, thus SALES is said to be a child domain of BFQ.COM.
12. What object is used to centralize control of traffic generated by Active Directory in networks with multiple subnets connected with links of varying capacity? A. Replication Manager Object B. Connection Objects *C. Site Object D. Site Link Bridge Object Explanation: The process of updating from one domain controller to another is called replication. The physical structure of the network, especially the capacity between subnetworks, has a great impact on this process. To control replication more effectively, Active Directory provides sites. A site is defined as one or more well-connected IP subnets. The term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process.
13. What name is given to the Site object created when you install Active Directory for the first time in your network? A. Default-First-Site-Name B. Default-Site C. First-Site D. Default-Site-Name
14. What are three objects used by the Knowledge Consistency Checker to configure the connections between domain controllers? (Choose 3) A. Server Object B. KCC Settings Object C. NTDS Settings Object D. Connection Object E. NTDS Link Object
13. What name is given to the Site object created when you install Active Directory for the first time in your network? *A. Default-First-Site-Name B. Default-Site C. First-Site D. Default-Site-Name Explanation: The process of updating from one domain controller to another is called replication. The physical structure of the network, especially the capacity between subnetworks, has a great impact on this process. To control replication more effectively, Active Directory provides sites. A site is defined as one or more well-connected IP subnets. The term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process.
14. What are three objects used by the Knowledge Consistency Checker to configure the connections between domain controllers? (Choose 3) *A. Server Object B. KCC Settings Object *C. NTDS Settings Object *D. Connection Object E. NTDS Link Object Explanation: A site is defined as one or more well-connected IP subnets. The term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process. When you add domain controllers to a site, a process called the Knowledge Consistency Checker (KCC) automatically configures connections between controllers for replication. The KCC creates connection objects to represent a one-way replication path between domain controllers. The connection objects are children of NTDS Settings objects, which are children of server objects, which represent the actual domain controller.
15. What are two situations for which Connection objects need to exist and be configured? (Choose 2) A. For workstations to be able to connect for authentication B. For domain controllers within a site to be able to maintain replication C. For BDCs to be able to replicate with PDCs D. For domain controllers in different sites to be able to maintain replication
16. What service is not available when you configure replication between two sites? A. Change Notification B. Compressed Traffic C. Urgent Replication D. Replication Scheduling
15. What are two situations for which Connection objects need to exist and be configured? (Choose 2) A. For workstations to be able to connect for authentication *B. For domain controllers within a site to be able to maintain replication C. For BDCs to be able to replicate with PDCs *D. For domain controllers in different sites to be able to maintain replication Explanation: When you add domain controllers to a site, a process called the Knowledge Consistency Checker (KCC) automatically configures connections between controllers for replication. The KCC creates connection objects to represent a one-way replication path between domain controllers. The connection objects are children of NTDS Settings objects, which are children of server objects, which represent the actual domain controller. The connection objects are necessary for domain controllers within a site or domain controllers between different sites to maintain replication.
16. What service is not available when you configure replication between two sites? A. Change Notification B. Compressed Traffic *C. Urgent Replication D. Replication Scheduling Explanation: When you add domain controllers to a site, a process called the Knowledge Consistency Checker (KCC) automatically configures connections between controllers for replication. The KCC creates connection objects to represent a one-way replication path between domain controllers. The connection objects are children of NTDS Settings objects, which are children of server objects, which represent the actual domain controller. The connection objects are necessary for domain controllers within a site or domain controllers between different sites to maintain replication. Replication within a site occurs through a change notification process, whereby a domain controller waits for a configurable interval (by default 5 minutes) and then informs replication partners of changes. Within a site, replication traffic is uncompressed, and urgent replication, consisting of security-sensitive updates, is available. Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites.
17. What is the name of the process that waits a configurable amount of time after a change has been made to an object and then sends a notification message to its replication partners? A. Replication Scheduling B. Urgent Replication C. Change Notification D. Replication Between Sites
18. What protocol does Active Directory use for replication within a site? A. TCP/IP B. RPC over IP C. SMTP D. SNMP
17. What is the name of the process that waits a configurable amount of time after a change has been made to an object and then sends a notification message to its replication partners? A. Replication Scheduling B. Urgent Replication *C. Change Notification D. Replication Between Sites Explanation: Replication within a site occurs through a change notification process, whereby a domain controller waits for a configurable interval (by default 5 minutes) and then informs replication partners of changes. Within a site, replication traffic is uncompressed, and urgent replication, consisting of security-sensitive updates, is available. Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites.
18. What protocol does Active Directory use for replication within a site? A. TCP/IP *B. RPC over IP C. SMTP D. SNMP Explanation: Replication within a site occurs through a change notification process, whereby a domain controller waits for a configurable interval (by default 5 minutes) and then informs replication partners of changes. Within a site, replication traffic is uncompressed, and urgent replication, consisting of security-sensitive updates, is available. Active Directory uses remote procedure calls (RPC) over IP for replication within a site. Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites. Active Directory replication between sites can be accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol).
19. What are the two protocols used for replication between sites by Active Directory? (Choose 2) A. NetBIOS B. RPC over IP C. SMTP D. SNMP
20. What are two additional objects in Active Directory for use in configuring replication between sites? (Choose 2) A. Site Links B. Site Bridges C. Link Bridges D. Site Link Bridges
19. What are the two protocols used for replication between sites by Active Directory? (Choose 2) A. NetBIOS *B. RPC over IP *C. SMTP D. SNMP Explanation: Replication within a site occurs through a change notification process, whereby a domain controller waits for a configurable interval (by default 5 minutes) and then informs replication partners of changes. Within a site, replication traffic is uncompressed, and urgent replication, consisting of security-sensitive updates, is available. Active Directory uses remote procedure calls (RPC) over IP for replication within a site. Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites. Active Directory replication between sites can be accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol).
20. What are two additional objects in Active Directory for use in configuring replication between sites? (Choose 2) *A. Site Links B. Site Bridges C. Link Bridges *D. Site Link Bridges Explanation: When you add domain controllers to a site, a process called the Knowledge Consistency Checker (KCC) automatically configures connections between controllers for replication. The KCC creates connection objects to represent a one-way replication path between domain controllers. The connection objects are children of NTDS Settings objects, which are children of server objects, which represent the actual domain controller. The connection objects are necessary for domain controllers within a site or domain controllers between different sites to maintain replication. Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites. Active Directory replication between sites can be accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol). For configuration of replication between sites there are two additional objects: site link objects and site link bridge objects.
21. What are three values that you can configure in the Site Link Properties box? (Choose 3) A. Protocol (RPC over IP or SMTP) B. Replication Cost C. Replication Interval D. Replication Schedule E. Replication Compression
22. What two settings are required to create a new site in Active Directory? (Choose 2) A. Site Name B. Site Cost C. Association with a Site Link D. Association with a Domain Controller
21. What are three values that you can configure in the Site Link Properties box? (Choose 3) A. Protocol (RPC over IP or SMTP) *B. Replication Cost *C. Replication Interval *D. Replication Schedule E. Replication Compression Explanation: Between sites, replication is defined based on a schedule and an interval, and traffic is always compressed. Urgent replication is not available for replication between sites. Active Directory replication between sites can be accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol). For configuration of replication between sites there are two additional objects: site link objects and site link bridge objects. Site links contain three values that can be used to configure replication: cost, interval and schedule. Cost is an arbitrary value, interval defines how frequently replication should occur and schedule says when the site link is available for replication to occur at all.
22. What two settings are required to create a new site in Active Directory? (Choose 2) *A. Site Name B. Site Cost *C. Association with a Site Link D. Association with a Domain Controller Explanation: A site is defined as one or more well-connected IP subnets, where the term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process. To manually create a site, simply open Active Directory Sites and Services, click create new site, then name the site and associate it with a site link.
23. After creating sites in Active Directory, what is the next step in implementing the physical structure? A. The next step involves creating Site Links. B. The next step involves setting replication configuration. C. The next step involves creating IP subnets. D. The next step involves creating a Global Catalog.
23. After creating sites in Active Directory, what is the next step in implementing the physical structure? A. The next step involves creating Site Links. B. The next step involves setting replication configuration. *C. The next step involves creating IP subnets. D. The next step involves creating a Global Catalog. Explanation: A site is defined as one or more well-connected IP subnets, where the term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process. To manually create a site, simply open Active Directory Sites and Services, click create new site, then name the site and associate it with a site link. After you have created sites, the next step in creating the physical structure in Active Directory is creating subnets.
24. You are the administrator of BFQ, Inc., and have just installed Active Directory and 8 additional Domain Controllers. After you create sites and subnets, where will the server objects corresponding to the Domain Controllers reside in Active Directory? A. The server objects for the Domain Controllers will reside in their respective subnets. B. The server objects for the Domain Controllers will reside in the sites you specify when you create the site object. C. The server objects for the Domain Controllers will reside in the Default-First-Site-Name site and will need to be moved to the correct site using Active Directory Sites and Services. D. The server objects for the Domain Controllers will not yet exist and can now be created in the appropriate site.
24. You are the administrator of BFQ, Inc., and have just installed Active Directory and 8 additional Domain Controllers. After you create sites and subnets, where will the server objects corresponding to the Domain Controllers reside in Active Directory? A. The server objects for the Domain Controllers will reside in their respective subnets. B. The server objects for the Domain Controllers will reside in the sites you specify when you create the site object. *C. The server objects for the Domain Controllers will reside in the Default-First-Site-Name site and will need to be moved to the correct site using Active Directory Sites and Services. D. The server objects for the Domain Controllers will not yet exist and can now be created in the appropriate site. Explanation: A site is defined as one or more well-connected IP subnets, where the term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process. Additionally, the Default-First-Site-Name will be associated with all domain controller server objects unless you specify otherwise. If you have created your domain controllers before defining sites, you will need to use the Active Directory Sites and Services console to move the domain controller server objects to the appropriate site.
25. What must you do to move a server object in Active Directory? A. Server objects cannot be moved. You must delete the object and re-create it. B. Server objects cannot be moved. You must reinstall Active Directory on the Domain Controller. C. In Active Directory Sites and Services, right click the server object and choose move, then drag and drop it. D. You can move the server object from within the Site object by browsing in Active Directory and choosing the server object.
26. What are two properties that need to be identified when creating a Site Link? (Choose 2) A. Site Link Name B. Site Link Subnet C. Site Link Protocol D. Site Link Sites
25. What must you do to move a server object in Active Directory? A. Server objects cannot be moved. You must delete the object and re-create it. B. Server objects cannot be moved. You must reinstall Active Directory on the Domain Controller. *C. In Active Directory Sites and Services, right click the server object and choose move, then drag and drop it. D. You can move the server object from within the Site object by browsing in Active Directory and choosing the server object. Explanation: A site is defined as one or more well-connected IP subnets, where the term well-connected is relative to the speed of the link and the traffic on the link. When you create the first domain controller in Active Directory, the Active Directory Installation Wizard creates the Default-First-Site-Name and assigns the domain controller to the site. This default site will contain all IP subnets by default, unless you specify otherwise in the creation process. Additionally, the Default-First-Site-Name will be associated with all domain controller server objects unless you specify otherwise. If you have created your domain controllers before defining sites, you will need to use the Active Directory Sites and Services console to move the domain controller server objects to the appropriate site.
26. What are two properties that need to be identified when creating a Site Link? (Choose 2) *A. Site Link Name B. Site Link Subnet C. Site Link Protocol *D. Site Link Sites Explanation: For configuration of replication between sites there are two additional objects: site link objects and site link bridge objects. Site links contain three values that can be used to configure replication: cost, interval and schedule. Cost is an arbitrary value, interval defines how frequently replication should occur and schedule says when the site link is available for replication to occur at all. The creation of a site link in Active Directory Sites and Services requires a name and two or more sites to be linked. Configuration of the site link then consists of specifying the replication protocol and setting the cost, interval and schedule values.
27. What must you do if your network is not fully routed and you need to create site link bridges? A. You must first enable routing across your network. B. You must disable the default bridging of site links. C. You must enable routing in the protocol section of the site links. D. You must first disable the default routing of all site links.
27. What must you do if your network is not fully routed and you need to create site link bridges? A. You must first enable routing across your network. *B. You must disable the default bridging of site links. C. You must enable routing in the protocol section of the site links. D. You must first disable the default routing of all site links. Explanation: For configuration of replication between sites there are two additional objects: site link objects and site link bridge objects. Site links contain three values that can be used to configure replication: cost, interval and schedule. Cost is an arbitrary value, interval defines how frequently replication should occur and schedule says when the site link is available for replication to occur at all. The creation of a site link in Active Directory Sites and Services requires a name and two or more sites to be linked. Configuration of the site link then consists of specifying the replication protocol and setting the cost, interval and schedule values. Site link bridges represent sets of site links that all use the same replication protocol. If your network is routed, then site links are bridged by default and you need not create site link bridges. Otherwise, to create a site link bridge, you must open Site in Active Directory Sites and Services and choose Inter-Site Transports - New Site Link Bridge. Then you simply name the bridge and assign two or more site links and click Add.
28. As the administrator for BFQ, Inc. what can you do to decrease the traffic created by queries to the Global Catalog across sites? A. You can limit Global Catalog searches to the local site only. B. You can create separate forests so that searches will remain local. C. You can create additional Global Catalog Servers so that the catalog is available locally. D. You can create a local catalog, and then searches will not cross WAN links.
28. As the administrator for BFQ, Inc. what can you do to decrease the traffic created by queries to the Global Catalog across sites? A. You can limit Global Catalog searches to the local site only. B. You can create separate forests so that searches will remain local. *C. You can create additional Global Catalog Servers so that the catalog is available locally. D. You can create a local catalog, and then searches will not cross WAN links. Explanation: For configuration of replication between sites there are two additional objects: site link objects and site link bridge objects. Site links contain three values that can be used to configure replication: cost, interval and schedule. Cost is an arbitrary value, interval defines how frequently replication should occur and schedule says when the site link is available for replication to occur at all. The creation of a site link in Active Directory Sites and Services requires a name and two or more sites to be linked. Configuration of the site link then consists of specifying the replication protocol and setting the cost, interval and schedule values. To reduce traffic further between sites, you can create a separate Global Catalog Server at each site, so that queries will not cross slow network links. This is done in the NTDS Settings tab under Sites in Active Directory Sites and Services.
29. What are the two main types of network traffic affected by the existence of sites? (Choose 2) A. Routing traffic B. Logon traffic C. Replication traffic D. IP broadcast traffic
30. You are the administrator of BFQ, Inc., a company with offices in Dallas, London and New York City. New York City has T-1 lines to both of the other locations, while they have only a 56KBps between them. How many sites will need to be created for this network? A. 2 sites B. 3 sites C. 4 sites D. None E. 6 sites
29. What are the two main types of network traffic affected by the existence of sites? (Choose 2) A. Routing traffic *B. Logon traffic *C. Replication traffic D. IP broadcast traffic Explanation: Clearly, of the answers presented, only replication and logon traffic are reasonable. Routing traffic on large IP internetworks is already well optimized through the use of OSPF, and IP broadcasts are not forwarded across routers by default.
30. You are the administrator of BFQ, Inc., a company with offices in Dallas, London and New York City. New York City has T-1 lines to both of the other locations, while they have only a 56KBps between them. How many sites will need to be created for this network? A. 2 sites *B. 3 sites C. 4 sites D. None E. 6 sites Explanation: 3 sites will need to be created for this network: one for Dallas, one for London, and one for New York City.
31. What do you use to create Organizational Unit objects in Active Directory? A. Active Directory Users and Computers B. Active Directory Sites and Services C. Active Directory Domains and Forests D. Active Directory Tree
32. What are the three scopes available for groups in Active Directory? (Choose 3) A. Domain Local B. Global C. Security D. Distribution E. Universal
31. What do you use to create Organizational Unit objects in Active Directory? *A. Active Directory Users and Computers B. Active Directory Sites and Services C. Active Directory Domains and Forests D. Active Directory Tree Explanation: Organizational Unit objects are container objects in Active Directory, and can contain other AD objects such as user, computer, and group objects. To create an Organizational Unit object below another OU, the user must have the Read, List Contents and Create Organizational Unit Objects permissions. Certainly, members of the Administrators group can create OUs anywhere in the forest by default. To create an OU, open Active Directory Users and Computers, then right-click the container in which you wish to create an OU, select New, and name the new OU.
32. What are the three scopes available for groups in Active Directory? (Choose 3) *A. Domain Local *B. Global C. Security D. Distribution *E. Universal Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two basic group types: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. Domain Local groups (in a native mode domain) can contain user accounts, Global groups and Universal groups from any domain in the forest, and other domain Local groups from the same domain. In a mixed mode domain, domain Local groups can contain user accounts and Global groups from any domain. Global groups, in a native domain, can contain user accounts and Global groups from the domain in which the Global group exists. In mixed mode the Global group can contain only user accounts from the domain in which it exists. Universal groups can only be created in domains operating in native mode. They can contain user accounts, Global groups and other Universal groups from any domain in the forest.
33. As the administrator in your domain you are trying to troubleshoot your domain's replication topology. The first step in the troubleshooting process is to determine the number of replication topologies that exist within your single Windows 2000 Active Directory domain structure. Which of the following represent a replication topology naming context? (Choose three.) A. Schema naming context B. Domain naming context C. Configuration naming context D. Site naming context E. Global Catalog naming context
33. As the administrator in your domain you are trying to troubleshoot your domain's replication topology. The first step in the troubleshooting process is to determine the number of replication topologies that exist within your single Windows 2000 Active Directory domain structure. Which of the following represent a replication topology naming context? (Choose three.) *A. Schema naming context *B. Domain naming context *C. Configuration naming context D. Site naming context E. Global Catalog naming context Explanation: The Configuration naming context is an enterprise-wide naming context that includes information about all the sites, domains and domain controllers in the forest and the domain controller replication connections. The Schema naming context is also an enterprise-wide naming context that contains the definitions of the objects and attributes that can be created within the Active Directory namespace. The Domain naming context is only replicated within the domain to other domain controllers in that domain. A naming context is a specific region within the Active Directory namespace and defines the boundary of replication. There are no site or global catalog naming contexts.
34. As the domain administrator you are responsible for the creation of multiple user accounts. You have established the naming convention of the first letter of the user's first name, and first six characters of the last name. As you begin to add users, you get an error message indicating that an object with that username already exists. What is responsible for preventing user objects with the same name from being created in the Active Directory? A. Active Directory Users and Computers prevent the creation of user objects with identical object names within the same domain. B. Active Directory Sites and Services prevent the creation of user objects with identical object names within the same domain. C. The Active Directory polices itself, preventing the creation of user objects with identical object names within the same domain. D. The Schema prevents the creation of user objects with identical object names within the same domain.
34. As the domain administrator you are responsible for the creation of multiple user accounts. You have established the naming convention of the first letter of the user's first name, and first six characters of the last name. As you begin to add users, you get an error message indicating that an object with that username already exists. What is responsible for preventing user objects with the same name from being created in the Active Directory? *A. Active Directory Users and Computers prevent the creation of user objects with identical object names within the same domain. B. Active Directory Sites and Services prevent the creation of user objects with identical object names within the same domain. C. The Active Directory polices itself, preventing the creation of user objects with identical object names within the same domain. D. The Schema prevents the creation of user objects with identical object names within the same domain. Explanation: Active Directory Users and Computers prevent the creation of user objects with identical object names. If you use an alternative method of adding users to the domain, such as scripting, you should incorporate duplication checking into your script. Active Directory Sites and Services are used to add sites and replication connections. The Active Directory does not police itself. The schema defines the object classes and object attributes that can be created within the Active Directory but does not prevent object duplication.
35. You are the administrator responsible for the implementation of the AD logical structure. What tools can you use to add objects to the Active Directory? (Choose four.) A. Active Directory Users and Computers B. Active Directory Sites and Services C. ADSI D. Movetree E. LDIFDE.exe
36. As the administrator you have been asked to move users from one domain to another domain within the same forest. What tool would you use to accomplish this? A. Movetree B. Cloneprincipal C. Active Directory Users and Computers D. Active Directory Sites and Services
35. You are the administrator responsible for the implementation of the AD logical structure. What tools can you use to add objects to the Active Directory? (Choose four.) *A. Active Directory Users and Computers B. Active Directory Sites and Services *C. ADSI *D. Movetree *E. LDIFDE.exe Explanation: Active Directory Users and Computers, ADSI scripts, Movetree, and LDIFDE.exe can all be used to add objects to the Active Directory. Active Directory Users and Computers is one of the default Administrative tools included with the operating system. It is also possible to write an Active Directory Scripting Interface (ADSI) script to add objects. Movetree is a Resource Kit utility that can be used to move users from one domain to another within the same forest. LDIFDE.exe is a Resource Kit utility that can be used to perform bulk imports or exports of users into the Active Directory. Xcopy is a DOS utility that is used for copying files, not Active Directory objects. Usrmgr is the Windows NT 4 User Manager utility and cannot be used to add objects to the Active Directory.
36. As the administrator you have been asked to move users from one domain to another domain within the same forest. What tool would you use to accomplish this? *A. Movetree B. Cloneprincipal C. Active Directory Users and Computers D. Active Directory Sites and Services Explanation: Movetree is a utility found in the Windows 2000 Resource Kit that allows you to move users between different domains in the same forest. Cloneprincipal is also a utility found in the Windows 2000 Resource Kit, but it moves users and groups between domains only when those domains are in different forests. Active Directory Users and Computers can be used to create, modify and delete users in a domain but not move them. Active Directory Sites and Services does not allow you to manage users and groups.
37. As the administrator you have been asked to move users from one domain in one forest to another domain in a second forest. What tool would you use to accomplish this? A. Movetree B. Cloneprincipal C. Active Directory Users and Computers D. Active Directory Sites and Services
38. NASA spent millions of dollars on a space program project that involved trying to design a pen that works in a zero gravity environment. At the same time the Russian space program decided to use a pencil in zero gravity environments. Which of the following planning guidelines best represents the Russians' methodology? A. Keep it simple B. Aim for the ideal design C. Evaluate multiple alternatives D. Anticipate change
37. As the administrator you have been asked to move users from one domain in one forest to another domain in a second forest. What tool would you use to accomplish this? A. Movetree *B. Cloneprincipal C. Active Directory Users and Computers D. Active Directory Sites and Services Explanation: Cloneprincipal is a utility found in the Windows 2000 Resource Kit that moves users and groups between domains, but only when those domains are in different forests. Movetree is also a utility found in the Windows 2000 Resource Kit; it allows you to move users between different domains in the same forest. Active Directory Users and Computers can be used to create, modify and delete users in a domain but not move them. Active Directory Sites and Services does not allow you to manage users and groups.
38. NASA spent millions of dollars on a space program project that involved trying to design a pen that works in a zero gravity environment. At the same time the Russian space program decided to use a pencil in zero gravity environments. Which of the following planning guidelines best represents the Russians' methodology? *A. Keep it simple B. Aim for the ideal design C. Evaluate multiple alternatives D. Anticipate change Explanation: Keeping it simple best represents the Russians' methodology. Aiming for the ideal design would be the methodology used by the Americans. Evaluating multiple alternatives could have applied to both countries in this example but not enough information was given to make that assumption. Anticipate change too could have applied to both countries but again not enough information was given to make that assumption.
39. NASA spent millions of dollars on a space program project that involved trying to design a pen that works in a zero gravity environment. At the same time the Russian space program decided to use a pencil in a zero gravity environment. Which of the following planning guidelines best represents the Americans' methodology? A. Keep it simple B. Aim for the ideal design C. Evaluate multiple alternatives D. Anticipate change
40. As the administrator of the mcsejobs.net Windows 2000 directory service you are responsible for the creation, management and deletion of all the objects in the directory. You have recently hired a summer student named Chloe Ward to assist you in your responsibilities, and are trying to explain the concept of a distinguished name to help Chloe locate the correct object in the directory service. To demonstrate this, you open Active Directory Users and Computers and create an account for Chloe with a username of "cward" in the Users container. What is the distinguished name of Chloe's user object? A. CN=Chloe Ward,CN=Users,DC=mcsejobs,DC=net B. CN=Cward,CN=Users,DC=mcsejobs, DC=net C. CN=Chloe Ward,OU=Users,DC=mcsejobs,DC=net D. CN=Cward,CN=Users,DC=mcsejobs.net
39. NASA spent millions of dollars on a space program project that involved trying to design a pen that works in a zero gravity environment. At the same time the Russian space program decided to use a pencil in a zero gravity environment. Which of the following planning guidelines best represents the Americans' methodology? A. Keep it simple *B. Aim for the ideal design C. Evaluate multiple alternatives D. Anticipate change Explanation: Aiming for the ideal design represents the Americans' methodology in this case. One of the problems with aiming for the ideal design is that you can get caught up in the pursuit of excellence and lose sight of other important decision criteria. Keeping it simple best represents the Russians' methodology. Evaluating multiple alternatives could have applied to both countries in this example but not enough information was given to make that assumption. Anticipate change too could have applied to both countries but again not enough information was given to make that assumption.
40. As the administrator of the mcsejobs.net Windows 2000 directory service you are responsible for the creation, management and deletion of all the objects in the directory. You have recently hired a summer student named Chloe Ward to assist you in your responsibilities, and are trying to explain the concept of a distinguished name to help Chloe locate the correct object in the directory service. To demonstrate this, you open Active Directory Users and Computers and create an account for Chloe with a username of "cward" in the Users container. What is the distinguished name of Chloe's user object? *A. CN=Chloe Ward,CN=Users,DC=mcsejobs,DC=net B. CN=Cward,CN=Users,DC=mcsejobs, DC=net C. CN=Chloe Ward,OU=Users,DC=mcsejobs,DC=net D. CN=Cward,CN=Users,DC=mcsejobs.net Explanation: Every object in the Active Directory has a distinguished name that identifies the domain in which the object is located and the complete path by which the object is reached. The path consists of common names (CN), organizational units (OU) and domain components (DC). The correct distinguished name in this example points to the common name Chloe Ward, followed by the common name Users, the container where the Chloe Ward object resides. Next are the domain components mcsejobs and net which indicate the correct domain that the object is located in.
41. As the administrator you have been asked to move computers from one domain in one forest to another domain in a different forest. What tool would you use to accomplish this? A. Movetree B. Cloneprincipal C. Active Directory Users and Computers D. Netdom
42. As the administrator of your organization's Active Directory domain, you have learned through working with the directory service that certain names and identifiers are required to be unique in the Active Directory. Which of the following names and identifiers are required to be unique within a forest? (Choose four.) A. Distinguished name B. Relative distinguished name C. Globally Unique Identifier (GUID) D. User Principal Name E. Object Identifier (OID)
41. As the administrator you have been asked to move computers from one domain in one forest to another domain in a different forest. What tool would you use to accomplish this? A. Movetree B. Cloneprincipal C. Active Directory Users and Computers *D. Netdom Explanation: Netdom.exe is a Resource Kit utility that can be used to move computers from one domain in one forest to another domain in another forest. Cloneprincipal is a Resource Kit utility that can be used to move users and groups between domains, but only if the domains are in different forests. Movetree is a Resource Kit utility that can be used to move users and groups between domains in the same forest. Active Directory Users and Computers can not be used to move computers between domains, only between OUs within the same domain.
42. As the administrator of your organization's Active Directory domain, you have learned through working with the directory service that certain names and identifiers are required to be unique in the Active Directory. Which of the following names and identifiers are required to be unique within a forest? (Choose four.) *A. Distinguished name B. Relative distinguished name *C. Globally Unique Identifier (GUID) *D. User Principal Name *E. Object Identifier (OID) Explanation: A distinguished name is guaranteed to be unique in a forest as the Active Directory does not allow two objects with the same relative distinguished name within the same container. The Relative Distinguished Name only has to be unique within its parent container, not within the forest. An example of this would be two users named Jane Smith existing in the forest but in different containers. The first Jane Smith could be created in the Users container and the second Jane Smith could be created within an OU named Sales. A GUID is a 128-bit hexadecimal representation that Windows 2000 assigns to an object when created and is required to be unique. An OID is also required to be unique. An OID is required when adding object classes or object attributes to the schema.
43. As the administrator of your organization's Active Directory domain, you have learned through working with the directory service that certain names and identifiers are required to be unique in the Active Directory. Of the following names and identifiers which two could be duplicated within a forest even though they are required to be unique? (Choose two.) A. Distinguished name B. Relative distinguished name C. Globally Unique Identifier (GUID) D. User Principal Name E. Object Identifier (OID)
44. In designing your Active Directory structure, you have decided to replace some existing NT 4.0 domains with organizational units in Windows 2000. Within which of the following logical and physical components can an organizational unit be created? (Choose two.) A. Domain B. Organizational Unit C. Schema D. Site
43. As the administrator of your organization's Active Directory domain, you have learned through working with the directory service that certain names and identifiers are required to be unique in the Active Directory. Of the following names and identifiers which two could be duplicated within a forest even though they are required to be unique? (Choose two.) A. Distinguished name *B. Relative distinguished name C. Globally Unique Identifier (GUID) *D. User Principal Name E. Object Identifier (OID) Explanation: A Relative Distinguished Name only has to be unique within its parent container, not within the forest. The creation of users simultaneously on different domain controllers could allow for two users with identical Relative Distinguished names to be created. The same is true of User Principal Names. If two users were created simultaneously, two identical UPNs could be created. A distinguished name is guaranteed to be unique in a forest as the Active Directory does not allow two objects with the same relative distinguished name within the same container. A GUID is a 128-bit hexadecimal representation that Windows 2000 assigns to an object when created and is required to be unique. An OID is also required to be unique. An OID is required when adding object classes or object attributes to the schema.
44. In designing your Active Directory structure, you have decided to replace some existing NT 4.0 domains with organizational units in Windows 2000. Within which of the following logical and physical components can an organizational unit be created? (Choose two.) *A. Domain *B. Organizational Unit C. Schema D. Site Explanation: An organizational unit can be created in both a domain and in another organizational unit. An organizational unit cannot be created within the schema or at the site level. The schema allows for organizational units to be created but the schema is an object itself within the Active Directory. A domain can be a member of a site, and an organizational unit can be created within a domain, but an OU can not be created directly within a site.
45. There are two modes that the Active Directory service can be set to run in. What mode is the domain in after you install Active Directory and establish a domain? A. native mode B. mixed mode C. primary mode D. default mode
46. You have just been hired by mcsejobs.net to work as an administrator of the company's Windows 2000 network. One of the first questions you have upon joining is whether the domain is in mixed or native mode. Before asking, you decide to open Active Directory Users and Computers and create a group to determine what mode the domain is in. What type of group will you be unable to create if the domain is in mixed mode? A. Universal Security B. Universal Distribution C. Global Security D. Global Distribution E. Domain Local Security
45. There are two modes that the Active Directory service can be set to run in. What mode is the domain in after you install Active Directory and establish a domain? A. native mode *B. mixed mode C. primary mode D. default mode Explanation: Mixed mode is the default mode that all domains are in after the installation of Active Directory. Mixed mode allows for both Windows 2000 domain controllers and Windows NT 4.0 domain controllers to exist and participate in the domain. An Administrator must convert the domain to native mode. Switching to native mode allows the administrator to take advantage of more features of the Windows 2000 operating system.
46. You have just been hired by mcsejobs.net to work as an administrator of the company's Windows 2000 network. One of the first questions you have upon joining is whether the domain is in mixed or native mode. Before asking, you decide to open Active Directory Users and Computers and create a group to determine what mode the domain is in. What type of group will you be unable to create if the domain is in mixed mode? *A. Universal Security B. Universal Distribution C. Global Security D. Global Distribution E. Domain Local Security Explanation: Universal Security groups can only be created when the domain is in native mode, not in mixed mode. All other types of groups can be created in both domain modes.
47. You are the network administrator of Great Lava Plc., which consists of one domain tree broken into a root domain called greatlava.com and four child domains named Europe, Asia, NA and SA. The root domain has a total of four domain controllers, two of which are running Windows 2000, and the other two are configured as BDC's running Windows NT 4. The administrator of the Europe child domain would like to change his domain to native mode. What would be the correct procedure to change the Europe domain to native mode? A. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Then upgrade the Europe domain to native mode. B. Upgrade the Europe domain to native mode. C. Upgrade the root domain to native mode and prepare the other child domains for the upgrade, then upgrade the Europe domain and all other domains in the tree will be upgraded automatically. D. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Upgrading the root domain will upgrade all the child domains.
47. You are the network administrator of Great Lava Plc., which consists of one domain tree broken into a root domain called greatlava.com and four child domains named Europe, Asia, NA and SA. The root domain has a total of four domain controllers, two of which are running Windows 2000, and the other two are configured as BDC's running Windows NT 4. The administrator of the Europe child domain would like to change his domain to native mode. What would be the correct procedure to change the Europe domain to native mode? A. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Then upgrade the Europe domain to native mode. *B. Upgrade the Europe domain to native mode. C. Upgrade the root domain to native mode and prepare the other child domains for the upgrade, then upgrade the Europe domain and all other domains in the tree will be upgraded automatically. D. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Upgrading the root domain will upgrade all the child domains. Explanation: Domains can be upgraded to native mode individually without concern for the state of other domains in the tree or forest. Upgrading a domain only upgrades that one domain and not any others in the tree or forest.
48. In implementing your Active Directory structure, you have decided to collapse a number of existing Windows NT 4.0 resource domains into a single Windows 2000 domain and replace them with organizational units. Management has asked you to explain the reasoning behind your decision. In order to do that, you have outlined a number of reasons for using organizational units. Which of the following statements about organizational units are true? (Choose three.) A. Organizational units can be nested in other organizational units. B. Objects can be moved between organizational units within a domain. C. Objects can be moved between organizational units within a forest. D. Organizational units can be used instead of groups to assign permissions. E. Organizational units can contain printers, users, groups, and computers.
48. In implementing your Active Directory structure, you have decided to collapse a number of existing Windows NT 4.0 resource domains into a single Windows 2000 domain and replace them with organizational units. Management has asked you to explain the reasoning behind your decision. In order to do that, you have outlined a number of reasons for using organizational units. Which of the following statements about organizational units are true? (Choose three.) *A. Organizational units can be nested in other organizational units. *B. Objects can be moved between organizational units within a domain. C. Objects can be moved between organizational units within a forest. D. Organizational units can be used instead of groups to assign permissions. *E. Organizational units can contain printers, users, groups, and computers. Explanation: Organizational units can be nested in other organizational units, and objects within one OU can be moved to another OU within the same domain but not between domains. Organizational units cannot be used instead of groups to assign permissions. An OU is a logical grouping of objects over which control can be delegated for task-based administration, but it cannot be used as a replacement for security groups. Printers, users, groups and computers can be placed in an OU.
49. As one of the network administrators in your organization, you sit on the design committee and are trying to decide on reasons to use or not to use multiple domains. Of the reasons below, which of the following is not a valid reason for creating multiple domains? A. Politics B. Different security requirements C. Large number of objects D. Better control of replication E. Decentralized administration
50. As one of the network administrators in your Windows 2000 domain you are explaining the concept of transitive trusts to a colleague. Which of the following statements best represents the concept of a transitive trust? A. If domain A trusts domain B and domain B trusts domain C then domain A trusts domain C. B. If domain A trusts domain C and domain B trusts domain C then domain A and domain B trust domain C. C. If domain A trusts domain B and domain B trusts domain A then domain A is trusted by domain B. D. If domain A trusts domain B and domain B trusts domain C then domain C trusts domain B.
49. As one of the network administrators in your organization, you sit on the design committee and are trying to decide on reasons to use or not to use multiple domains. Of the reasons below, which of the following is not a valid reason for creating multiple domains? A. Politics B. Different security requirements *C. Large number of objects D. Better control of replication E. Decentralized administration Explanation: Politics, different security requirements such as password policy, better control of replication, and decentralized administration are all valid reasons for choosing a multiple-domain model. Having a large number of objects is not a valid reason. The scalability of a domain is not limited to the domain but to the forest. It is the global catalog that is forest-wide and must be able to store all the objects of the forest. Domain controllers store all the objects and their respective attributes within their domain. Global catalog servers store all the objects from all domains in the forest but only selected properties of objects not within the domain the global catalog is a member of. Global catalog servers are also domain controllers, so they are also responsible for storing all the objects and object attributes of the objects within their own domain.
50. As one of the network administrators in your Windows 2000 domain you are explaining the concept of transitive trusts to a colleague. Which of the following statements best represents the concept of a transitive trust? *A. If domain A trusts domain B and domain B trusts domain C then domain A trusts domain C. B. If domain A trusts domain C and domain B trusts domain C then domain A and domain B trust domain C. C. If domain A trusts domain B and domain B trusts domain A then domain A is trusted by domain B. D. If domain A trusts domain B and domain B trusts domain C then domain C trusts domain B. Explanation: Transitive trusts mean that if one domain trusts a second domain and that second domain trusts a third domain, then the first domain also trusts the third domain due to the trusts.
51. You are the network administrator for your organization. Your Windows 2000 domain consists of a forest of two trees. The root of the forest is called gotcha.com and has two child domains called east and west. The second tree's root is called voodoo.com and also has two child domains named east and west. As the administrator of east.voodoo.com you would like to make changes to the schema. In which domain would you need to be added to the Schema Admins group? A. East.voodoo.com B. Voodoo.com C. Gotcha.com D. Voodoo.com and East.voodoo.com
52. As the administrator of your organization's Windows 2000 domain, you are interested in measuring the size of the Active Directory database. What is the name of the Active Directory database file and where is it stored? A. %windir%\system32\ntds.dit B. %windir%\ntds\ntds.dit C. %windir%\system32\edb.chk D. %windir%\ntds\edb.chk E. %windir%\security\database\secedit.sdb
51. You are the network administrator for your organization. Your Windows 2000 domain consists of a forest of two trees. The root of the forest is called gotcha.com and has two child domains called east and west. The second tree's root is called voodoo.com and also has two child domains named east and west. As the administrator of east.voodoo.com you would like to make changes to the schema. In which domain would you need to be added to the Schema Admins group? A. East.voodoo.com B. Voodoo.com *C. Gotcha.com D. Voodoo.com and East.voodoo.com Explanation: The Schema Admins group only exists in the root domain of the forest, which in this case is gotcha.com. Therefore that is the domain in which you will have to be added to the Schema Admins group.
52. As the administrator of your organization's Windows 2000 domain, you are interested in measuring the size of the Active Directory database. What is the name of the Active Directory database file and where is it stored? A. %windir%\system32\ntds.dit *B. %windir%\ntds\ntds.dit C. %windir%\system32\edb.chk D. %windir%\ntds\edb.chk E. %windir%\security\database\secedit.sdb Explanation: The correct path to the Active Directory database is %windir%\ntds\ and the name of the file is ntds.dit. There is a second ntds.dit file in the system32 directory, but that file is the original that gets copied when Active Directory is installed and moved to its new location in the ntds directory on the domain controller. The edb.chk files are the checkpoint files that track the transactions that have or have not been committed to the database.
53. As one of the network administrators in your organization, you sit on the design committee and are trying to decide on reasons to use or not to use multiple sites. Of the reasons below, what are two valid reasons to use multiple sites? A. To optimize replication traffic B. To optimize authentication traffic C. To allow for faster searches of the Active Directory D. To optimize administration E. To optimize operations masters
54. You are one of the administrators responsible for making schema changes in your organization. You launch the MMC from the Run command and try to add the Schema management snap-in, but it's not in the list of available snap-ins. What can you do to get the schema management snap-in to appear in the list? A. At the Run command type regsvr32 schmmgmt.dll B. At the Run command type regedt32 C. At the Run command type runas /user:america\administrator "mmc %windir%\system32\schmgmt.msc" D. At the Run command type runas /user:mcsejobs.net\administrator "mmc %windir%\system32\schmgmt.msc"
53. As one of the network administrators in your organization, you sit on the design committee and are trying to decide on reasons to use or not to use multiple sites. Of the reasons below, what are two valid reasons to use multiple sites? *A. To optimize replication traffic *B. To optimize authentication traffic C. To allow for faster searches of the Active Directory D. To optimize administration E. To optimize operations masters Explanation: Sites are used for two primary reasons: to optimize replication and authentication traffic. By creating sites, you as an administrator can govern when the connections between sites are used for replication, and you can force your users to try to authenticate to a domain controller within their own site before using a costly connection to authenticate to a distant domain controller.
54. You are one of the administrators responsible for making schema changes in your organization. You launch the MMC from the Run command and try to add the Schema management snap-in, but it's not in the list of available snap-ins. What can you do to get the schema management snap-in to appear in the list? *A. At the Run command type regsvr32 schmmgmt.dll B. At the Run command type regedt32 C. At the Run command type runas /user:america\administrator "mmc %windir%\system32\schmgmt.msc" D. At the Run command type runas /user:mcsejobs.net\administrator "mmc %windir%\system32\schmgmt.msc" Explanation: The Schema Management snap-in is not available in the list of available add-ins until the adminpak.msi, which contains all the administrative tools, is installed or the schema management .dll is registered. Using the runas command will not register the schema management .dll by itself. Running the regedt32 utility will not register the .dll.
55. You are the administrator of the Canada OU in the America domain of your organization's Windows 2000 Active Directory network. You have created a number of user accounts in the OU under the following naming convention: the first initial of the user's first name and the first 6 characters of the last name. You are now interested in creating computer accounts in the same OU for the Windows 2000 Professional computers. Of the following naming conventions, which one will not work in the Canada OU? A. First initial of the computer user's first name, and first 6 characters of the last name B. First initial of the computer user's last name, and first 6 characters of the first name C. First initial of the computer user's first name, and first 6 characters of the last name followed by the number 1 D. First initial of the computer user's last name, and first 6 characters of the first name followed by the user's department ID
56. As the administrator of your Windows 2000 network, you are trying to decide upon a group strategy that will minimize replication between global catalog servers in your Active Directory multiple domain structure. Which of the following strategies will minimize the replication between global catalog servers? A. Place users into global groups and add global groups to universal groups. B. Place users into both global groups and universal groups. C. Place users into universal groups and add universal groups to global groups. D. Place users into universal groups and add universal groups to domain local groups.
55. You are the administrator of the Canada OU in the America domain of your organization's Windows 2000 Active Directory network. You have created a number of user accounts in the OU under the following naming convention: the first initial of the user's first name and the first 6 characters of the last name. You are now interested in creating computer accounts in the same OU for the Windows 2000 Professional computers. Of the following naming conventions, which one will not work in the Canada OU? *A. First initial of the computer user's first name, and first 6 characters of the last name B. First initial of the computer user's last name, and first 6 characters of the first name C. First initial of the computer user's first name, and first 6 characters of the last name followed by the number 1 D. First initial of the computer user's last name, and first 6 characters of the first name followed by the user's department ID Explanation: The naming convention used for computers can not be the same as the user account naming convention because of the requirements of distinguished names. Distinguished names must be unique in the Active Directory. The naming conventions could be the same if used in different organizational units but not in the same organizational unit.
56. As the administrator of your Windows 2000 network, you are trying to decide upon a group strategy that will minimize replication between global catalog servers in your Active Directory multiple domain structure. Which of the following strategies will minimize the replication between global catalog servers? *A. Place users into global groups and add global groups to universal groups. B. Place users into both global groups and universal groups. C. Place users into universal groups and add universal groups to global groups. D. Place users into universal groups and add universal groups to domain local groups. Explanation: Placing users into global groups and global groups into universal groups will minimize the replication between global catalog servers. If a universal group's membership is made up of individual user accounts, replication will occur whenever the universal group's membership changes. By adding global groups to universal groups, the membership of a global group can change without affecting the membership of the universal group.
Active Directory
57. Your manager has been attending a number of Microsoft Windows 2000 briefings and hearing about the idea of delegating administration and how with Windows 2000 it is possible to collapse your multiple domain structures into fewer domains. What component of the logical structure allows you as the administrator to do all this? A. The creation of organizational units B. The creation of group policy C. The creation of sites D. The creation of universal groups
58. Your organization's Windows 2000 network consists of one root domain named planet.com and two child domains named east and west. You currently have one global catalog server in the planet.com domain and would like to configure a second in the east.planet.com domain. Which criteria do you have to meet in order to configure a global catalog server? A. Must be a member of the Enterprise Administrators group B. Must be a member of the Domain Administrators group C. Must be a member of the Schema Administrators group D. Must be a member of the planet.com domain administrators group
57. Your manager has been attending a number of Microsoft Windows 2000 briefings and hearing about the idea of delegating administration and how with Windows 2000 it is possible to collapse your multiple domain structures into fewer domains. What component of the logical structure allows you as the administrator to do all this? *A. The creation of organizational units B. The creation of group policy C. The creation of sites D. The creation of universal groups Explanation: Organizational units allow for administration to be delegated in whole or in part to a user or a group of users for a specific organizational unit. Task-based delegation would include such things as the ability to change passwords. The creation of group policies does not allow for administration to be delegated, but rather a set of rules to be applied at various levels in the logical structure. The creation of sites is useful for the administration of replication and authentication traffic.
58. Your organization's Windows 2000 network consists of one root domain named planet.com and two child domains named east and west. You currently have one global catalog server in the planet.com domain and would like to configure a second in the east.planet.com domain. Which criteria do you have to meet in order to configure a global catalog server? A. Must be a member of the Enterprise Administrators group *B. Must be a member of the Domain Administrators group C. Must be a member of the Schema Administrators group D. Must be a member of the planet.com domain administrators group Explanation: In order to configure a domain controller to be a global catalog server you must be a member of the domain administrators group.
59. Your organization's Windows 2000 network consists of one root domain named planet.com and two child domains named east and west. You currently have one global catalog server in the planet.com domain and would like to configure a second in the east.planet.com domain. Which utility can be used to configure a domain controller to be a global catalog server? A. Active Directory Users and Computers B. Active Directory Sites and Services C. Dcpromo /gc D. Schema Management E. Security Templates
60. Your manager has been attending a number of Microsoft Windows 2000 briefings and hearing about the idea of global catalog servers. He is not sure what these servers are used for. He suggests a number of features of a global catalog server below. Which of the following are global catalog features? (Choose three.) A. Allow for easier searching of objects. B. Can use universal group membership information to log on to the network. C. Allow a domain to be switched to Native mode. D. Allow for more than one million objects to be stored in the Active Directory. E. Contains the access permissions for each object and attribute in the forest.
59. Your organization's Windows 2000 network consists of one root domain named planet.com and two child domains named east and west. You currently have one global catalog server in the planet.com domain and would like to configure a second in the east.planet.com domain. Which utility can be used to configure a domain controller to be a global catalog server? A. Active Directory Users and Computers *B. Active Directory Sites and Services C. Dcpromo /gc D. Schema Management E. Security Templates Explanation: Active Directory Sites and Services. When you get into this utility, you expand the Servers folder, then you expand the NTDS settings of the particular server. You then right-click on NTDS Settings and click on properties. There you will see the check box labeled "Global Catalog" that you would check.
60. Your manager has been attending a number of Microsoft Windows 2000 briefings and hearing about the idea of global catalog servers. He is not sure what these servers are used for. He suggests a number of features of a global catalog server below. Which of the following are global catalog features? (Choose three.) *A. Allow for easier searching of objects.
*B. Can use universal group membership information to log on to the network.
C. Allow a domain to be switched to Native mode. D. Allow for more than one million objects to be stored in the Active Directory. *E. Contains the access permissions for each object and attribute in the forest. Explanation: Global catalog servers store all of the objects in your forest and act as a central repository that can be easily searched by your users. The global catalog can also be used to allow users to log on via universal group memberships. A global catalog also contains the access permissions for each object and attribute meaning that only users with the permission to view the object they are searching for will see that object in the result set. A global catalog doesn't have anything to do with the number of objects that can be stored in the Active Directory and doesn't specifically prevent or allow switching between domain modes.
61. As the administrator of your company's single domain model you are interested in dividing the Operations Master roles amongst the four domain controllers in your domain. What is the recommended method to do this? A. Use NTDSUTIL to seize the roles from one domain controller to another. B. Use Active Directory Sites and Services to transfer the roles from one domain controller to another. C. Use Active Directory Users and Computers to transfer the roles from one domain controller to another. D. Use NTDSUTIL to transfer the roles from one domain controller to another.
62. You and another administrator are adding users to your organization's single domain on two different domain controllers. A third administrator changes a password of a domain user account. During the next replication cycle, how will the password change replicate between domain controllers? A. The entire user object and all properties will be replicated between domain controllers. B. The entire object and all properties will be replicated to the domain controller's replication partners. C. The object's password property will be replicated between domain controllers. D. The object's password property will be replicated to the domain controller's replication partners.
61. As the administrator of your company's single domain model you are interested in dividing the Operations Master roles amongst the four domain controllers in your domain. What is the recommended method to do this? A. Use NTDSUTIL to seize the roles from one domain controller to another. B. Use Active Directory Sites and Services to transfer the roles from one domain controller to another. *C. Use Active Directory Users and Computers to transfer the roles from one domain controller to another. D. Use NTDSUTIL to transfer the roles from one domain controller to another. Explanation: Active Directory Users and Computers should be used to transfer the roles amongst the domain controllers. Seizing the roles is only recommended when the domain controller that has the role has crashed and is unrecoverable. NTDSUTIL is the utility used to seize but not transfer the operations master roles.
62. You and another administrator are adding users to your organization's single domain on two different domain controllers. A third administrator changes a password of a domain user account. During the next replication cycle, how will the password change replicate between domain controllers? A. The entire user object and all properties will be replicated between domain controllers. B. The entire object and all properties will be replicated to the domain controller's replication partners. C. The object's password property will be replicated between domain controllers. *D. The object's password property will be replicated to the domain controller's replication partners. Explanation: Replication occurs at the attribute level in Windows 2000, so only the password change itself would be replicated, not all the properties of the object. The attribute will be replicated to the domain controller's replication partners, not all domain controllers.
63. As the administrator of your company's Windows 2000 domain you are required to import all of the users and groups from another LDAP compliant directory. What tool will you use to do this? A. LDIFDE B. Active Directory Users and Computers C. CSVDE D. NTDSUTIL
64. You are the administrator of your organization's newly migrated Windows 2000 network. The network currently consists of both Windows NT domain controllers and Windows 2000 domain controllers. Your users and groups have been successfully migrated to the Users container. During the migration, you decided that some reengineering of your organization's existing groups was in order to take advantage of some of the new features of Windows 2000. As you begin to make some changes to the groups, you find that you are unable to nest global groups within other global groups. What is preventing you from doing this? A. You must be a member of the enterprise administrators group to nest groups. B. Nesting of groups is a special right that must be assigned to a user to allow them to perform that task. C. The domain must be in native mode to nest groups. D. Group nesting must be performed at the global catalog server, not just any domain controller.
63. As the administrator of your company's Windows 2000 domain you are required to import all of the users and groups from another LDAP compliant directory. What tool will you use to do this? *A. LDIFDE B. Active Directory Users and Computers C. CSVDE D. NTDSUTIL Explanation: LDIFDE is a command line utility that can be used to import and export directory information. Neither Active Directory Users and Computers nor NTDSUTIL can be used to import from another LDAP compliant directory. CSVDE is used to import or export data from comma-separated value (CSV) formatted files like those used in Excel.
64. You are the administrator of your organization's newly migrated Windows 2000 network. The network currently consists of both Windows NT domain controllers and Windows 2000 domain controllers. Your users and groups have been successfully migrated to the Users container. During the migration, you decided that some reengineering of your organization's existing groups was in order to take advantage of some of the new features of Windows 2000. As you begin to make some changes to the groups, you find that you are unable to nest global groups within other global groups. What is preventing you from doing this? A. You must be a member of the enterprise administrators group to nest groups. B. Nesting of groups is a special right that must be assigned to a user to allow them to perform that task. *C. The domain must be in native mode to nest groups. D. Group nesting must be performed at the global catalog server, not just any domain controller. Explanation: In order to nest groups, the domain must be in native mode, not mixed mode. You do not have to be a member of the enterprise administrators group and there is no special right to nest groups that would allow for nesting in native mode. The nesting of groups can be performed on any domain controller or even remotely with the administrative tools installed on a Windows 2000 professional computer.
65. You are one of five administrators in your organization and are part of the Windows 2000 system administration team. You originally migrated your five Windows NT 4 domains to Windows 2000 domains but have now collapsed all five into one Windows 2000 domain. When you removed the four existing domains you did not choose the option that specified that this domain controller was the last domain controller in the domain, hence the domains did not get deleted. How can you delete the domains? A. Use Active Directory Domains and Trusts to remove the domains B. Use eseutil to remove the domains C. Use ntdsutil to remove the domains D. Use Active Directory Users and Computers to remove the domains
66. You are the senior Windows 2000 system administrator in your organization and are guiding a junior administrator through the process of installing a domain controller in an existing Windows 2000 domain. What two choices will you inform the junior administrator are available? A. During the installation of Windows 2000 Server, choose the role of the computer to be a domain controller. B. After the installation of Active Directory, at the Run command, have the junior administrator type dcpromo and answer the prompts in the Wizard. C. After the installation of Active Directory, from the Administrative Tools menu, select to Configure the Computer, choose the Active Directory hyperlink, select to install and answer the prompts in the Wizard. D. From the Command Prompt, type dcpromote and answer the prompts in the Wizard.
65. You are one of five administrators in your organization and are part of the Windows 2000 system administration team. You originally migrated your five Windows NT 4 domains to Windows 2000 domains but have now collapsed all five into one Windows 2000 domain. When you removed the four existing domains you did not choose the option that specified that this domain controller was the last domain controller in the domain, hence the domains did not get deleted. How can you delete the domains? A. Use Active Directory Domains and Trusts to remove the domains B. Use eseutil to remove the domains *C. Use ntdsutil to remove the domains D. Use Active Directory Users and Computers to remove the domains Explanation: ntdsutil is a command line utility that can be used to add and remove domains. Domains cannot be removed with Active Directory Domains and Trusts or Active Directory Users and Computers. Eseutil is a command line utility that can be used to repair, check, move, compact, and dump the directory database files and is often called by ntdsutil to perform these various operations.
66. You are the senior Windows 2000 system administrator in your organization and are guiding a junior administrator through the process of installing a domain controller in an existing Windows 2000 domain. What two choices will you inform the junior administrator are available? A. During the installation of Windows 2000 Server, choose the role of the computer to be a domain controller. *B. After the installation of Active Directory, at the Run command, have the junior administrator type dcpromo and answer the prompts in the Wizard. *C. After the installation of Active Directory, from the Administrative Tools menu, select to Configure the Computer, choose the Active Directory hyperlink, select to install and answer the prompts in the Wizard. D. From the Command Prompt, type dcpromote and answer the prompts in the Wizard. Explanation: The dcpromo command and the Configure Your Server selection on the Administrative Tools menu are the two ways in which you can promote a Windows 2000 member server to be a Windows 2000 Active Directory domain controller. Unlike NT 4.0, there is no longer a choice during the installation of the operating system to choose a role for the server.
67. You are the senior Windows 2000 system administrator in your organization and are about to demote one of your original Windows 2000 domain controllers to a Windows 2000 member server. What is the correct procedure to do this? A. Log on to the domain as a user that is a member of the Enterprise Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. B. Log on to the domain as a user that is a member of the Schema Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. C. Log on to the domain as a user that is a member of the Domain Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. D. Log on to the computer as local Administrator. At the Run Command type dcpromo and answer the prompts from the wizard. E. Reinstall the operating system and choose the Domain Controller role during setup.
67. You are the senior Windows 2000 system administrator in your organization and are about to demote one of your original Windows 2000 domain controllers to a Windows 2000 member server. What is the correct procedure to do this? *A. Log on to the domain as a user that is a member of the Enterprise Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. B. Log on to the domain as a user that is a member of the Schema Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. C. Log on to the domain as a user that is a member of the Domain Admins group. At the Run Command type dcpromo and answer the prompts from the wizard. D. Log on to the computer as local Administrator. At the Run Command type dcpromo and answer the prompts from the wizard. E. Reinstall the operating system and choose the Domain Controller role during setup. Explanation: In order to demote a Windows 2000 domain controller to a member server, you must be logged on as a user that is a member of the Enterprise Admins group. The Enterprise Admins group only exists in the root domain of the Forest. Logging on locally to a domain controller is not possible except as a member of the Domain Administrators group and even in this case, the option would not be available from the logon dialog box. Reinstalling the operating system is no longer required as it was in NT 4.0 to change a domain controller to a member server or vice versa.
68. As the senior Windows 2000 administrator in your organization, you are responsible for the planning and implementation of the Active Directory site, domain and organizational unit structures. In your design, you have created a root domain named mcsejobs.net and two child domains, America and Europe. You have also created a second tree named techiejobs.com with two child domains, America and Europe. Your organization has just gone through a leveraged buyout and the name of the company is going to be changing to mcsejobs.com. How can you rename the root domain? A. Install a new domain controller in the new root domain named mcsejobs.com and then reinstall all the other domain controllers in both the root and child domains and the second tree. B. Rename the existing root domain controller first to the new root domain named mcsejobs.com. Then rename all of the other domain controllers in the root domain followed by all the domain controllers in the child domains and the second tree. C. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Next, rename the existing root domain controller to the new root domain named mcsejobs.com. Then rename all of the other domain controllers in the root domain followed by all the domain controllers in the child domains and the second tree. D. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Then demote the domain controller acting as the global catalog server in the root domain and re-promote it to the new root domain.
68. As the senior Windows 2000 administrator in your organization, you are responsible for the planning and implementation of the Active Directory site, domain and organizational unit structures. In your design, you have created a root domain named mcsejobs.net and two child domains, America and Europe. You have also created a second tree named techiejobs.com with two child domains, America and Europe. Your organization has just gone through a leveraged buyout and the name of the company is going to be changing to mcsejobs.com. How can you rename the root domain? *A. Install a new domain controller in the new root domain named mcsejobs.com and then reinstall all the other domain controllers in both the root and child domains and the second tree. B. Rename the existing root domain controller first to the new root domain named mcsejobs.com. Then rename all of the other domain controllers in the root domain followed by all the domain controllers in the child domains and the second tree. C. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Next, rename the existing root domain controller to the new root domain named mcsejobs.com. Then rename all of the other domain controllers in the root domain followed by all the domain controllers in the child domains and the second tree. D. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Then demote the domain controller acting as the global catalog server in the root domain and re-promote it to the new root domain. Explanation: If the root domain controller needs to be renamed, your entire Active Directory structure must be recreated. There is no way at this time to rename the root domain controller without reinstalling all domain controllers in your forest.
69. You are installing Active Directory on your first domain controller in your organization. The computer has five physical disks and you want to optimize the performance of the Active Directory. What is the best choice you can make during installation to optimize performance? A. Install the Active Directory database on a separate physical disk than the Winnt folder. B. Install the Active Directory database on a separate physical disk than the database log files. C. Install the Active Directory database on a separate physical disk than the Sysvol folder. D. Install the Sysvol folder on a separate physical disk than Winnt folder.
70. As the Windows 2000 system administrator for your organization, you are going over your Active Directory installation checklist before you begin your installation. Which of the following should be on your checklist for Active Directory to install correctly? (Choose three.) A. A partition or volume formatted with the NTFS file system is required for the Sysvol folder. B. A partition or volume formatted with the NTFS file system is required for the Winnt folder. C. The username and password of an account that is a member of the Enterprise Admins group. D. The username and password of an account that is a member of the Domain Admins group. E. The DNS service is installed on the computer to be promoted to a domain controller.
69. You are installing Active Directory on your first domain controller in your organization. The computer has five physical disks and you want to optimize the performance of the Active Directory. What is the best choice you can make during installation to optimize performance? A. Install the Active Directory database on a separate physical disk than the Winnt folder. *B. Install the Active Directory database on a separate physical disk than the database log files. C. Install the Active Directory database on a separate physical disk than the Sysvol folder. D. Install the Sysvol folder on a separate physical disk than Winnt folder. Explanation: Installing the Active Directory database on a separate physical disk than the database log files will improve the performance of the domain controller.
70. As the Windows 2000 system administrator for your organization, you are going over your Active Directory installation checklist before you begin your installation. Which of the following should be on your checklist for Active Directory to install correctly? (Choose three.) *A. A partition or volume formatted with the NTFS file system is required for the Sysvol folder. B. A partition or volume formatted with the NTFS file system is required for the Winnt folder. *C. The username and password of an account that is a member of the Enterprise Admins group. *D. The username and password of an account that is a member of the Domain Admins group. E. The DNS service is installed on the computer to be promoted to a domain controller. Explanation: Before you install Active Directory, you should confirm that you have access to a username and password of an account that is a member of either the Enterprise Admins or Domain Admins group and that there is an NTFS partition or volume that the Sysvol folder can be created on. It is recommended that the Winnt folder be placed on an NTFS partition but not required. A DNS server that supports SRV records must be available in the domain but does not have to be on the computer configured as a domain controller.
71. As the Windows 2000 system administrator for your organization, you are planning your Active Directory installation and want to ensure fault tolerance. How can you create a fault tolerant environment? A. Add a second domain controller to the domain. B. Add a second domain controller in a child domain and configure it as a global catalog server. C. Configure an existing domain controller in a child domain as a global catalog server. D. Configure Windows load balancing.
72. You have just installed a computer named Tordc1 and configured it as the first domain controller in the mcsejobs.net domain. You want to confirm that the Active Directory installation was successful. Where would you look for the server object that is created when a server is promoted to a domain controller? A. Look in the Domain Controllers organizational unit in the Mcsejobs.net domain with Active Directory Users and Computers. B. Look in the Server container under the Default-First-Site-Name site with Active Directory Sites and Services. C. Look in the Computers container in the Mcsejobs.net domain with Active Directory Users and Computers. D. Look in the NTDS Settings object in the Default-First-Site-Name site with Active Directory Sites and Services.
71. As the Windows 2000 system administrator for your organization, you are planning your Active Directory installation and want to ensure fault tolerance. How can you create a fault tolerant environment? *A. Add a second domain controller to the domain. B. Add a second domain controller in a child domain and configure it as a global catalog server. C. Configure an existing domain controller in a child domain as a global catalog server. D. Configure Windows load balancing. Explanation: Adding a second domain controller to the domain will create a fault-tolerant environment. Adding a second domain controller in a child domain and configuring it as a global catalog server will not create a fault tolerant environment. As a global catalog server, all forest objects will be replicated but not all attributes of the objects of the parent domain. Configuring Windows load balancing will not work with the basic Server operating system, only Windows 2000 Advanced Server.
72. You have just installed a computer named Tordc1 and configured it as the first domain controller in the mcsejobs.net domain. You want to confirm that the Active Directory installation was successful. Where would you look for the server object that is created when a server is promoted to a domain controller? *A. Look in the Domain Controllers organizational unit in the Mcsejobs.net domain with Active Directory Users and Computers. *B. Look in the Server container under the Default-First-Site-Name site with Active Directory Sites and Services. C. Look in the Computers container in the Mcsejobs.net domain with Active Directory Users and Computers. D. Look in the NTDS Settings object in the Default-First-Site-Name site with Active Directory Sites and Services. Explanation: A server object is created for each domain controller in the Default-First-Site-Name site container. You can confirm this with the Active Directory Sites and Services snap-in.
73. You are attempting to add a domain controller to an existing Windows 2000 Active Directory domain and are prompted during the promotion for a user's credentials with sufficient permissions. What is the correct combination or combinations of user credentials to choose? A. Username, password, domain name B. User Principal Name, password, domain name C. Username, password, Fully Qualified Domain Name D. User Principal Name, password, Fully Qualified Domain Name
74. As the administrator of your company's Windows 2000 domain, you have noticed some differences in how a domain controller gets added to a site. The first domain controller you installed was placed in one site, but the second domain controller you installed had a server object created in a second site. Which of the following explanations most accurately describe the reasoning behind this? (Choose two.) A. The first domain controller created in a new Active Directory domain is added to the Default-First-Site-Name site. B. Additional domain controllers are added to sites based on the domain controller's IP address. C. The first domain controller created in a new Active Directory domain is added to the site that the administrator specifies during the domain controller's installation. D. Additional domain controllers are added to sites based on the domain controller's host name.
73. You are attempting to add a domain controller to an existing Windows 2000 Active Directory domain and are prompted during the promotion for a user's credentials with sufficient permissions. What is the correct combination or combinations of user credentials to choose? *A. Username, password, domain name B. User Principal Name, password, domain name C. Username, password, Fully Qualified Domain Name D. User Principal Name, password, Fully Qualified Domain Name Explanation: The correct information to specify is a username, password and domain name. A User Principal Name is not accepted as valid credentials. Only the domain for which the username you are specifying is required, not the fully qualified domain name.
74. As the administrator of your company's Windows 2000 domain, you have noticed some differences in how a domain controller gets added to a site. The first domain controller you installed was placed in one site, but the second domain controller you installed had a server object created in a second site. Which of the following explanations most accurately describe the reasoning behind this? (Choose two.) *A. The first domain controller created in a new Active Directory domain is added to the Default-First-Site-Name site. *B. Additional domain controllers are added to sites based on the domain controller's IP address. C. The first domain controller created in a new Active Directory domain is added to the site that the administrator specifies during the domain controller's installation. D. Additional domain controllers are added to sites based on the domain controller's host name. Explanation: The first domain controller created in a new Active Directory domain is added to the Default-First-Site-Name site, which is the default site created during the installation of Active Directory. Additional domain controllers are added to sites based on their IP address. A site consists of one or more IP subnets connected by a high-speed connection. When a site is created, subnets should be associated with that site for site membership to be determined. If a site with a subnet object is found during the installation of Active Directory and the domain controller's IP address is within that subnet then the server object is created in the associated site.
75. After the promotion of a member server to a domain controller, you want to confirm that the three directory partitions have been created successfully on the new domain controller. You use ADSIEdit to look for what three partitions? (Choose three.) A. The domain directory partition B. The configuration directory partition C. The Schema directory partition D. The Site directory partition E. The Forest directory partition
76. The first domain controller in the root domain is required to have its system time synchronized with an external time source. What command would you schedule to run daily to perform this synchronization? A. net time /setsntp://server.domain.domain B. net time /set /sntp:\\server.domain.domain C. net time /sntpset:\\server.domain.domain D. net time /sntp /set://server.domain.domain
75. After the promotion of a member server to a domain controller, you want to confirm that the three directory partitions have been created successfully on the new domain controller. You use ADSIEdit to look for what three partitions? (Choose three.) *A. The domain directory partition *B. The configuration directory partition *C. The Schema directory partition D. The Site directory partition E. The Forest directory partition Explanation: The domain, configuration, and schema directory partitions are the three partitions that get created on a domain controller. The domain directory partition contains the domain objects and their attributes for a single domain. The configuration directory partition contains information about the sites, services, and domains within the forest. The schema directory partition contains class and attribute definitions for all existing and possible Active Directory objects.
76. The first domain controller in the root domain is required to have its system time synchronized with an external time source. What command would you schedule to run daily to perform this synchronization? *A. net time /setsntp://server.domain.domain B. net time /set /sntp:\\server.domain.domain C. net time /sntpset:\\server.domain.domain D. net time /sntp /set://server.domain.domain Explanation: The correct command for the time synchronization service is net time /setsntp://server.domain.domain.
77. You are one of the administrators on the Web Team at a large Internet Service Provider. The ISP is evaluating whether to install Windows 2000 Server or Advanced Server as a Web hosting platform to support the use of FrontPage Server Extensions for their clients. In the evaluation process, you have been asked to design an Active Directory logical structure that best represents the needs of the ISP. The ISP's customers are broken into two groups: residential and commercial. From an administrative standpoint there is no difference but from a marketing standpoint, different levels of service are available to the two groups. How would you design your Active Directory logical structure? A. Create a single domain and within that domain create a single organizational unit within the Users container called customers. B. Create an empty root domain and two child domains. Name the child domains residential and commercial. C. Create an empty root domain and a single child domain with two organizational units called residential and commercial. D. Create a single domain and within that domain an organizational unit named customers. Within the customers organizational unit create two other organizational units named residential and commercial.
78. Which of the following single master operations roles are forest-wide? A. RID Master B. Schema Master C. PDC Emulator D. Domain Naming Master E. Backup Domain Controller
77. You are one of the administrators on the Web Team at a large Internet Service Provider. The ISP is evaluating whether to install Windows 2000 Server or Advanced Server as a Web hosting platform to support the use of FrontPage Server Extensions for their clients. In the evaluation process, you have been asked to design an Active Directory logical structure that best represents the needs of the ISP. The ISP's customers are broken into two groups: residential and commercial. From an administrative standpoint there is no difference but from a marketing standpoint, different levels of service are available to the two groups. How would you design your Active Directory logical structure? A. Create a single domain and within that domain create a single organizational unit within the Users container called customers. B. Create an empty root domain and two child domains. Name the child domains residential and commercial. C. Create an empty root domain and a single child domain with two organizational units called residential and commercial. *D. Create a single domain and within that domain an organizational unit named customers. Within the customers organizational unit create two other organizational units named residential and commercial. Explanation: The recommended strategy for an organizational design in this case would be to create an organizational unit called customers within a single domain and two sub-OUs within that. There is no need now to differentiate the customers into different OUs but that need may arise in the future. Using a single domain is useful because it minimizes the administration required and can offer the scalability required. An OU cannot be created within the Users container, making that an invalid option. Multiple domains are also not required, eliminating those options.
78. Which of the following single master operations roles are forest-wide? A. RID Master *B. Schema Master C. PDC Emulator *D. Domain Naming Master E. Backup Domain Controller
79. You have just finished the installation of Active Directory on a member server and reboot the computer as a domain controller. You would like to verify that the SRV records were created and use nslookup to do this. Nslookup reports a time-out when you run it at the command prompt. What is causing the time-outs? A. A reverse lookup zone is not configured. B. The DNS server you are querying does not support SRV records. C. A forward lookup zone is not configured. D. The DNS server you are querying does not support dynamic update.
80. Which version of Windows 2000 includes Windows Clustering and load balancing? A. Windows 2000 Server B. Windows 2000 Advanced Server C. Windows 2000 Professional D. Windows 2000 Datacenter
79. You have just finished the installation of Active Directory on a member server and reboot the computer as a domain controller. You would like to verify that the SRV records were created and use nslookup to do this. Nslookup reports a time-out when you run it at the command prompt. What is causing the time-outs? *A. A reverse lookup zone is not configured. B. The DNS server you are querying does not support SRV records. C. A forward lookup zone is not configured. D. The DNS server you are querying does not support dynamic update. Explanation: You will receive time-outs when running nslookup if a reverse lookup zone is not configured. Nslookup generates a reverse lookup to find the host name of the DNS server based on its IP address and if a reverse lookup zone is not configured, it will report a time-out.
80. Which version of Windows 2000 includes Windows Clustering and load balancing? A. Windows 2000 Server *B. Windows 2000 Advanced Server C. Windows 2000 Professional *D. Windows 2000 Datacenter Explanation: Windows 2000 Advanced Server, designed for use in a large enterprise network, contains all the features available in Windows 2000 Server, in addition to Windows Clustering and load balancing. Windows 2000 Datacenter Server also includes these features.
81. You have successfully upgraded all of your company's Windows NT 4.0 domain controllers to Windows 2000 and would like to take advantage of all of the new features that Windows 2000 has to offer by switching domain modes. How will you switch modes? A. In Active Directory Users and Computers, right click the domain, click the change button and confirm your choice. B. In Active Directory Users and Computers, right click the domain controllers OU, click the change button, and confirm your choice. C. In Active Directory Sites and Services, right click the server object named after the domain controller, click the change button, and confirm your choice. D. In Active Directory Sites and Services, right click the domain controller's NTDS Settings object, click the change button, and confirm your choice. E. At the Run command, type change mode /native.
82. As the domain administrator you would like to grant a user, Chloe Ward, the permissions to create OUs within the Musicians OU but only that OU. What would be the recommended way to grant Chloe the permission to do this? A. Add Chloe to the Administrators group. B. Grant Chloe List and Create Child OU permissions within the domain. C. Grant Chloe List, Read, and Create Child OU permissions within the Musicians OU. D. Grant Chloe Read, and Manage Child OU permissions within the Musicians OU.
81. You have successfully upgraded all of your company's Windows NT 4.0 domain controllers to Windows 2000 and would like to take advantage of all of the new features that Windows 2000 has to offer by switching domain modes. How will you switch modes? *A. In Active Directory Users and Computers, right click the domain, click the change button and confirm your choice. B. In Active Directory Users and Computers, right click the domain controllers OU, click the change button, and confirm your choice. C. In Active Directory Sites and Services, right click the server object named after the domain controller, click the change button, and confirm your choice. D. In Active Directory Sites and Services, right click the domain controller's NTDS Settings object, click the change button, and confirm your choice. E. At the Run command, type change mode /native. Explanation: The mode of the domain can be changed from Mixed to Native mode with the Active Directory Users and Computers snap-in by right-clicking the domain and selecting the change button.
82. As the domain administrator you would like to grant a user, Chloe Ward, the permissions to create OUs within the Musicians OU but only that OU. What would be the recommended way to grant Chloe the permission to do this? A. Add Chloe to the Administrators group. B. Grant Chloe List and Create Child OU permissions within the domain. *C. Grant Chloe List, Read, and Create Child OU permissions within the Musicians OU. D. Grant Chloe Read, and Manage Child OU permissions within the Musicians OU. Explanation: To create OUs, a user must be a member of the Domain Admins or Enterprise Admins groups or have Read, and Create Child OU permissions. List permission is not required to create OUs, but without it, the user is not able to see the new Child OU after it is created.
83. You are installing the first Windows 2000 domain controller in your domain. You have upgraded your Windows NT 4.0 PDC to Windows 2000 and during the promotion to a domain controller you receive an Access Denied message. What is the most likely cause of the problem? A. You are not logged on as an Administrator. B. DNS is not configured properly to allow for authentication. C. The default permissions on the Winnt folder are preventing you from proceeding with the promotion to a domain controller. D. The partition that you have selected to install the Sysvol folder on is not formatted with the NTFS file system.
84. One of the domain controllers in your Windows 2000 domain is going to be demoted to a member server because a newer computer was brought online last week. In the demotion, what will happen to the user accounts? A. The user accounts will be deleted and only the default user accounts for the administrator and the guest will exist. B. The user accounts will be removed from the Active Directory database and created in the local computer's security account manager database. C. During the demotion you will be prompted to delete or create the user accounts as local accounts. D. All domain local groups become local groups, all global groups are deleted, and all users become local computer accounts.
83. You are installing the first Windows 2000 domain controller in your domain. You have upgraded your Windows NT 4.0 PDC to Windows 2000 and during the promotion to a domain controller you receive an Access Denied message. What is the most likely cause of the problem? *A. You are not logged on as an Administrator. B. DNS is not configured properly to allow for authentication. C. The default permissions on the Winnt folder are preventing you from proceeding with the promotion to a domain controller. D. The partition that you have selected to install the Sysvol folder on is not formatted with the NTFS file system. Explanation: You must be logged on as the Administrator to create the first domain controller in a new forest. An improperly configured DNS server would generate an error but not an Access Denied message. The Sysvol folder must also be located on a partition or volume formatted with the NTFS file system but not doing that would not generate an access denied message. The default permissions on the Winnt folder would not result in an Access Denied message.
84. One of the domain controllers in your Windows 2000 domain is going to be demoted to a member server because a newer computer was brought online last week. In the demotion, what will happen to the user accounts? *A. The user accounts will be deleted and only the default user accounts for the administrator and the guest will exist. B. The user accounts will be removed from the Active Directory database and created in the local computer's security account manager database. C. During the demotion you will be prompted to delete or create the user accounts as local accounts. D. All domain local groups become local groups, all global groups are deleted, and all users become local computer accounts. Explanation: During the demotion from a domain controller to a member server, all user accounts other than the default accounts are removed from the computer. Only the administrator and guest accounts as well as the other default local groups remain.
85. YCorp has hired you as a consultant to help install 300 Windows 2000 servers on their 25,000-node network. The company has already hired a team to study the network and an installation task list has been created. The distribution and placement of the servers have already been decided as shown in the table below:

Location | Number of servers | OS types | Number of clients
Koh Samui | 2 | Windows NT Workstation 4.0 | 30
Penang | 2 | Windows NT Server 4.0 | 30
Narita | 100 | Mix of Windows NT 4.0 Server and Windows NT 3.51 Server | 10000
Songtan | 45 | Mix of Windows NT 4.0 Workstation and Windows NT 4.0 Server | 2440
Mallersdorf | 25 | Windows 98 and Windows 95 | 1800
Utrecht | 100 | Windows NT 4.0 Server | 10000
Flagstaff | 26 | Mix of Windows NT 4.0 Server and Windows 98 | 700

Which of the following operating systems will be able to upgrade instead of requiring a fresh installation? A. Windows 95 B. Windows 98 C. Windows NT 4.0 Workstation D. Windows NT 4.0 Server E. Windows NT 3.51 Server
85. YCorp has hired you as a consultant to help install 300 Windows 2000 servers on their 25,000-node network. The company has already hired a team to study the network and an installation task list has been created. The distribution and placement of the servers have already been decided as shown in the table below:

Location | Number of servers | OS types | Number of clients
Koh Samui | 2 | Windows NT Workstation 4.0 | 30
Penang | 2 | Windows NT Server 4.0 | 30
Narita | 100 | Mix of Windows NT 4.0 Server and Windows NT 3.51 Server | 10000
Songtan | 45 | Mix of Windows NT 4.0 Workstation and Windows NT 4.0 Server | 2440
Mallersdorf | 25 | Windows 98 and Windows 95 | 1800
Utrecht | 100 | Windows NT 4.0 Server | 10000
Flagstaff | 26 | Mix of Windows NT 4.0 Server and Windows 98 | 700

Which of the following operating systems will be able to upgrade instead of requiring a fresh installation? A. Windows 95 B. Windows 98 C. Windows NT 4.0 Workstation *D. Windows NT 4.0 Server *E. Windows NT 3.51 Server Explanation: The only operating systems that can be upgraded to Windows 2000 are the existing Windows NT Servers (either 3.51 or 4.0). However, assuming that all the above computers meet the hardware standards for Windows 2000 installation, the systems that are not already installed as Windows NT Servers can be given fresh Windows 2000 installations.
Introduction

In this section we will examine Microsoft’s DNS service in Windows 2000, its configuration and optimization, and its relationship to Active Directory. DNS is used by Windows 2000 in place of the older WINS service, necessary for the discovery of servers in the enterprise. In Windows 2000, a client uses DNS to discover the location of servers during its initial access to the network, the process we used to call logon but now call authentication.

To install Active Directory, the version of DNS running in the network must support SRV (Service Resource Record) records. As their name indicates, these DNS records provide the location of services. Their format is service.protocol.name.ttl.class.SRV.priority.weight.port.target, so that a server named BFQ-1 providing telnet services would have a record something like _telnet._tcp.BFQ-Site.BFQ.msft 600 IN SRV 0 100 23 BFQ-1.BFQ.msft.

In addition to supporting SRV records, Microsoft recommends that your version of DNS support dynamic updates and incremental zone transfers. Dynamic updates allow records to be created automatically in DNS, rather than having to be created manually as was the case in traditional DNS implementations. Incremental zone transfers allow secondary DNS servers to update their zone database with only the changes made since the last update, rather than transferring the entire zone as in older DNS implementations.
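As an added illustration (not part of the original book), the following Python example parses SRV records written in the whitespace-separated form of the sample record above and orders the targets by priority and weight in the way RFC 2782 describes for clients. The `_ldap._tcp` records and the hosts BFQ-2 and BFQ-3 are constructed sample data, and the function names are this example's own.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    service: str    # e.g. "_telnet"
    protocol: str   # e.g. "_tcp"
    name: str       # domain (or site-qualified domain) the service belongs to
    ttl: int
    priority: int   # lower value is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host that provides the service


def parse_srv(line):
    """Parse one 'owner ttl class SRV priority weight port target' line."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rr_class, rr_type, priority, weight, port, target = fields
    if rr_class.upper() != "IN" or rr_type.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner must be _service._protocol.name: {owner!r}")
    try:
        ttl, priority, weight, port = (int(v) for v in (ttl, priority, weight, port))
    except ValueError:
        raise ValueError(f"non-numeric ttl/priority/weight/port: {line!r}") from None
    if ttl < 0 or not all(0 <= v <= 65535 for v in (priority, weight, port)):
        raise ValueError(f"field out of range: {line!r}")
    return SrvRecord(labels[0], labels[1], ".".join(labels[2:]), ttl,
                     priority, weight, port, target.rstrip("."))


def order_targets(records, rng=None):
    """Return records in the order a client should try them (RFC 2782)."""
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        # Zero-weight records are placed first so they win only when the draw is 0.
        pool = sorted((r for r in records if r.priority == priority),
                      key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= draw:
                    ordered.append(pool.pop(i))
                    break
    return ordered


# First line is the record quoted in the text; the _ldap lines are constructed.
SAMPLE_ZONE = """\
_telnet._tcp.BFQ-Site.BFQ.msft 600 IN SRV 0 100 23 BFQ-1.BFQ.msft.
_ldap._tcp.BFQ.msft 600 IN SRV 0 100 389 BFQ-1.BFQ.msft.
_ldap._tcp.BFQ.msft 600 IN SRV 0 0 389 BFQ-2.BFQ.msft.
_ldap._tcp.BFQ.msft 600 IN SRV 10 100 389 BFQ-3.BFQ.msft.
"""


def targets_for(zone_text, service, protocol, name, rng=None):
    """List (target, port) pairs for one service, in the order to try them."""
    records = [parse_srv(l) for l in zone_text.splitlines() if l.strip()]
    wanted = [r for r in records
              if (r.service, r.protocol, r.name.lower()) == (service, protocol, name.lower())]
    return [(r.target, r.port) for r in order_targets(wanted, rng)]


if __name__ == "__main__":
    for target, port in targets_for(SAMPLE_ZONE, "_ldap", "_tcp", "BFQ.msft"):
        print(target, port)
```

The priority 10 host is only ever returned after both priority 0 hosts, which is how a backup server is expressed in SRV data.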
Chapter 2: Using DNS With Active Directory Service
The objective of this chapter is to provide the reader with an understanding of the following:
1. Install and configure DNS for Active Directory.
2. Integrate Active Directory DNS zones with existing DNS infrastructure.
3. Configure zones for dynamic updates and secure dynamic updates.
4. Create and configure DNS records.
5. Manage, monitor, and troubleshoot DNS.
1. What two things must you do before installing DNS service on a Windows 2000 server? (Choose 2) A. Install Active Directory on the server. B. Configure the computer with a static IP address. C. Configure the computer with a DNS domain name. D. Install DHCP services on the computer.
2. What are the three types of zones supported by DNS in Windows 2000? (Choose 3) A. Primary zones B. Active Directory integrated zones C. Standard primary zones D. Secondary zones E. Standard secondary zones
1. What two things must you do before installing DNS service on a Windows 2000 server? (Choose 2) A. Install Active Directory on the server. *B. Configure the computer with a static IP address. *C. Configure the computer with a DNS domain name. D. Install DHCP services on the computer. Explanation: Before the administrator can install DNS on a Windows 2000 Server, the server must be assigned a static IP address and must be given a host name and a domain name. The DNS service install then installs the DNS server service, starts the service and installs the DNS console. Additionally, the appropriate registry entry is made for the startup of the DNS service and DNS database files are placed in the newly created folder systemroot\System32\DNS. There are two ways to install the DNS service: during the Windows 2000 installation or using Add/Remove Programs-/Add/Remove Windows Components-Networking Services. DNS must be installed prior to Active Directory.
2. What are the three types of zones supported by DNS in Windows 2000? (Choose 3) A. Primary zones *B. Active Directory integrated zones *C. Standard primary zones D. Secondary zones *E. Standard secondary zones Explanation: Before the administrator can install DNS on a Windows 2000 Server, the server must be assigned a static IP address and must be given a host name and a domain name. There are two ways to install the DNS service: during the Windows 2000 installation or using Add/Remove Programs-/Add/Remove Windows Components-Networking Services. DNS must be installed prior to Active Directory. DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication.
3. What two events can trigger a zone transfer in DNS? (Choose 2) A. The secondary server queries a master server for changes in the zone database. B. The secondary server sends a notification of a change to the master server. C. The master server queries its secondary servers for changes in the zone database. D. The master server notifies the secondary servers about a change in the zone database.
4. Where is the zone database stored for a standard primary zone in Windows 2000? A. In an Active Directory object B. In the systemroot\System32\DNS folder C. In the DNS server Active Directory object D. In the systemroot\System32\etc folder
3. What two events can trigger a zone transfer in DNS? (Choose 2) *A. The secondary server queries a master server for changes in the zone database. B. The secondary server sends a notification of a change to the master server. C. The master server queries its secondary servers for changes in the zone database. *D. The master server notifies the secondary servers about a change in the zone database. Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database.
4. Where is the zone database stored for a standard primary zone in Windows 2000? A. In an Active Directory object *B. In the systemroot\System32\DNS folder C. In the DNS server Active Directory object D. In the systemroot\System32\etc folder Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database.
5. Where is the zone database stored for an Active Directory integrated zone in Windows 2000? A. In an Active Directory object B. In the systemroot\System32\DNS folder C. In the Active Directory DNS Zone object D. In the systemroot\System32\etc folder
6. What two events occur in Dynamic DNS (DDNS)? (Choose 2) A. The client computer automatically queries DNS for a dynamic domain name. B. The DHCP client automatically updates an A resource record. C. The DHCP server obtains a domain or host name for the DHCP client. D. The DHCP server updates the PTR record in DNS.
5. Where is the zone database stored for an Active Directory integrated zone in Windows 2000? *A. In an Active Directory object B. In the systemroot\System32\DNS folder C. In the Active Directory DNS Zone object D. In the systemroot\System32\etc folder Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database.
6. What two events occur in Dynamic DNS (DDNS)? (Choose 2) A. The client computer automatically queries DNS for a dynamic domain name. *B. The DHCP client automatically updates an A resource record. C. The DHCP server obtains a domain or host name for the DHCP client. *D. The DHCP server updates the PTR record in DNS. Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS - automatically.
7. What types of zones in Windows 2000 can be configured for secure dynamic updates? A. Standard primary zone B. Standard secondary zone C. Active Directory integrated zone D. Master zone
8. What is the zone replication method that is new with Windows 2000 and allows for replication of only the changes made to the authoritative database? A. AXFR (Full-zone transfer) B. IXFR (Incremental zone transfer) C. DDNS (Dynamic DNS) D. Replication Services
7. What types of zones in Windows 2000 can be configured for secure dynamic updates? A. Standard primary zone B. Standard secondary zone *C. Active Directory integrated zone D. Master zone Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS - automatically. Secure dynamic updates can only be provided in Active Directory integrated zones.
8. What is the zone replication method that is new with Windows 2000 and allows for replication of only the changes made to the authoritative database? A. AXFR (Full-zone transfer) *B. IXFR (Incremental zone transfer) C. DDNS (Dynamic DNS) D. Replication Services Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Zone transfers may occur using AXFR, which is a full-zone transfer or IXFR (incremental zone transfer), which only replicates the changes to the secondary zone. IXFR is new in Windows 2000.
9. What are two utilities for testing the DNS service in Windows 2000? (Choose 2) A. DNS Console B. Active Directory Users and Computers C. Nslookup D. DNS Manager
9. What are two utilities for testing the DNS service in Windows 2000? (Choose 2) *A. DNS Console B. Active Directory Users and Computers *C. Nslookup D. DNS Manager Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS - automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query. DNS can be tested using either Nslookup, which supports both interactive and noninteractive modes, or the DNS console.
10. What utility is used to manage DNS on a Windows 2000 server? A. Active Directory Users and Computers B. Active Directory Servers and Services C. DNS Console D. DNS Manager
10. What utility is used to manage DNS on a Windows 2000 server? A. Active Directory Users and Computers B. Active Directory Servers and Services *C. DNS Console D. DNS Manager Explanation: Before the administrator can install DNS on a Windows 2000 Server, the server must be assigned a static IP address and must be given a host name and a domain name. There are two ways to install the DNS service: during the Windows 2000 installation or using Add/Remove Programs-/Add/Remove Windows Components-Networking Services. DNS must be installed prior to Active Directory. DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file. A standard secondary is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. When DNS is installed a shortcut is added to Administrative Tools for the DNS console.
11. What default setting of Windows 2000 computers must be changed prior to the installation of DNS?
A. Windows 2000 servers by default do not have Active Directory installed; therefore the administrator must first install AD.
B. By default, Windows 2000 servers do not install TCP/IP, but NetBEUI. The administrator must first install TCP/IP.
C. The administrator must change the default DHCP setting from Automatically Obtain an Address to a statically assigned address.
D. The administrator must enable IP forwarding, which is disabled by default in Windows 2000.
11. What default setting of Windows 2000 computers must be changed prior to the installation of DNS?
A. Windows 2000 servers by default do not have Active Directory installed; therefore the administrator must first install AD.
B. By default, Windows 2000 servers do not install TCP/IP, but NetBEUI. The administrator must first install TCP/IP.
*C. The administrator must change the default DHCP setting from Automatically Obtain an Address to a statically assigned address.
D. The administrator must enable IP forwarding, which is disabled by default in Windows 2000.
Explanation: Before the administrator can install DNS on a Windows 2000 Server, the server must be assigned a static IP address and must be given a host name and a domain name. There are two ways to install the DNS service: during the Windows 2000 installation or using Add/Remove Programs > Add/Remove Windows Components > Networking Services. DNS must be installed prior to Active Directory. DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication.
12. What resource record type in Windows 2000 enables integration of Active Directory and DNS?
A. A records
B. PTR records
C. SRV records
D. In.addr.arpa records
12. What resource record type in Windows 2000 enables integration of Active Directory and DNS?
A. A records
B. PTR records
*C. SRV records
D. In.addr.arpa records
Explanation: SRV records in DNS allow Active Directory domain controllers to be located with DNS. DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 DNS can accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query.
13. As the administrator of BFQ, Inc., you wish to convert an existing DNS standard primary zone to an Active Directory integrated zone; however, you do not have that option in the Change Zone Type dialog box. What have you failed to do properly?
A. You did not change the server's DHCP setting from dynamic to static for IP addressing.
B. You have not installed DNS on the domain controller.
C. You installed DNS, but did not specify that Active Directory integrated zones would be available.
D. You have not implemented Active Directory.
14. What is a Windows 2000 server requirement for converting a standard primary zone to an Active Directory integrated zone?
A. The server running DNS must be a domain controller.
B. The server holding the standard primary zone must be also a DHCP server.
C. The partition holding the zone file must be formatted with NTFS.
D. The server must be configured for full zone transfers.
13. As the administrator of BFQ, Inc., you wish to convert an existing DNS standard primary zone to an Active Directory integrated zone; however, you do not have that option in the Change Zone Type dialog box. What have you failed to do properly?
A. You did not change the server's DHCP setting from dynamic to static for IP addressing.
B. You have not installed DNS on the domain controller.
C. You installed DNS, but did not specify that Active Directory integrated zones would be available.
*D. You have not implemented Active Directory.
Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Standard primary zones can be converted to Active Directory integrated zones, provided that Active Directory has been installed and that the server running DNS is a domain controller.
14. What is a Windows 2000 server requirement for converting a standard primary zone to an Active Directory integrated zone?
*A. The server running DNS must be a domain controller.
B. The server holding the standard primary zone must be also a DHCP server.
C. The partition holding the zone file must be formatted with NTFS.
D. The server must be configured for full zone transfers.
Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Standard primary zones can be converted to Active Directory integrated zones, provided that Active Directory has been installed and that the server running DNS is a domain controller.
15. You are configuring DNS for dynamic updates, but the Allow Only Secure Updates choice does not appear in the Dynamic update list. What have you failed to configure correctly?
A. The server must be running DHCP.
B. The zone must be converted to an Active Directory integrated zone.
C. The zone must be a standard primary zone.
D. The DNS service must be stopped and restarted.
16. In what two modes will nslookup operate? (Choose 2)
A. Active
B. Nonactive
C. Interactive
D. noninteractive
E. Passive
15. You are configuring DNS for dynamic updates, but the Allow Only Secure Updates choice does not appear in the Dynamic update list. What have you failed to configure correctly?
A. The server must be running DHCP.
*B. The zone must be converted to an Active Directory integrated zone.
C. The zone must be a standard primary zone.
D. The DNS service must be stopped and restarted.
Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Standard primary zones can be converted to Active Directory integrated zones, provided that Active Directory has been installed and that the server running DNS is a domain controller. Once converted, the zone can then be configured for secure dynamic updates, where the server will only accept updates from authorized computers and DHCP servers.
16. In what two modes will nslookup operate? (Choose 2)
A. Active
B. Nonactive
*C. Interactive
*D. noninteractive
E. Passive
Explanation: Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 DNS can accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query. DNS can be tested using either Nslookup, which supports both interactive and noninteractive modes, or the DNS console.
17. What must be present for Nslookup to work properly in Windows 2000 DNS?
A. A PTR resource record for the DNS name server must exist in the server's database.
B. A SRV record for the DNS name server must exist in the DNS server's database.
C. An Active Directory integrated zone database must exist on the server.
D. The name server must be a domain controller.
18. What type of zone transfer does Windows NT 4.0 support?
A. AXFR (Full)
B. IXFR (Incremental)
C. AD integrated
D. DHCP synchronized
17. What must be present for Nslookup to work properly in Windows 2000 DNS?
*A. A PTR resource record for the DNS name server must exist in the server's database.
B. A SRV record for the DNS name server must exist in the DNS server's database.
C. An Active Directory integrated zone database must exist on the server.
D. The name server must be a domain controller.
Explanation: Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 DNS can accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query. DNS can be tested using either Nslookup, which supports both interactive and noninteractive modes, or the DNS console. Nslookup requires a PTR record for the DNS name server in the server's database.
18. What type of zone transfer does Windows NT 4.0 support?
*A. AXFR (Full)
B. IXFR (Incremental)
C. AD integrated
D. DHCP synchronized
Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Zone transfers may occur using AXFR, which is a full zone transfer, or IXFR (incremental zone transfer), which only replicates the changes to the secondary zone. IXFR is new in Windows 2000. Windows NT 4.0 only supports AXFR (full) zone transfers.
19. What do we call that portion of the domain namespace in Windows 2000 that is defined by resource records stored in a database file?
A. Partition
B. Replica
C. Zone
D. Domain
20. As the administrator of a Windows 2000 Active Directory domain, you are responsible for creating and maintaining both the DNS namespace and Active Directory forest design. Which of the following statements best represents the DNS requirements in a Windows 2000 Active Directory structure?
A. Each Active Directory domain requires a corresponding DNS domain.
B. Each DNS domain requires a corresponding Active Directory domain.
C. Each Active Directory domain requires a corresponding Active Directory zone.
D. Each DNS domain requires a corresponding Active Directory zone.
19. What do we call that portion of the domain namespace in Windows 2000 that is defined by resource records stored in a database file?
A. Partition
B. Replica
*C. Zone
D. Domain
Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a copy (or replica) of the master database and is read-only. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered in two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Zone transfers may occur using AXFR, which is a full zone transfer, or IXFR (incremental zone transfer), which only replicates the changes to the secondary zone. IXFR is new in Windows 2000. Windows NT 4.0 only supports AXFR (full) zone transfers.
20. As the administrator of a Windows 2000 Active Directory domain, you are responsible for creating and maintaining both the DNS namespace and Active Directory forest design. Which of the following statements best represents the DNS requirements in a Windows 2000 Active Directory structure?
*A. Each Active Directory domain requires a corresponding DNS domain.
B. Each DNS domain requires a corresponding Active Directory domain.
C. Each Active Directory domain requires a corresponding Active Directory zone.
D. Each DNS domain requires a corresponding Active Directory zone.
Explanation: Each Active Directory domain requires a corresponding DNS domain for resolution of the services and hosts within the directory structure. DNS is the primary means of resolution in Windows 2000 domains and replaces the functionality that was previously provided by WINS. An Active Directory domain is not required for each DNS domain that exists. An example of this could be a company with five registered Internet domain names but only one internal Active Directory domain name. Creating five Active Directory domains for the external Internet domain names is not necessary. There is no such thing as an Active Directory zone, so those two answers are not correct.
21. As the DNS and Windows 2000 administrator in your company, you are planning the DNS namespace. Because DNS is the primary means of resolution in Windows 2000, you are trying to remember the type of zone to create if you want to be able to resolve a host to an IP address. What type of zone would you create?
A. Forward lookup zone
B. Reverse lookup zone
C. Standard Primary zone
D. Standard Secondary zone
22. As the DNS and Windows 2000 administrator in your company, you are planning the DNS namespace. Because DNS is the primary means of resolution in Windows 2000, you are trying to remember the type of zone to create if you want to be able to resolve an IP address to a host name. What type of zone would you create?
A. Forward lookup zone
B. Reverse lookup zone
C. Standard Primary zone
D. Standard Secondary zone
E. Active Directory integrated zone
21. As the DNS and Windows 2000 administrator in your company, you are planning the DNS namespace. Because DNS is the primary means of resolution in Windows 2000, you are trying to remember the type of zone to create if you want to be able to resolve a host to an IP address. What type of zone would you create?
*A. Forward lookup zone
B. Reverse lookup zone
C. Standard Primary zone
D. Standard Secondary zone
Explanation: A forward lookup zone is used to resolve host names to IP addresses. A reverse lookup zone is used to resolve IP addresses to names. A standard primary zone is one of three types of zones that can be created; it can be either a forward or a reverse lookup zone, but the type alone does not discriminate between types of resolution. A standard secondary is also one type of zone that can be created and can be used for either forward or reverse lookup.
22. As the DNS and Windows 2000 administrator in your company, you are planning the DNS namespace. Because DNS is the primary means of resolution in Windows 2000, you are trying to remember the type of zone to create if you want to be able to resolve an IP address to a host name. What type of zone would you create?
A. Forward lookup zone
*B. Reverse lookup zone
C. Standard Primary zone
D. Standard Secondary zone
E. Active Directory integrated zone
Explanation: A reverse lookup zone would be created to resolve an IP address to a host name. A forward lookup zone is used to resolve host names to IP addresses. Standard primary, Standard secondary, and Active Directory integrated zones are the three types of zones that can be created. Each type can be configured as either a forward or reverse lookup zone, but the type does not have anything to do with resolution.
23. Your current network has a BIND 8.1.0 server and you are planning an upgrade to Windows 2000 for your NT 4 clients and servers. Which of the following strategies will support the installation of Active Directory? (Choose three)
A. Upgrade your BIND server to 8.1.2 or higher.
B. Install a Windows 2000 server as standard primary DNS server to replace your BIND server.
C. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard primary DNS server to support Active Directory.
D. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard secondary DNS server to support Active Directory.
E. Install a Windows 2000 server as standard secondary DNS server to replace your BIND server.
23. Your current network has a BIND 8.1.0 server and you are planning an upgrade to Windows 2000 for your NT 4 clients and servers. Which of the following strategies will support the installation of Active Directory? (Choose three)
*A. Upgrade your BIND server to 8.1.2 or higher.
*B. Install a Windows 2000 server as standard primary DNS server to replace your BIND server.
*C. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard primary DNS server to support Active Directory.
D. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard secondary DNS server to support Active Directory.
E. Install a Windows 2000 server as standard secondary DNS server to replace your BIND server.
Explanation: Upgrading your BIND server to BIND 8.1.2 or higher is one solution to get Active Directory installed. Another solution is to install a Windows 2000 server as a standard primary to replace the BIND server. A third solution is to create a zone on the BIND server and delegate authority to a Windows 2000 server configured as a standard primary DNS server. Configuring Windows 2000 as a standard secondary DNS server first requires a standard primary, making this an invalid option.
24. As the administrator responsible for upgrading all of your current Windows NT domain controllers to Windows 2000, you must plan for resolution. Your organization currently uses a BIND implementation for resolution that supports SRV records but not dynamic update and will not permit you to upgrade or use Windows 2000 DNS. What can you do to create the SRV records on your BIND server?
A. Print out the contents of cache.dns and manually enter the SRV records on the BIND server.
B. Print out the contents of netlogon.dns and manually enter the SRV records on the BIND server.
C. Print out the contents of the services file and manually enter the SRV records on the BIND server.
D. Print out the contents of place.dns and manually enter the SRV records on the BIND server.
24. As the administrator responsible for upgrading all of your current Windows NT domain controllers to Windows 2000, you must plan for resolution. Your organization currently uses a BIND implementation for resolution that supports SRV records but not dynamic update and will not permit you to upgrade or use Windows 2000 DNS. What can you do to create the SRV records on your BIND server?
A. Print out the contents of cache.dns and manually enter the SRV records on the BIND server.
*B. Print out the contents of netlogon.dns and manually enter the SRV records on the BIND server.
C. Print out the contents of the services file and manually enter the SRV records on the BIND server.
D. Print out the contents of place.dns and manually enter the SRV records on the BIND server.
Explanation: The Netlogon.dns file is found in the path %windir%\system32\config and contains all the required SRV entries; it can be used to manually enter the records on a BIND server that does not support dynamic update. The cache.dns file contains all the default root servers but not SRV records. The services file contains a listing of services and the service ports used by specific services.
25. You are the DNS administrator for your company. You are trying to identify which port the global catalog service is listening on. When you open the DNS snap-in, you see the following service record:
_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com.
Based on the service record, which port is the global catalog listening on?
A. TCP port 600
B. TCP port 100
C. TCP port 3268
D. UDP port 600
E. UCP port 100
26. You are the DNS administrator in your organization and have been looking at your DNS zone file after the installation of Active Directory. One of the SRV records that you have identified is the following:
ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.mcsejobs.net
Which of the following statements accurately describe this service record?
A. Provides the global catalog service
B. Provides the ldap service
C. Uses the UDP protocol
D. Uses the TCP protocol
E. Has a FQDN of masterdc.mcsejobs.net
25. You are the DNS administrator for your company. You are trying to identify which port the global catalog service is listening on. When you open the DNS snap-in, you see the following service record:
_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com.
Based on the service record, which port is the global catalog listening on?
A. TCP port 600
B. TCP port 100
*C. TCP port 3268
D. UDP port 600
E. UCP port 100
Explanation: The global catalog listens for ldap communications on TCP port 3268. A service record is broken into the following format:
service._protocol.name ttl class SRV priority weight port target
26. You are the DNS administrator in your organization and have been looking at your DNS zone file after the installation of Active Directory. One of the SRV records that you have identified is the following:
ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.mcsejobs.net
Which of the following statements accurately describe this service record?
A. Provides the global catalog service
*B. Provides the ldap service
C. Uses the UDP protocol
*D. Uses the TCP protocol
*E. Has a FQDN of masterdc.mcsejobs.net
Explanation: The above service record provides the ldap service, using tcp in the registered domain mcsejobs.net on the computer with a fully qualified domain name of masterdc.mcsejobs.net. The service record does not use the udp protocol, nor does it provide the global catalog service. A domain controller configured as a global catalog server listens for and replies to ldap queries on tcp port 3268 but does not run a global catalog service. The correct domain name is mcsejobs.net, not masterdc.mcsejobs.net because masterdc is the host name, not a part of the domain name.
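The SRV layout given in the explanation to question 25 (service._protocol.name ttl class SRV priority weight port target), as an added Python example that is not part of the book: it parses the two records quoted in questions 25 and 26 and audits a list of records for an unexpected port or a target outside the domain. The port table, the function names and the sample lines marked as constructed are assumptions of this example.

```python
from dataclasses import dataclass

# Ports a domain controller registers for these services (assumed table).
# "gc" is the global catalog, which answers LDAP on 3268 rather than 389.
EXPECTED_PORTS = {"ldap": 389, "gc": 3268, "kerberos": 88, "kpasswd": 464}

# The two records quoted on the page, exactly as printed.
PAGE_RECORD_25 = "_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com."
PAGE_RECORD_26 = "ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.mcsejobs.net"


@dataclass(frozen=True)
class SrvRecord:
    service: str
    protocol: str
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line):
    """Parse: service._protocol.name ttl class SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rr_class, rr_type, priority, weight, port, target = fields
    if rr_class.upper() != "IN" or rr_type.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    labels = owner.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"owner lacks service and protocol labels: {owner!r}")
    # Zone files write _ldap and _tcp; the record in question 26 is printed
    # without the first underscore, so both spellings are accepted.
    service = labels[0].lstrip("_").lower()
    protocol = labels[1].lstrip("_").lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol label: {labels[1]!r}")
    ttl_n, prio_n, weight_n, port_n = (int(v) for v in (ttl, priority, weight, port))
    for label, value in (("priority", prio_n), ("weight", weight_n), ("port", port_n)):
        if not 0 <= value <= 65535:  # all three are 16-bit fields
            raise ValueError(f"{label} out of range: {value}")
    return SrvRecord(service, protocol, ".".join(labels[2:]).lower(),
                     ttl_n, prio_n, weight_n, port_n, target.lower())


def expected_port(rec):
    """Port the record should advertise, or None for an unlisted service."""
    if rec.service == "gc" or rec.name.split(".")[0] == "gc":
        return EXPECTED_PORTS["gc"]
    return EXPECTED_PORTS.get(rec.service)


def audit(lines, allowed_suffix):
    """Return one finding per record that looks wrong for this domain."""
    findings = []
    suffix = "." + allowed_suffix.strip(".").lower()
    for line in lines:
        try:
            rec = parse_srv(line)
        except ValueError as exc:
            findings.append(f"unparseable: {exc}")
            continue
        want = expected_port(rec)
        if want is not None and rec.port != want:
            findings.append(f"{rec.target}: {rec.service} on port {rec.port}, expected {want}")
        if not rec.target.rstrip(".").endswith(suffix):
            findings.append(f"{rec.target}: target outside {allowed_suffix}")
    return findings


# Constructed sample: the page's record from question 26 plus four made-up lines.
SAMPLE = [
    PAGE_RECORD_26,
    "_ldap._tcp.dc._msdcs 600 IN SRV 0 100 389 masterdc.mcsejobs.net.",
    "_kerberos._tcp.dc._msdcs 600 IN SRV 0 100 8088 masterdc.mcsejobs.net.",
    "_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 host7.example.net.",
    "_ldap._tcp.dc._msdcs 600 IN A 10.0.0.5",
]

if __name__ == "__main__":
    print(parse_srv(PAGE_RECORD_25))
    for finding in audit(SAMPLE, "mcsejobs.net"):
        print(finding)
```

Run against the SRV lines copied from netlogon.dns, the same audit gives a quick check of records entered by hand on a server that does not accept dynamic updates.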
27. As the DNS administrator in your organization's Windows 2000 domain, you are responsible for maintaining DNS. You have just made a number of changes to your Windows 2000 DNS settings in an effort to experiment with the new DNS functionality. You are interested in seeing the changes that were recorded in the zone database file from the changes you made through the GUI. Using Windows Explorer, you open %windir%\system32\dns to view the zone database file but it is not there. What change could have caused this to disappear?
A. The zone type was changed from Standard Primary to Standard Secondary.
B. The zone type was changed from Standard Secondary to Standard Primary.
C. The zone type was changed from Standard Primary to Active Directory Integrated.
D. The forward lookup zone was configured to allow dynamic updates.
27. As the DNS administrator in your organization's Windows 2000 domain, you are responsible for maintaining DNS. You have just made a number of changes to your Windows 2000 DNS settings in an effort to experiment with the new DNS functionality. You are interested in seeing the changes that were recorded in the zone database file from the changes you made through the GUI. Using Windows Explorer, you open %windir%\system32\dns to view the zone database file but it is not there. What change could have caused this to disappear?
A. The zone type was changed from Standard Primary to Standard Secondary.
B. The zone type was changed from Standard Secondary to Standard Primary.
*C. The zone type was changed from Standard Primary to Active Directory Integrated.
D. The forward lookup zone was configured to allow dynamic updates.
Explanation: When the zone type is changed to Active Directory integrated, the DNS zone file is added as an object to Active Directory and deleted from its original location in the path %windir%\system32\dns. Changing the zone type from Standard Primary to Standard Secondary or vice versa will not affect the location of the zone database file. Configuring the zone to allow dynamic updates will not affect the location of the zone database file.
28. You are the administrator of your organization's Windows NT 4 network. Your network consists of three Windows NT 4 domains that you are planning on upgrading to a single Windows 2000 domain. You are beginning the migration by upgrading the two Windows NT 4 member servers that act as DNS servers to Windows 2000. After the upgrade, you open the DNS snap-in to ensure that all your resource records were preserved and to look at the new functionality. You notice that the option to configure an Active Directory integrated zone is not available. What would cause this?
A. Active Directory must first be installed to configure the zone as Active Directory integrated.
B. You must be logged on as a member of the enterprise administrators group.
C. You must first stop and start the netlogon service.
D. An upgraded DNS service does not support configuring a zone as Active Directory integrated. The DNS service should be removed before upgrading the operating system and reinstalled after the upgrade.
28. You are the administrator of your organization's Windows NT 4 network. Your network consists of three Windows NT 4 domains that you are planning on upgrading to a single Windows 2000 domain. You are beginning the migration by upgrading the two Windows NT 4 member servers that act as DNS servers to Windows 2000. After the upgrade, you open the DNS snap-in to ensure that all your resource records were preserved and to look at the new functionality. You notice that the option to configure an Active Directory integrated zone is not available. What would cause this?
*A. Active Directory must first be installed to configure the zone as Active Directory integrated.
B. You must be logged on as a member of the enterprise administrators group.
C. You must first stop and start the netlogon service.
D. An upgraded DNS service does not support configuring a zone as Active Directory integrated. The DNS service should be removed before upgrading the operating system and reinstalled after the upgrade.
Explanation: Active Directory must first be installed to configure a zone as Active Directory integrated. As you have not yet installed Active Directory, there is no enterprise administrators group to be a member of. Stopping and starting the netlogon service is the recommended way of forcing the creation of the SRV records after Active Directory is installed, but it will not affect your ability to configure the zone as Active Directory integrated. There are no restrictions on configuring a zone on an upgraded DNS service as Active Directory integrated.
29. As one of the team members of the Windows 2000 administrative team, you are responsible for providing reasons to management why specific decisions were made. Which of the following benefits only apply to Active Directory DNS and would have influenced your decision to use Active Directory integrated DNS? (Choose two.)
A. Eliminates single point of failure
B. Allows for secure dynamic update
C. Allows zone transfers only to other Active Directory integrated zones on Windows 2000 servers running DNS
D. The zone file is stored as a text file in the path %windir%\system32\dns
30. Your organization is planning on installing Active Directory and you are working on getting the DNS configured properly before the rollout. You currently have a BIND server handling all resolution, and you have created a sub-zone named ad.mcsejobs.net on the BIND server and delegated authority of that zone to the Windows 2000 DNS server that will act as the Active Directory domain. You would like to verify that the Windows 2000 DNS server is authoritative for the newly delegated zone. Which of the following nslookup commands would provide you with that information?
A. nslookup -type=ns mscejobs.net
B. nslookup -type=auth mcsejobs.net
C. nslookup -type=ns ad.mcsejobs.net
D. nslookup -type=auth ad.mcsejobs.net
E. nslookup -type=server ad.mcsejobs.net
29. As one of the team members of the Windows 2000 administrative team, you are responsible for providing reasons to management why specific decisions were made. Which of the following benefits only apply to Active Directory DNS and would have influenced your decision to use Active Directory integrated DNS? (Choose two.)
*A. Eliminates single point of failure
*B. Allows for secure dynamic update
C. Allows zone transfers only to other Active Directory integrated zones on Windows 2000 servers running DNS
D. The zone file is stored as a text file in the path %windir%\system32\dns
Explanation: Active Directory integrated zones eliminate the single point of failure associated with a standard primary DNS server because the DNS zone file becomes an object in Active Directory and replicates with Active Directory to all domain controllers within the domain. Being an object in Active Directory also allows permissions to be set on records within zones to control which computers can update their records. Active Directory integrated DNS zones can be transferred through a zone transfer to any other DNS server, not just Windows 2000 servers running DNS.
30. Your organization is planning on installing Active Directory and you are working on getting the DNS configured properly before the rollout. You currently have a BIND server handling all resolution, and you have created a sub-zone named ad.mcsejobs.net on the BIND server and delegated authority of that zone to the Windows 2000 DNS server that will act as the Active directory domain. You would like to verify that the Windows 2000 DNS server is authoritative for the newly delegated zone. Which of the following nslookup commands would provide you with that information? A. nslookup -type=ns mscejobs.net B. nslookup -type=auth mcsejobs.net *C. nslookup -type=ns ad.mcsejobs.net D. nslookup -type=auth ad.mcsejobs.net E. nslookup -type=server ad.mcsejobs.net Explanation: The correct nslookup command is nslookup -type=ns ad.mcsejobs.net. Nslookup specifies the utility to use as nslookup. -type=ns sets the type of record to search for to name servers and ad.mcsejobs.net is the domain in which you want to search for the information.
31. You are having problems with name resolution in your Windows 2000 Active Directory domain named ad.mcsejobs.net. You want to confirm that your DNS forward lookup zone file contains all the address records of your client computers. What nslookup command would you run to see this information?
A. At the command prompt type nslookup and hit enter. Then type ls -t A ad.mcsejobs.net
B. At the command prompt type nslookup and hit enter. Then type ls -t IN ad.mcsejobs.net
C. At the command prompt type nslookup and hit enter. Then type ls -t=A ad.mcsejobs.net
D. At the command prompt type nslookup ls -t A ad.mcsejobs.net
32. You have just configured a zone on a BIND server to handle resolution for your Active Directory. The BIND server is version 8.2.2. What can you do to force the registration of the SRV records?
A. At the Command Prompt type net stop netlogon, followed by net start netlogon.
B. At the Command Prompt type net stop dnssrv, followed by net start dnssrv.
C. At the Command Prompt type ipconfig /registerdns.
D. At the Command Prompt type ipconfig /flushdns
31. You are having problems with name resolution in your Windows 2000 Active Directory domain named ad.mcsejobs.net. You want to confirm that your DNS forward lookup zone file contains all the address records of your client computers. What nslookup command would you run to see this information?
*A. At the command prompt type nslookup and hit enter. Then type ls -t A ad.mcsejobs.net
B. At the command prompt type nslookup and hit enter. Then type ls -t IN ad.mcsejobs.net
C. At the command prompt type nslookup and hit enter. Then type ls -t=A ad.mcsejobs.net
D. At the command prompt type nslookup ls -t A ad.mcsejobs.net
Explanation: To list all of the address or host records in the domain, type nslookup at the command prompt followed by enter. Then type ls to list, -t for type, and A for an Address type of record followed by the domain name of the Active Directory domain.
32. You have just configured a zone on a BIND server to handle resolution for your Active Directory. The BIND server is version 8.2.2. What can you do to force the registration of the SRV records?
*A. At the Command Prompt type net stop netlogon, followed by net start netlogon.
B. At the Command Prompt type net stop dnssrv, followed by net start dnssrv.
C. At the Command Prompt type ipconfig /registerdns.
D. At the Command Prompt type ipconfig /flushdns
Explanation: Stopping and starting the netlogon service with the net stop and net start commands is one way to force the registration of the SRV records in the DNS or BIND database.
Introduction
Group Policy in Windows 2000 allows the administrator tremendous control over user and computer configuration, as well as providing for automation of scripting and for folder redirection. This is a major feature of Windows 2000 and a feature that Microsoft has been trumpeting quite loudly. As such, you can expect this area of Windows 2000 to be tested extensively. If you are not solid on the ins and outs of Group Policy, you will not pass the test. Preliminary information about Group Policy is covered in other Windows 2000 books and/or courses. Lastly, familiarity with earlier Windows System Policy Editor and ntconfig.pol and config.pol configurations will save the reader some time in learning this very rich area of Active Directory.
Change & Configuration Management 143
Chapter 3: Configuration Management
The objective of this chapter is to provide the reader with an understanding of the following:
1. Implement and troubleshoot Group Policy.
2. Create and modify a Group Policy object (GPO).
3. Link to an existing GPO.
4. Delegate administrative control of Group Policy.
5. Configure Group Policy options.
6. Filter Group Policy settings by using security groups.
7. Modify Group Policy prioritization.
8. Manage and troubleshoot user environments by using Group Policy.
9. Install, configure, manage, and troubleshoot software by using Group Policy.
10. Manage network configuration by using Group Policy.
11. Configure Active Directory to support Remote Installation Services (RIS).
12. Configure RIS options to support remote installations.
13. Configure RIS security.
1. What are three areas in which settings can be made to establish policy for user and computer configurations? (Choose 3)
A. Administrative Templates
B. Folder Redirection
C. Taskbar Settings
D. Shell Restrictions
E. Software Installation
1. What are three areas in which settings can be made to establish policy for user and computer configurations? (Choose 3)
*A. Administrative Templates
*B. Folder Redirection
C. Taskbar Settings
D. Shell Restrictions
*E. Software Installation
Explanation: In Windows 2000 the concept of policies takes on new meaning and increased power and flexibility. The Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above.
2. Where are Group Policy settings saved in Active Directory?
A. Group Policy settings are a property of an OU object
B. Group Policy settings are a property of a group object
C. Group Policy settings are a property of a Group Policy object
D. Group Policy settings are saved as a file in My Documents on Domain Controllers
3. What two things are automatically created when you create a Group Policy object in Active Directory?
A. Universal group object
B. Group Policy container
C. Group Policy settings
D. Group Policy template
2. Where are Group Policy settings saved in Active Directory?
A. Group Policy settings are a property of an OU object
B. Group Policy settings are a property of a group object
*C. Group Policy settings are a property of a Group Policy object
D. Group Policy settings are saved as a file in My Documents on Domain Controllers
Explanation: In Windows 2000 the concept of policies takes on new meaning and increased power and flexibility. The Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above.
3. What two things are automatically created when you create a Group Policy object in Active Directory?
A. Universal group object
*B. Group Policy container
C. Group Policy settings
*D. Group Policy template
Explanation: In Windows 2000 the concept of policies takes on new meaning and increased power and flexibility. The Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above.
4. What two steps must you take to implement Group Policies in Active Directory? (Choose 2)
A. You must create a Group Policy object.
B. You must create a Group Policy template.
C. You must create a Group Policy container.
D. You must associate the Group Policy object with the appropriate container.
E. You must associate the Group Policy object with the appropriate Group Policy template.
4. What two steps must you take to implement Group Policies in Active Directory? (Choose 2)
*A. You must create a Group Policy object.
B. You must create a Group Policy template.
C. You must create a Group Policy container.
*D. You must associate the Group Policy object with the appropriate container.
E. You must associate the Group Policy object with the appropriate Group Policy template.
Explanation: The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above. To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. It is possible for multiple policies to affect a given object, so Active Directory applies policies in the order site, then domain, then OU. This gives OU-level policies precedence. This "inheritance" of policies from parent OU to child OU can be modified by setting either No Override, which will prevent a child OU from overriding a parent OU setting, or Block Inheritance, which will allow a child OU to block policies from its parent.
5. What GPO is applied last in Active Directory?
A. Site
B. Domain
C. Parent Container
D. Child Container
5. What GPO is applied last in Active Directory?
A. Site
B. Domain
C. Parent Container
*D. Child Container
Explanation: The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above. To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. It is possible for multiple policies to affect a given object, so Active Directory applies policies in the order site, then domain, then OU. This gives OU-level policies precedence. This "inheritance" of policies from parent OU to child OU can be modified by setting either No Override, which will prevent a child OU from overriding a parent OU setting, or Block Inheritance, which will allow a child OU to block policies from its parent.
6. What setting can prevent child container policies from overriding parent container policies?
A. Block Inheritance
B. No Override
C. No Inheritance
D. Block Override
6. What setting can prevent child container policies from overriding parent container policies?
A. Block Inheritance
*B. No Override
C. No Inheritance
D. Block Override
Explanation: The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above. To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. It is possible for multiple policies to affect a given object, so Active Directory applies policies in the order site, then domain, then OU. This gives OU-level policies precedence. This "inheritance" of policies from parent OU to child OU can be modified by setting either No Override, which will prevent a child OU from overriding a parent OU setting, or Block Inheritance, which will allow a child OU to block policies from its parent.
7. What are two settings in Group Policies that are not refreshed periodically by Windows 2000?
A. Administrative Templates
B. Software Installation
C. Security
D. Folder Redirection
E. Scripts
7. What are two settings in Group Policies that are not refreshed periodically by Windows 2000?
A. Administrative Templates
*B. Software Installation
C. Security
*D. Folder Redirection
E. Scripts
Explanation: Permissions in Active Directory are applied in Active Directory Users and Computers - View - Advanced Features - Properties - Security. Permissions can be set using standard permissions, which include Full Control, Read, Write, Create All Child Objects, and Delete All Child Objects. Permissions can be granted or denied, and deny takes precedence over the granting of a permission. When permissions are set in Active Directory, the administrator can decide how the permission should inherit down the AD structure. This can allow the administrator to set fewer permissions and let the inheritance process continue to grant access. Windows 2000 will periodically refresh policy settings, by default every 90 minutes, except for Software Installation and Folder Redirection, which only apply when the computer starts, or when the user logs in to the network.
8. What are the steps for applying a Group Policy in Active Directory?
A. Go to the appropriate container, right click and choose Properties - Group Policy - Properties - Security and then check the box for APPLY Group Policy.
B. Go to the appropriate Group Policy object, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
C. Go to the appropriate Group Policy container, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
D. Open Active Directory Users and Computers and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
8. What are the steps for applying a Group Policy in Active Directory?
*A. Go to the appropriate container, right click and choose Properties - Group Policy - Properties - Security and then check the box for APPLY Group Policy.
B. Go to the appropriate Group Policy object, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
C. Go to the appropriate Group Policy container, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
D. Open Active Directory Users and Computers and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
Explanation: The Group Policy object is an Active Directory object that stores the various configuration settings for specified users and computers. When you create a Group Policy object (GPO), a Group Policy container is created that stores the version and status information for the GPO, while a folder structure is created on a specified domain controller to store all of the detailed information in the five areas named above. To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. When you first create a GPO there are two sets of defaults: the Authenticated Users group will have Read and Apply Group Policy permissions and the System account and Domain Admins and Enterprise Admins will have Read, Create All Child Objects and Delete All Child Objects permissions. The actual setting of the policy occurs in the appropriate container, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.
9. What are the two main ways to modify inheritance for Group Policies?
A. Set the "No Override" option
B. Change the order in which GPOs are processed.
C. Set an Inheritance Filter option
D. Set Block Group Policy option
E. Check the "Block Policy Inheritance" option on the Group Policies tab
10. What object in Active Directory enables filtering of GPOs?
A. The associated container object
B. Security groups
C. Universal groups
D. GPO Filters
9. What are the two main ways to modify inheritance for Group Policies?
*A. Set the "No Override" option
B. Change the order in which GPOs are processed.
C. Set an Inheritance Filter option
D. Set Block Group Policy option
*E. Check the "Block Policy Inheritance" option on the Group Policies tab
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. It is possible for multiple policies to affect a given object, so Active Directory applies policies in the order site, then domain, then OU. This gives OU-level policies precedence. This "inheritance" of policies from parent OU to child OU can be modified by setting either No Override, which will prevent a child OU from overriding a parent OU setting, or Block Inheritance, which will allow a child OU to block policies from its parent. Additionally, you can modify the order in which the policies are processed by changing the order of the GPOs on the Group Policy tab.
10. What object in Active Directory enables filtering of GPOs?
A. The associated container object
*B. Security groups
C. Universal groups
D. GPO Filters
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. It is possible for multiple policies to affect a given object, so Active Directory applies policies in the order site, then domain, then OU. This gives OU-level policies precedence. This "inheritance" of policies from parent OU to child OU can be modified by setting either No Override, which will prevent a child OU from overriding a parent OU setting, or Block Inheritance, which will allow a child OU to block policies from its parent. Additionally, you can modify the order in which the policies are processed by changing the order of the GPOs on the Group Policy tab. Lastly, you can filter who is affected by a Group Policy by creating Security groups and granting them Apply Group Policy and Read permissions or removing the permissions to remove them from the policy.
11. What are the two areas of configuration displayed in the MMC when you use the Group Policy console? (Choose 2)
A. Group Policy container
B. Computer Configuration
C. User Configuration
D. Group Policy template
12. What are the three default folders named that are created below the User and Computer Configuration folders in the Group Policy console? (Choose 3)
A. Software Settings
B. Hardware Settings
C. Windows Settings
D. Administrative Settings
E. Administrative Templates
11. What are the two areas of configuration displayed in the MMC when you use the Group Policy console? (Choose 2)
A. Group Policy container
*B. Computer Configuration
*C. User Configuration
D. Group Policy template
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. Once created, GPOs can be edited either in the properties of the associated OU, or by creating a custom MMC using the Group Policy snap-in. Group Policy has two main sections, User Configuration and Computer Configuration, within each of which are folders entitled Software Settings, Windows Settings and Administrative Templates.
12. What are the three default folders named that are created below the User and Computer Configuration folders in the Group Policy console? (Choose 3)
*A. Software Settings
B. Hardware Settings
*C. Windows Settings
D. Administrative Settings
*E. Administrative Templates
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. Once created, GPOs can be edited either in the properties of the associated OU, or by creating a custom MMC using the Group Policy snap-in. Group Policy has two main sections, User Configuration and Computer Configuration, within each of which are folders entitled Software Settings, Windows Settings and Administrative Templates.
13. What Windows 2000 server does the GPO MMC point to when you are configuring Group Policies?
A. PDC
B. BDC
C. (PDC) Operations Master
D. Master Domain Controller
14. What are the three settings for policies in the Administrative Template? (Choose 3)
A. Allow
B. Deny
C. Enabled
D. Disabled
E. Not Configured
13. What Windows 2000 server does the GPO MMC point to when you are configuring Group Policies?
A. PDC
B. BDC
*C. (PDC) Operations Master
D. Master Domain Controller
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. Once created, GPOs can be edited either in the properties of the associated OU, or by creating a custom MMC using the Group Policy snap-in. Group Policy has two main sections, User Configuration and Computer Configuration, within each of which are folders entitled Software Settings, Windows Settings and Administrative Templates. While you are configuring Group Policy, the console is always pointed to the domain controller designated as the (PDC) Operations Master.
14. What are the three settings for policies in the Administrative Template? (Choose 3)
A. Allow
B. Deny
*C. Enabled
*D. Disabled
*E. Not Configured
Explanation: To implement policies using Group Policy, you must create a GPO and then associate it with a specific container so that the policies will affect all users or computers in that container and all child containers. Once created, GPOs can be edited either in the properties of the associated OU, or by creating a custom MMC using the Group Policy snap-in. Group Policy has two main sections, User Configuration and Computer Configuration, within each of which are folders entitled Software Settings, Windows Settings and Administrative Templates. Within these folders, settings are made by modifying the state of check boxes; Enabled, Disabled and Not Configured are the choices.
15. What is the last script to execute by default when Windows 2000 executes scripts from Group Policy settings?
A. Computer/Startup
B. Computer/Shutdown
C. User/Logon
D. User/Logoff
16. What are three folders that can be redirected to network locations with Folder Redirection in Group Policies? (Choose 3)
A. Application Data
B. Applications
C. Program Files
D. My Documents
E. Start Menu
15. What is the last script to execute by default when Windows 2000 executes scripts from Group Policy settings?
A. Computer/Startup
*B. Computer/Shutdown
C. User/Logon
D. User/Logoff
Explanation: The Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. Scripts in Windows 2000 can be associated with users or computers, and so the last script to execute, if one exists, would be the last one listed in the corresponding Properties dialog box, generally the shutdown script.
16. What are three folders that can be redirected to network locations with Folder Redirection in Group Policies? (Choose 3)
*A. Application Data
B. Applications
C. Program Files
*D. My Documents
*E. Start Menu
Explanation: The Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. Folder Redirection allows for the redirection of Application Data, Desktop, My Documents, My Pictures and Start Menu.
17. What are three guidelines for the implementation of Group Policies in Windows 2000 networks? (Choose 3)
A. Create one Group Policy object for all users in your network to simplify management.
B. Disable the unused portion of a GPO.
C. Limit the number of GPOs that affect a given user or computer.
D. Do not create separate GPOs for each domain.
E. Group related settings in the same GPO rather than in separate GPOs.
18. What are two technologies included in Windows 2000 to help deploy and manage software throughout a company? (Choose 2)
A. ZAK
B. Windows Installer
C. Installation Wizard
D. Software Installation and Maintenance
17. What are three guidelines for the implementation of Group Policies in Windows 2000 networks? (Choose 3)
A. Create one Group Policy object for all users in your network to simplify management.
*B. Disable the unused portion of a GPO.
*C. Limit the number of GPOs that affect a given user or computer.
D. Do not create separate GPOs for each domain.
*E. Group related settings in the same GPO rather than in separate GPOs.
Explanation: Microsoft details a number of guidelines for the implementation of Group Policy in Windows 2000. They suggest that you limit the use of Block Inheritance and No Override, limit the number of GPOs, disable the unused portion of a GPO, group related settings in a single GPO, and altogether consider the impact on your network traffic and logon performance by the creation of GPOs.
18. What are two technologies included in Windows 2000 to help deploy and manage software throughout a company? (Choose 2)
A. ZAK
*B. Windows Installer
C. Installation Wizard
*D. Software Installation and Maintenance
Explanation: Windows 2000 includes two technologies for deploying and managing software throughout an organization: Windows Installer and the Software Installation and Maintenance technology. Windows Installer replaces the old standby SETUP.EXE with the Windows Installer package or .msi file. This technology provides for optional features of software being visible in the user interface, but only installed if used, thereby saving storage space and simplifying installation. Additionally, Windows Installer can replace missing files automatically, and the uninstall process is improved. Windows 2000 Software Installation and Maintenance technology allows for software deployment and management to be integrated with Active Directory and Group Policy. Working in coordination with Windows Installer packages, this technology allows for association of Group Policy objects with .msi packages. Thus, software deployment and maintenance can be automated through Active Directory.
19. What Windows 2000 technology allows for the automatic install or update of applications upon startup or logon?
A. Windows Installer
B. ZAK
C. Software Installation and Maintenance
D. Windows 2000 Installation Wizard
20. What are the four stages of the software life cycle? (Choose 4)
A. Preparation
B. Installation
C. Deployment
D. Maintenance
E. Removal
19. What Windows 2000 technology allows for the automatic install or update of applications upon startup or logon?
A. Windows Installer
B. ZAK
*C. Software Installation and Maintenance
D. Windows 2000 Installation Wizard
Explanation: Windows 2000 includes two technologies for deploying and managing software throughout an organization: Windows Installer and the Software Installation and Maintenance technology. Windows Installer replaces the old standby SETUP.EXE with the Windows Installer package or .msi file. This technology provides for optional features of software being visible in the user interface, but only installed if used, thereby saving storage space and simplifying installation. Additionally, Windows Installer can replace missing files automatically, and the uninstall process is improved. Windows 2000 Software Installation and Maintenance technology allows for software deployment and management to be integrated with Active Directory and Group Policy. Working in coordination with Windows Installer packages, this technology allows for association of Group Policy objects with .msi packages. Thus, software deployment and maintenance can be automated through Active Directory.
20. What are the four stages of the software life cycle? (Choose 4)
*A. Preparation
B. Installation
*C. Deployment
*D. Maintenance
*E. Removal
Explanation: The four phases of the software life cycle are Preparation, Deployment, Maintenance and Removal. The Preparation phase in Windows 2000 involves securing a Windows Installer package (.msi) for the application, and/or modifying the file for deployment. The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. The Maintenance phase involves the delivery of service packs or upgrades, and the Removal phase involves either a forced removal, where the software is automatically removed, or optional removal, where the software is not uninstalled and new users cannot install the software.
21. What are three of the steps for deploying software using the Software Installation and Maintenance technology in Windows 2000? (Choose 3)
A. Visit each workstation and take an inventory of software.
B. Create or acquire an .msi file and the related files for the application.
C. Place the .msi file and associated files on a shared folder.
D. Associate the shared folder with the appropriate OU.
E. Create or modify a GPO to facilitate delivery.
22. How would you deliver a software package using the Software Installation and Maintenance technology for a department if the software was a primary tool for the department users?
A. Create a GPO and publish the software to the users.
B. Create a GPO and assign the software to the users.
C. Create a GPO but do not advertise the software.
D. Create a GPO and publish it to the computers in that department.
21. What are three of the steps for deploying software using the Software Installation and Maintenance technology in Windows 2000? (Choose 3) A. Visit each workstation and take an inventory of software. *B. Create or acquire an .msi file and the related files for the application. *C. Place the .msi file and associated files on a shared folder. D. Associate the shared folder with the appropriate OU. *E. Create or modify a GPO to facilitate delivery. Explanation: The deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software.
22. How would you deliver a software package using the Software Installation and Maintenance technology for a department if the software was a primary tool for the department users? A. Create a GPO and publish the software to the users. *B. Create a GPO and assign the software to the users. C. Create a GPO but do not advertise the software. D. Create a GPO and publish it to the computers in that department. Explanation: The deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
23. You have a department with users who time-share the computers. What is the best way to deploy software using Software Installation and Maintenance technology so that the software will be available for all users? A. Create a GPO and assign the software to the users. B. Create a GPO and publish the software to the users. C. Create a GPO and assign the software to the computers. D. Create a GPO and force install the software on the computers using the Force Run option.
24. When a software package is published using Software Installation and Maintenance, how can a user then install the software? A. The user can install the software by double-clicking on the icon. B. The user can use Add/Remove Programs in Control Panel to install the software. C. The user can install the software by simply double-clicking on a file associated with the software. D. The user cannot install the software, it will only run remotely.
23. You have a department with users who time-share the computers. What is the best way to deploy software using Software Installation and Maintenance technology so that the software will be available for all users? A. Create a GPO and assign the software to the users. B. Create a GPO and publish the software to the users. *C. Create a GPO and assign the software to the computers. D. Create a GPO and force install the software on the computers using the Force Run option. Explanation: The deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
24. When a software package is published using Software Installation and Maintenance, how can a user then install the software? A. The user can install the software by double-clicking on the icon. *B. The user can use Add/Remove Programs in Control Panel to install the software. C. The user can install the software by simply double-clicking on a file associated with the software. D. The user cannot install the software, it will only run remotely. Explanation: The deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
25. What are two differences between assigning and publishing software using Software Installation and Maintenance technology in Windows 2000? (Choose 2) A. Published software is not advertised. B. Assigned software is not advertised. C. Software cannot be published to computers. D. Software cannot be published to users.
25. What are two differences between assigning and publishing software using Software Installation and Maintenance technology in Windows 2000? (Choose 2) *A. Published software is not advertised. B. Assigned software is not advertised. *C. Software cannot be published to computers. D. Software cannot be published to users. Explanation: The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon. Publishing software can only be done through users, not through computers, while assigning can be done through either.
26. What can an administrator use to publish applications when a Windows Installer package is not available? A. A Group Policy Object B. A .zap file C. An .msi file D. An Administrative Template
26. What can an administrator use to publish applications when a Windows Installer package is not available? A. A Group Policy Object *B. A .zap file C. An .msi file D. An Administrative Template Explanation: The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation.
27. What are three limitations when using a .zap file to publish non-Windows Installer applications? (Choose 3) A. The applications cannot be assigned. B. These applications do not show up in Add/Remove Programs in Control Panel. C. These applications do not auto-repair when files have been deleted or damaged. D. These applications generally cannot support user customization during the installation. E. These programs seldom will support an unattended install.
27. What are three limitations when using a .zap file to publish non-Windows Installer applications? (Choose 3) *A. The applications cannot be assigned. B. These applications do not show up in Add/Remove Programs in Control Panel. *C. These applications do not auto-repair when files have been deleted or damaged. D. These applications generally cannot support user customization during the installation. *E. These programs seldom will support an unattended install. Explanation: The deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation.
28. If a previous version of an application has been installed, what happens during logon when the administrator has configured a mandatory upgrade in Software Installation and Maintenance? A. The software upgrade will proceed automatically. B. The users will be prompted to upgrade the software at the time of logon. C. The user will not be allowed to logon until the mandatory upgrade has been completed. D. Nothing
28. If a previous version of an application has been installed, what happens during logon when the administrator has configured a mandatory upgrade in Software Installation and Maintenance? A. The software upgrade will proceed automatically. B. The users will be prompted to upgrade the software at the time of logon. C. The user will not be allowed to logon until the mandatory upgrade has been completed. *D. Nothing Explanation: The four phases of the software life cycle are preparation, deployment, maintenance and removal. The preparation phase in Windows 2000 involves securing a Windows Installer package (.msi) for the application, and/or modifying the file for deployment. The Maintenance phase involves the delivery of service packs or upgrades. Upgrades can be deployed as optional or mandatory. Mandatory upgrades are used to discontinue the use of a previous version of software and force all users to the new version. This is done in the GPO for the new software, specifying the original version and checking Required Upgrade for Existing Packages. The next time the user launches the original software, the upgrade will proceed. Optional upgrades follow the same process; however, the administrator clears the Required Upgrade for Existing Packages box.
29. What method is most effective in deploying a new service pack or software patch in Software Installation and Maintenance? A. Mandatory Upgrade B. Optional Upgrade C. Redeploy Application D. Reinstall Application
30. What method would you use to uninstall applications from computers in your Windows 2000 network? A. Forced Removal B. Optional Removal C. Forced Uninstall D. Optional Uninstall
29. What method is most effective in deploying a new service pack or software patch in Software Installation and Maintenance? A. Mandatory Upgrade B. Optional Upgrade *C. Redeploy Application D. Reinstall Application Explanation: The four phases of the software life cycle are Preparation, Deployment, Maintenance and Removal. The Maintenance phase involves the delivery of service packs or upgrades, and the Removal phase involves either a forced removal, where the software is automatically removed, or optional removal, where the software is not uninstalled and new users cannot install the software. Upgrades can be deployed as optional or mandatory. Mandatory upgrades are used to discontinue the use of a previous version of software and force all users to the new version. This is done in the GPO for the new software, specifying the original version and checking Required Upgrade for Existing Packages. The next time the user launches the original software, the upgrade will proceed. Optional upgrades follow the same process; however, the administrator clears the Required Upgrade for Existing Packages box. The Maintenance phase of software often involves applying a service pack to the software. The service pack is placed in the same folder with the original .msi and the original GPO is modified by checking the Redeploy Application box. The service pack will then be applied in the same manner as the original application.
30. What method would you use to uninstall applications from computers in your Windows 2000 network? *A. Forced Removal B. Optional Removal C. Forced Uninstall D. Optional Uninstall Explanation: The four phases of the software life cycle are Preparation, Deployment, Maintenance and Removal. The Removal phase involves either a forced removal, where the software is automatically removed, or optional removal, where the software is not uninstalled and new users cannot install the software. Forced removal causes the software to be automatically uninstalled, and the software cannot be reinstalled. Optional removal allows the users to continue to use the software, but does not allow any new installs. Once deleted manually, the application cannot be reinstalled.
31. What are three capabilities that administrators have when using Software Installation to manage software on their Windows 2000 network? (Choose 3) A. The ability to associate file extensions with applications B. Creating categories of software to prevent users from installing too many applications. C. The ability to assign to computers based on operating system, for example, Windows 95/98, NT 4.0, 2000. D. The ability to prevent application installation being invoked through associated documents.
31. What are three capabilities that administrators have when using Software Installation to manage software on their Windows 2000 network? (Choose 3) *A. The ability to associate file extensions with applications *B. Creating categories of software to prevent users from installing too many applications. C. The ability to assign to computers based on operating system, for example, Windows 95/98, NT 4.0, 2000. *D. The ability to prevent application installation being invoked through associated documents. Explanation: Windows 2000 includes two technologies for deploying and managing software throughout an organization: Windows Installer and the Software Installation and Maintenance technology. Windows 2000 Software Installation and Maintenance technology allows for software deployment and management to be integrated with Active Directory and Group Policy. Working in coordination with Windows Installer packages, this technology allows for association of Group Policy objects with .msi packages. Thus, software deployment and maintenance can be automated through Active Directory. Additionally, administrators can associate file extensions with programs in Software Installation, prevent installation through document invocation, control what programs are listed in Add/Remove Programs, categorize programs in Add/Remove Programs and have a program automatically uninstall when a GPO no longer applies to a user.
32. What are three of the deployment options for an application using Windows 2000 Software Installation and Maintenance? (Choose 3) A. Enable/Disable Auto-install B. Force Run Yes/No C. Choice of the Deployment Type D. Choice of the Installation User Interface
32. What are three of the deployment options for an application using Windows 2000 Software Installation and Maintenance? (Choose 3) *A. Enable/Disable Auto-install B. Force Run Yes/No *C. Choice of the Deployment Type *D. Choice of the Installation User Interface Explanation: Windows 2000 includes two technologies for deploying and managing software throughout an organization: Windows Installer and the Software Installation and Maintenance technology. Windows 2000 Software Installation and Maintenance technology allows for software deployment and management to be integrated with Active Directory and Group Policy. Working in coordination with Windows Installer packages, this technology allows for association of Group Policy objects with .msi packages. Thus, software deployment and maintenance can be automated through Active Directory. Additionally, administrators can associate file extensions with programs in Software Installation, prevent installation through document invocation, control what programs are listed in Add/Remove Programs, categorize programs in Add/Remove Programs and have a program automatically uninstall when a GPO no longer applies to a user. Within the GPO the administrator can set options on the Deployment tab of the package including changing deployment type from assigned to published (or vice versa), setting auto-install upon document activation, causing an uninstall when the GPO is no longer associated, not allowing the application to be listed in Add/Remove Programs and choosing the user interface during installation.
33. As the administrator of BFQ, Inc., you have deployed an application using Windows 2000 Software Installation. What are two things that you can do to troubleshoot if the deployment does not go as planned? (Choose 2) A. Delete the Group Policy objects and recreate them. B. Check to see that the application shows up in Add/Remove Programs. C. Look for an icon on the user desktop. D. Look for Group Policy conflicts.
34. In a typical software life cycle, what are the four primary tasks for software management? (Choose 4) A. Acquire software B. Test software C. Deploy Software D. Maintain software E. Remove software
33. As the administrator of BFQ, Inc., you have deployed an application using Windows 2000 Software Installation. What are two things that you can do to troubleshoot if the deployment does not go as planned? (Choose 2) A. Delete the Group Policy objects and recreate them. *B. Check to see that the application shows up in Add/Remove Programs. C. Look for an icon on the user desktop. *D. Look for Group Policy conflicts. Explanation: Windows 2000 includes two technologies for deploying and managing software throughout an organization: Windows Installer and the Software Installation and Maintenance technology. Windows 2000 Software Installation and Maintenance technology allows for software deployment and management to be integrated with Active Directory and Group Policy. While this technology can streamline software issues, troubleshooting can be troublesome. There are three things that can be checked if software deployment is not proceeding as expected. First, verify that the application appears in Add/Remove Programs to determine whether the software was assigned or published. Secondly, verify that the user has access to the server hosting the software distribution - that is, is the server available for anyone? Lastly, look for potential conflicts with GPOs.
34. In a typical software life cycle, what are the four primary tasks for software management? (Choose 4) *A. Acquire software B. Test software *C. Deploy Software *D. Maintain software *E. Remove software Explanation: The four primary tasks for software maintenance are: Acquisition, Deployment, Maintenance, and Removal. The Acquisition phase in Windows 2000 involves securing a Windows Installer package (.msi) for the application, and/or modifying the file for deployment, or creating a .zap file for deployment. The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. The Maintenance phase involves the delivery of service packs or upgrades, and the Removal phase involves either a forced removal, where the software is automatically removed, or optional removal, where the software is not uninstalled and new users cannot install the software.
35. What are three types of files that can be used with Group Policy to deploy applications? (Choose 3) A. .sif files B. Native Windows Installer packages (.msi files) C. .zip files D. Repackaged applications (.msi files) E. .zap files
36. What are two disadvantages of using repackaged application files (.msi) for application deployment with Group Policies? (Choose 2) A. Repackaged applications do not self-repair. B. Repackaged applications will not install features on demand. C. Repackaged applications cannot be used with an unattended install. D. Repackaged applications actually cannot be deployed with Group Policies.
35. What are three types of files that can be used with Group Policy to deploy applications? (Choose 3) A. .sif files *B. Native Windows Installer packages (.msi files) C. .zip files *D. Repackaged applications (.msi files) *E. .zap files Explanation: First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can repackage the application (creating a .msi file) or create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These .zap files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation. Repackaged (.msi) files also do not support auto-repair and do not install features on-demand.
36. What are two disadvantages of using repackaged application files (.msi) for application deployment with Group Policies? (Choose 2) *A. Repackaged applications do not self-repair. *B. Repackaged applications will not install features on demand. C. Repackaged applications cannot be used with an unattended install. D. Repackaged applications actually cannot be deployed with Group Policies. Explanation: First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can repackage the application (creating a .msi file) or create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These .zap files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation. Repackaged (.msi) files also do not support auto-repair and do not install features on-demand.
37. How does a .zap file improve the deployment process for applications that have native Windows Installer packages (.msi)? A. The .zap file provides the unattended information for the installation of the application. B. The .zap file contains instructions on how to publish the application, and is used to point to the .msi file. C. It does not, but the .zap file contains instructions on how to publish the application, which is then installed using the setup.exe for the application. D. The .zap file contains the application program code compressed so that the installation can proceed more quickly.
37. How does a .zap file improve the deployment process for applications that have native Windows Installer packages (.msi)? A. The .zap file provides the unattended information for the installation of the application. B. The .zap file contains instructions on how to publish the application, and is used to point to the .msi file. *C. It does not, but the .zap file contains instructions on how to publish the application, which is then installed using the setup.exe for the application. D. The .zap file contains the application program code compressed so that the installation can proceed more quickly. Explanation: First the administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can repackage the application (creating a .msi file) or create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These .zap files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation. Repackaged (.msi) files also do not support auto-repair and do not install features on-demand.
38. After you have acquired software and wish to deploy it using Windows 2000, what are your next two steps? (Choose 2) A. Install it on a source computer. B. Copy the software to a distribution computer. C. Create or edit an answer file for the deployment of the software. D. Create or edit a Group Policy for the deployment of the software. E. Create a CD-based image of the software for deployment.
38. After you have acquired software and wish to deploy it using Windows 2000, what are your next two steps? (Choose 2) A. Install it on a source computer. *B. Copy the software to a distribution computer. C. Create or edit an answer file for the deployment of the software. *D. Create or edit a Group Policy for the deployment of the software. E. Create a CD-based image of the software for deployment. Explanation: The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place or copy the file on a shared folder at a distribution point, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon. Publishing software can only be done through users, not through computers, while assigning can be done through either.
39. What are three options available during the configuration of deployment options in a Group Policy? (Choose 3) A. Deployment type B. Auto installs this application by file extension activation C. Auto-repair this application D. Uninstall this application when GPO no longer applies to users or computers E. Custom deployment
40. When configuring deployment options in a Group Policy, what are two choices that may be presented to a user during the installation of an application using an .msi file? (Choose 2) A. Basic B. Compact C. Custom D. Maximum
39. What are three options available during the configuration of deployment options in a Group Policy? (Choose 3) *A. Deployment type *B. Auto installs this application by file extension activation C. Auto-repair this application *D. Uninstall this application when GPO no longer applies to users or computers E. Custom deployment Explanation: The Deployment phase is centered around either assigning applications, which will advertise the application on the user desktop, or publishing applications, which will not advertise the application, but make the installation available through Add/Remove Programs. First the administrator needs to acquire the appropriate .msi file, then place or copy the file on a shared folder at a distribution point, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. In the configuration of the GPO, the administrator has five options for deployment: to specify the deployment type (assigned or published), auto install by file activation, uninstall when GPO no longer applies to users or computers, do not display in Add/Remove Programs, and setting the user interface options.
40. When configuring deployment options in a Group Policy, what are two choices that may be presented to a user during the installation of an application using an .msi file? (Choose 2) *A. Basic B. Compact C. Custom *D. Maximum Explanation: In the configuration of the GPO, the administrator has five options for deployment: to specify the deployment type (assigned or published), auto install by file activation, uninstall when GPO no longer applies to users or computers, do not display in Add/Remove Programs, and setting the user interface options. Installations involving an .msi file may support a Basic or Maximum installation; otherwise the user interface options are meaningless.
41. In planning for the deployment of an application, you have learned that the vendor does not have an .msi file, and the application cannot be repackaged. What is your next alternative for deployment of this application using Group Policies?
A. Create a CD-based image.
B. Create a RIPrep image.
C. Create a .zap file.
D. Create a GPO boot disk.
42. What two parameters are required for the creation and use of a .zap file? (Choose 2)
A. [Ext]
B. FriendlyName
C. Publisher
D. SetupCommand
E. [Application]
41. In planning for the deployment of an application, you have learned that the vendor does not have an .msi file, and the application cannot be repackaged. What is your next alternative for deployment of this application using Group Policies?
A. Create a CD-based image.
B. Create a RIPrep image.
*C. Create a .zap file.
D. Create a GPO boot disk.
Explanation: The administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If a Windows Installer package is not available, the administrator can repackage the application (creating a .msi file) or create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. These .zap files have limitations: they can only be published; they will not auto-repair software; they run the software's SETUP.EXE and often will require user input; and finally, .zap files require user rights to install the software, something users generally do not have on a Windows 2000 workstation. Repackaged (.msi) files also do not support auto-repair and do not install features on-demand.
42. What two parameters are required for the creation and use of a .zap file? (Choose 2)
A. [Ext]
*B. FriendlyName
C. Publisher
*D. SetupCommand
E. [Application]
Explanation: If a Windows Installer package is not available, the administrator can repackage the application (creating a .msi file) or create a .zap file, a text file that can be executed by Windows 2000 Software Installation and Maintenance. A .zap file is a text file and has two main sections: [Application] and [Ext]. The [Application] section contains the parameters FriendlyName, to specify a descriptive name; SetupCommand, for the UNC path to the setup.exe for installation; DisplayVersion, for the application version number; Publisher, to specify the vendor; and URL, to specify the vendor website location.
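A check of the .zap layout described above, as an added example that is not from the book: it parses a .zap file, confirms the two required [Application] parameters are present, and flags a SetupCommand that is not a UNC path. The sample files, the server and product names, and the check_zap helper are assumptions made for illustration.

```python
import configparser
import re

# The two [Application] parameters the answer key marks as required,
# keyed by the lower-cased name that configparser produces.
REQUIRED = {"friendlyname": "FriendlyName", "setupcommand": "SetupCommand"}
UNC_PATH = re.compile(r"^\\\\[^\\/]+\\[^\\/]+\\.+")  # \\server\share\...

# Constructed sample; server, share and product names are made up.
GOOD_ZAP = r'''
[Application]
FriendlyName = "Inventory Viewer"
SetupCommand = "\\distsrv01\apps\invview\setup.exe"
DisplayVersion = 2.1
Publisher = Example Software
URL = http://www.example.com

[Ext]
INV=
'''

# Constructed sample with two defects: no FriendlyName and a local path.
BAD_ZAP = r'''
[Application]
SetupCommand = "C:\installs\invview\setup.exe"
'''


def check_zap(text):
    """Return a list of problems found in .zap text (empty list means none)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable: {exc}"]
    if not parser.has_section("Application"):
        return ["missing [Application] section"]
    # Option names arrive lower-cased; drop the optional surrounding quotes.
    app = {k: v.strip().strip('"') for k, v in parser.items("Application")}
    problems = [f"required parameter missing or empty: {shown}"
                for key, shown in REQUIRED.items() if not app.get(key)]
    command = app.get("setupcommand", "")
    if command and not UNC_PATH.match(command):
        # A local path resolves on the client, not on the distribution point.
        problems.append(f"SetupCommand is not a UNC path: {command}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ZAP), ("bad", BAD_ZAP)):
        print(label, check_zap(sample) or "no problems")
```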
43. What can you create to make the published applications that appear in Add/Remove Programs easier to locate?
A. .zap files
B. Categories
C. Program groups
D. .msi files
44. What are three tasks that can be automated through Group Policies to make application deployment easier? (Choose 3)
A. Application upgrades
B. Service pack deployment
C. Menu customization
D. Software removal
43. What can you create to make the published applications that appear in Add/Remove Programs easier to locate?
A. .zap files
*B. Categories
C. Program groups
D. .msi files
Explanation: The administrator needs to acquire the appropriate .msi file, then place the file on a shared folder, create or modify a GPO, and finally configure the GPO to specify whether the software is associated with users or computers and whether to assign or publish the software. If the administrator decides to publish applications (they will then appear in Add/Remove Programs), these applications can be further organized by logically grouping them into categories in Add/Remove Programs.
44. What are three tasks that can be automated through Group Policies to make application deployment easier? (Choose 3)
*A. Application upgrades
*B. Service pack deployment
C. Menu customization
*D. Software removal
Explanation: Maintaining and removing software involves the delivery of service packs for applications, upgrades, and the eventual removal of the application. Upgrades can be deployed as optional or mandatory. Mandatory upgrades are used to discontinue the use of a previous version of software and force all users to the new version. This is done in the GPO for the new software, specifying the original version and checking Required Upgrade for Existing Packages. The next time the user launches the original software, the upgrade will proceed. Optional upgrades follow the same process; however, the administrator clears the Required Upgrade for Existing Packages box.
45. What are the two types of automatic upgrades available in Group Policy deployment? (Choose 2)
A. Automatic
B. Mandatory
C. Custom
D. Optional
46. What two tasks must you perform to deploy a service pack or software update? (Choose 2)
A. Place the service pack or software update in the same folder as the original .msi file and also place an updated .msi or an .msp file for deployment.
B. Place the service pack or software update in the same folder as the original .msi file and create a .zap file for deployment.
C. In the GPO that originally deployed the application, click Redeploy Application.
D. In the GPO that was originally used for deployment, click Service Pack or Software Update.
45. What are the two types of automatic upgrades available in Group Policy deployment? (Choose 2)
A. Automatic
*B. Mandatory
C. Custom
*D. Optional
Explanation: Maintaining and removing software involves the delivery of service packs for applications, upgrades, and the eventual removal of the application. Upgrades can be deployed as optional or mandatory. Mandatory upgrades are used to discontinue the use of a previous version of software and force all users to the new version. This is done in the GPO for the new software, specifying the original version and checking Required Upgrade for Existing Packages. The next time the user launches the original software, the upgrade will proceed. Optional upgrades follow the same process; however, the administrator needs to clear the Required Upgrade for Existing Packages box.
46. What two tasks must you perform to deploy a service pack or software update? (Choose 2)
*A. Place the service pack or software update in the same folder as the original .msi file and also place an updated .msi or an .msp file for deployment.
B. Place the service pack or software update in the same folder as the original .msi file and create a .zap file for deployment.
*C. In the GPO that originally deployed the application, click Redeploy Application.
D. In the GPO that was originally used for deployment, click Service Pack or Software Update.
Explanation: Maintaining and removing software involves the delivery of service packs for applications, upgrades, and the eventual removal of the application. The deployment of service packs requires the administrator to acquire not only the service pack, but also the new .msi or .msp file. These must be placed in the same folder as the original .msi file, and then the original GPO must be modified to Redeploy Application.
47. What are the two software removal options in software deployment using Group Policy? (Choose 2)
A. Automatic
B. Forced
C. Custom
D. Optional
48. What are three strategies for assigning or publishing software? (Choose 3)
A. Assign the application to users
B. Publish the application to users
C. Assign the application to computers
D. Publish the application to computers
47. What are the two software removal options in software deployment using Group Policy? (Choose 2)
A. Automatic
*B. Forced
C. Custom
*D. Optional
Explanation: Maintaining and removing software involves the delivery of service packs for applications, upgrades, and the eventual removal of the application. Software removal allows for a forced or optional removal. With forced, the software is automatically deleted, either the next time the user logs on or the next time the computer is turned on (depending on whether the application was assigned to the user or the computer). In optional removal, any new users or computers simply cannot install the application. It is not automatically removed, and cannot be reinstalled if it is manually removed.
48. What are three strategies for assigning or publishing software? (Choose 3)
*A. Assign the application to users
*B. Publish the application to users
*C. Assign the application to computers
D. Publish the application to computers
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
49. You want an application to always appear on a user's Start menu. What strategy will you use to accomplish this?
A. Assign the application to users
B. Assign the application to computers
C. Publish the application to users
D. Publish the application to computers
50. You do not want users to be able to remove an application from their computers. What strategy will you use to accomplish this?
A. Assign the application to users
B. Assign the application to computers
C. Publish the application to users
D. Publish the application to computers
49. You want an application to always appear on a user's Start menu. What strategy will you use to accomplish this?
*A. Assign the application to users
B. Assign the application to computers
C. Publish the application to users
D. Publish the application to computers
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
50. You do not want users to be able to remove an application from their computers. What strategy will you use to accomplish this?
A. Assign the application to users
*B. Assign the application to computers
C. Publish the application to users
D. Publish the application to computers
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon.
51. What are two strategies for applying software deployment policies in Active Directory? (Choose 2)
A. Create OUs based on software needs
B. Deploy software in the lowest level OUs
C. Create OUs based on location
D. Deploy software high in the Active Directory tree
52. What are three recommendations for optimizing the software deployment process? (Choose 3)
A. Use domain controllers for software distribution.
B. Assign applications to users rather than to computers.
C. Use member servers for software distribution.
D. Use DFS for software deployment.
E. Assign applications to computers rather than to users.
51. What are two strategies for applying software deployment policies in Active Directory? (Choose 2)
*A. Create OUs based on software needs
B. Deploy software in the lowest level OUs
C. Create OUs based on location
*D. Deploy software high in the Active Directory tree
Explanation: Microsoft recommends four strategies for deploying applications through policies in Active Directory: create OUs based on software needs for targeted applications, deploy software high in the AD tree for organization-wide applications, deploy one application for each GPO for more flexibility in maintaining applications, or deploy multiple applications with a single GPO to reduce administrative overhead.
52. What are three recommendations for optimizing the software deployment process? (Choose 3)
A. Use domain controllers for software distribution.
*B. Assign applications to users rather than to computers.
*C. Use member servers for software distribution.
*D. Use DFS for software deployment.
E. Assign applications to computers rather than to users.
Explanation: To optimize the performance of the actual deployment process, administrators can use member servers as distribution points so that domain controllers will not be burdened by the additional load, assign applications to users rather than computers so that they will not be automatically installed when the computer starts up, and use DFS (Distributed File System) to load balance the software distribution.
53. What are two strategies for deploying software across slow network links? (Choose 2)
A. Disable software installation across slow links
B. Modify slow link detection for Group Policy
C. In Deployment Properties check the Auto-install this application by file extension activation button.
D. Modify deployment options to prevent published software installation across slow links.
54. What do you check when users cannot find an assigned application on their Start menu or in Add/Remove Programs?
A. Verify that the user has logged on to the computer.
B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
D. Verify that you deployed the application by using a UNC path rather than a local path.
E. Check for a lower-level GPO with its Block Policy Inheritance option set.
53. What are two strategies for deploying software across slow network links? (Choose 2)
A. Disable software installation across slow links
*B. Modify slow link detection for Group Policy
C. In Deployment Properties check the Auto-install this application by file extension activation button.
*D. Modify deployment options to prevent published software installation across slow links.
Explanation: Software deployment across slow WAN links can be especially troublesome. Try opening the Default Domain Policy GPO and resetting the slow link detection threshold (by default 500 Kbps). Administrators need to be aware that policies are disabled across slow links by default, and must be allowed to enable installation at remote locations. Lastly, published applications can still be installed at remote locations through Add/Remove Programs, unless the administrator sets the application to not display in Add/Remove Programs and clears the Auto-install by file extension activation box.
54. What do you check when users cannot find an assigned application on their Start menu or in Add/Remove Programs?
A. Verify that the user has logged on to the computer.
B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
D. Verify that you deployed the application by using a UNC path rather than a local path.
*E. Check for a lower-level GPO with its Block Policy Inheritance option set.
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon. If an application does not appear in Add/Remove Programs, then the administrator should check to see if a lower-level GPO has Block Policy Inheritance set.
55. What do you check when users cannot install an application that you either assigned or published to users?
A. Verify that the user has logged on to the computer.
B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
D. Verify that you deployed the application by using a UNC path rather than a local path.
E. Check for a lower-level GPO with its Block Policy Inheritance option set.
55. What do you check when users cannot install an application that you either assigned or published to users?
A. Verify that the user has logged on to the computer.
*B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
D. Verify that you deployed the application by using a UNC path rather than a local path.
E. Check for a lower-level GPO with its Block Policy Inheritance option set.
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon. If users can see the application, but cannot install it, then check their permissions to the distribution point.
56. What do you check when Windows Installer cannot locate a package when users attempt to install an application?
A. Verify that the user has logged on to the computer.
B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
D. Verify that you deployed the application by using a UNC path rather than a local path.
E. Check for a lower-level GPO with its Block Policy Inheritance option set.
56. What do you check when Windows Installer cannot locate a package when users attempt to install an application?
A. Verify that the user has logged on to the computer.
B. Verify that the users have access to the software distribution computer.
C. Make sure the appropriate .msi file is located in the application folder.
*D. Verify that you deployed the application by using a UNC path rather than a local path.
E. Check for a lower-level GPO with its Block Policy Inheritance option set.
Explanation: Deployment is centered on either assigning or publishing applications. Assigning applications to users will advertise the application on the user Start menu, while assigning applications to computers will cause the application install to start immediately upon computer startup. Publishing applications can only be done to users; it will not advertise the application but makes the installation available through Add/Remove Programs. If the use of the application is required, then you will assign the software to the computers so that the software will automatically be installed upon startup. If the software is published, it will show up on the desktop and be installed when the user double-clicks on the icon. If Windows Installer cannot locate the application package when users attempt to install, then check to see if you set the path to the .msi file using a local path or a UNC path (the correct way!).
57. What are the two main uses for Administrative Templates? (Choose 2)
A. They define the rights and permissions that Administrators have in the appropriate OU.
B. They define the user interface for the GPO console.
C. They determine the registry modifications that may be applied to anyone who uses the template.
D. They can be used to create Administrative accounts with the same properties.
57. What are the two main uses for Administrative Templates? (Choose 2)
A. They define the rights and permissions that Administrators have in the appropriate OU.
*B. They define the user interface for the GPO console.
*C. They determine the registry modifications that may be applied to anyone who uses the template.
D. They can be used to create Administrative accounts with the same properties.
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates written for Windows 2000 applications use Group Policy settings, which write to either \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies, and are automatically removed if the GPO is deleted or unlinked. Users cannot override these Group Policy settings. For applications that are not written for Windows 2000, the administrator will configure Administrative Templates using preferences. Preferences write to the registry anywhere but the two locations above. These registry modifications remain even if the GPO is unlinked or deleted and may be modified by the users.
58. What are two differences between Group Policy settings and preferences? (Choose 2)
A. Settings create registry entries that users can modify, while preferences create entries that cannot be modified.
B. Preferences create registry entries that users can modify, while settings create entries that cannot be modified.
C. Settings write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while preferences write to any registry key but these.
D. Preferences write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while settings write to any registry key but these.
58. What are two differences between Group Policy settings and preferences? (Choose 2)
A. Settings create registry entries that users can modify, while preferences create entries that cannot be modified.
*B. Preferences create registry entries that users can modify, while settings create entries that cannot be modified.
*C. Settings write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while preferences write to any registry key but these.
D. Preferences write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while settings write to any registry key but these.
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates written for Windows 2000 applications use Group Policy settings, which write to either \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies, and are automatically removed if the GPO is deleted or unlinked. Users cannot override these Group Policy settings. For applications that are not written for Windows 2000, the administrator will configure Administrative Templates using preferences. Preferences write to the registry anywhere but the two locations above. These registry modifications remain even if the GPO is unlinked or deleted and may be modified by the users.
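The settings-versus-preferences distinction above can be checked mechanically before a custom template is loaded into a GPO. The following added example (not from the book) walks a small constructed .adm template and labels each registry value it would write as a setting or a preference; the template contents, the ExampleCorp key names, the audit_adm helper and its simplified handling of the .adm syntax are assumptions.

```python
import re

# Registry subtrees the explanation above gives for true Group Policy settings;
# the second is spelled as the key appears in the registry (CurrentVersion).
POLICY_ROOTS = (
    "software\\policies",
    "software\\microsoft\\windows\\currentversion\\policies",
)
HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
SCOPES = ("CATEGORY", "POLICY", "PART")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed template; category, policy and key names are made up.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!InvCategory
  KEYNAME "Software\Policies\ExampleCorp\Inventory"
  POLICY !!LockToolbar
    PART !!LockToolbarBox CHECKBOX
      VALUENAME "LockToolbar"
    END PART
  END POLICY
  POLICY !!DefaultServer
    KEYNAME "Software\ExampleCorp\Inventory"
    PART !!ServerName EDITTEXT
      VALUENAME "Server"
    END PART
  END POLICY
END CATEGORY

[strings]
InvCategory="Inventory client"
LockToolbar="Lock the toolbar"
LockToolbarBox="Prevent toolbar changes"
DefaultServer="Default inventory server"
ServerName="Server name"
'''


def is_policy_key(keyname):
    """True if the key lies under one of the two policy subtrees."""
    key = (keyname or "").strip("\\").lower()
    return any(key == root or key.startswith(root + "\\") for root in POLICY_ROOTS)


def split_strings(text):
    """Separate the template body from its [strings] section."""
    match = re.search(r"^\[strings\][ \t]*$", text, re.I | re.M)
    if not match:
        return text, {}
    strings = {}
    for line in text[match.end():].splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            strings[name.strip().lower()] = value.strip().strip('"')
    return text[:match.start()], strings


def audit_adm(text):
    """List every VALUENAME with its hive, effective KEYNAME and kind."""
    body, strings = split_strings(text)

    def resolve(tok):  # !!name refers to an entry in [strings]
        return strings.get(tok[2:].lower(), tok) if tok.startswith("!!") else tok

    hive, scopes, findings = None, [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        tok = [m.group(2) or m.group(1) for m in TOKEN.finditer(line)]
        word, arg = tok[0].upper(), (tok[1] if len(tok) > 1 else "")
        if word == "CLASS":
            hive = HIVES.get(arg.upper())
        elif word in SCOPES and arg:
            parent = scopes[-1] if scopes else {"policy": None, "key": None}
            policy = resolve(arg) if word == "POLICY" else parent["policy"]
            scopes.append({"policy": policy, "key": parent["key"]})
        elif word == "KEYNAME" and scopes:
            scopes[-1]["key"] = arg  # overrides the inherited key
        elif word == "VALUENAME" and scopes:
            key = scopes[-1]["key"]
            kind = "setting" if is_policy_key(key) else "preference"
            findings.append({"hive": hive, "policy": scopes[-1]["policy"],
                             "key": key, "value": arg, "kind": kind})
        elif word == "END" and arg.upper() in SCOPES and scopes:
            scopes.pop()
    return findings


if __name__ == "__main__":
    for f in audit_adm(SAMPLE_ADM):
        print(f'{f["kind"]:<10} {f["hive"]}\\{f["key"]}\\{f["value"]}  ({f["policy"]})')
```

Anything reported as a preference stays in the registry after the GPO is unlinked and can be changed by the user, so it should not be relied on as an enforced control.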
59. What three things are required elements in Administrative Templates? (Choose 3)
A. Tags
B. Properties
C. Values
D. Settings
E. Controls
59. What three things are required elements in Administrative Templates? (Choose 3)
*A. Tags
B. Properties
*C. Values
D. Settings
*E. Controls
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY; KEYNAME; PART; and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.
60. What are three elements in Administrative Templates that can provide interface elements (controls) that can be manipulated in Group Policy? (Choose 3)
A. CHECKBOX
B. CLASS
C. EDITTEXT
D. CATEGORY
E. NUMERIC
60. What are three elements in Administrative Templates that can provide interface elements (controls) that can be manipulated in Group Policy? (Choose 3)
*A. CHECKBOX
B. CLASS
*C. EDITTEXT
D. CATEGORY
*E. NUMERIC
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY; KEYNAME; PART; and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.
61. What control is the recommended control for most policies when configuring Administrative Templates?
A. CHECKBOX
B. EDITTEXT
C. COMBOBOX
D. DROPDOWNLIST
61. What control is the recommended control for most policies when configuring Administrative Templates?
*A. CHECKBOX
B. EDITTEXT
C. COMBOBOX
D. DROPDOWNLIST
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY; KEYNAME; PART; and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.
62. What character(s) indicate the use of a variable in an Administrative Template string?
A. %
B. *
C. !!
D. %string%
62. What character(s) indicate the use of a variable in an Administrative Template string?
A. %
B. *
*C. !!
D. %string%
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, values are variables that might appear in the user interface or might be written to the registry, and controls define user interface elements manipulated within the Group Policy. Strings are used to define variables used within the body of the template and can be modified for templates that will be converted to other languages (French, German, etc.). Variables are indicated in the body of a template by preceding the string with !!.
63. What are the two default Administrative Templates that are added to every GPO as it is created? (Choose 2)
*A. System.adm
B. Default.adm
*C. Inetres.adm
D. Policy.adm
Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. Strings are used to define variables used within the body of the template and can be modified for templates that will be converted to other languages (French, German, etc.). Variables are indicated in the body of a template by preceding the string with !!.
64. You are the administrator of a small Windows 2000 domain that consists of 4 member servers and two domain controllers in one domain named Wazzoo.com. The company has 45 users and is growing quickly. You would like to provide the 45 users with access to an inventory database on one of the Windows 2000 member servers. What is the best way to grant all users access to the database?
*A. Create a domain local group and add the Domain Users global group to the domain local group. Grant the domain local group read and write permission to the database.
B. Create a local group on the member server and add the Domain Users global group to the local group. Grant the local group read and write permission to the database.
C. Grant read and write permission to the Domain Users global group for the database.
D. Create a global security group called dbusers and add the Domain Users global group to the dbusers group. Create a domain local group called database and add the dbusers global group as a member. Grant the dbusers group read and write permission to the database.
Explanation: Domain local groups are designed to be used to assign permissions to resources. Global groups should contain users and should be added to domain local groups to grant their members access to resources based on local group memberships.
65. What are three security settings available in Group Policy to ensure network security? (Choose 3)
*A. Account Policies
*B. Event Log
C. Application Data
*D. Registry
Explanation: Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. The Security settings extension allows the administrator to configure settings in the following areas: Account Policies, which can include password policies, account lockout policies and Kerberos v5 policies; Local Policies, for computers and mostly concerned with auditing policies, user rights, etc.; Event Log, specifying the parameters for the logs; Restricted Groups, allowing the management of built-in groups; and Registry settings.
Note: The remaining questions in this chapter cover two pages each.
66. Role: You are the administrator of the mcsejobs.net Windows 2000 network.
Company: Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth for the next five years. The company's original focus was as a Web portal that provided links to jobs for MCSEs on the Internet. It quickly grew into much more, offering job seekers valuable information about the Windows 2000 operating system.
Network: The network consists of one domain tree called mcsejobs.net and two child domains named America and Europe. Administration of the domains is centralized and located in the company's head office in Toronto, Canada. The company has offices in New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an empty root domain with only the default users and groups including the Enterprise and Schema Admins. The America domain contains all the company's North American users and groups and the Europe domain contains all the European users and groups. Each office has a RAS server named after the city it is located in. The servers' names are NYRAS, SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain controllers, one located in Toronto, one located in San Francisco, and one in New York City. The America domain has two domain controllers, one located in New York and the other in San Francisco. The Europe domain has two domain controllers as well, with one located in London and the other in Vienna. Both the American and the European offices contain the following departments: Sales, Product Support, Marketing, Human Resources, and Accounting.
Connectivity: Each office has a 128Kbps connection to the Internet and a connection to the head office via a VPN. Each office is located in its own site.
You are responsible for creating a group policy that establishes password and account policy settings for employees of mcsejobs.net. You need to ensure that the group policies are always available to users when they are logging on. Where would you create and place the group policy that contains the password and account policy settings?
A. Create one group policy in the mcsejobs.net domain.
B. Create one group policy for each domain with the same settings.
C. Create one group policy in the mcsejobs.net domain and create links from each child domain to the parent domain.
D. Create one group policy in the mcsejobs.net domain and enable the No Override option.
*E. Create one group policy with the same settings in both the America and Europe domains.
Explanation: Creating one group policy with the same settings in both America and Europe would achieve the required results and allow all users to receive the security settings. Creating one group policy for each domain with the same settings would allow all users in each domain to receive the policy, but because there are no users other than those created by default in the mcsejobs.net domain there is no need to place a policy there. Creating a single group policy in the mcsejobs.net domain would not configure any users with the security settings because no users exist in that domain. The No Override option would not have an effect in the mcsejobs.net domain because no users exist there.
67. Role: You are the administrator of the mcsejobs.net Windows 2000 network.
Company: Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth for the next five years. The company's original focus was as a web portal that provided links to jobs for MCSEs on the Internet. It quickly grew into much more, offering job seekers valuable information about the Windows 2000 operating system.
Network: The network consists of one domain tree called mcsejobs.net and two child domains named America and Europe. Administration of the domains is centralized and located in the company's head office in Toronto, Canada. The company has offices in New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an empty root domain with only the default users and groups including the Enterprise and Schema Admins. The America domain contains all the company's North American users and groups and the Europe domain contains all the European users and groups. Each office has a RAS server named after the city it is located in. The servers' names are NYRAS, SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain controllers, one located in Toronto, one located in San Francisco, and one in New York City. The America domain has two domain controllers, one located in New York and the other in San Francisco. The Europe domain has two domain controllers as well, with one located in London and the other in Vienna. Both the American and the European offices contain the following departments: Sales, Product Support, Marketing, Human Resources, and Accounting.
Connectivity: Each office has a 128Kbps connection to the Internet and a connection to the head office via a VPN. Each office is located in its own site.
You are also responsible for establishing a group policy whose settings restrict the Europe domain's sales group from having the Run command on the Start menu. How would you accomplish this?
*A. Create a group policy at the Europe domain level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Remove the Authenticated Users group from the permission list.
B. Create a group policy at the Europe domain controllers OU level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Remove the Authenticated Users group from the permission list.
C. Create a group policy at the Europe domain level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Change the permissions on the Authenticated Users group to Deny Read permission.
D. Create a group policy at the Europe domain controllers OU level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Change the permissions on the Authenticated Users group to Deny Read permission.
Explanation: For the group policy settings to only restrict the European sales group, the group policy must be set at the European domain as that is the domain the Sales users log on to. The policy must then be filtered so that it applies only to the Sales group and not all authenticated users. To accomplish this you should add the Sales group to the permission list and grant them both Read and Apply group policy permission and remove the Authenticated Users group from the permission list. Denying the Authenticated Users group read permission would result in the Sales group not having read permission either and therefore not inheriting the group policy settings. Applying the group policy at the domain controllers OU level would not result in the Sales group receiving the group policy unless the Sales group was located in the domain controllers OU, and that was not stated.
68. Role: You are the administrator of the mcsejobs.net Windows 2000 network.
Company: Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth for the next five years. The company's original focus was as a web portal that provided links to jobs for MCSEs on the Internet. It quickly grew into much more, offering job seekers valuable information about the Windows 2000 operating system.
Network: The network consists of one domain tree called mcsejobs.net and two child domains named America and Europe. Administration of the domains is centralized and located in the company's head office in Toronto, Canada. The company has offices in New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an empty root domain with only the default users and groups including the Enterprise and Schema Admins. The America domain contains all the company's North American users and groups and the Europe domain contains all the European users and groups. Each office has a RAS server named after the city it is located in. The servers' names are NYRAS, SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain controllers, one located in Toronto, one located in San Francisco, and one in New York City. The America domain has two domain controllers, one located in New York and the other in San Francisco. The Europe domain has two domain controllers as well, with one located in London and the other in Vienna. Both the American and the European offices contain the following departments: Sales, Product Support, Marketing, Human Resources, and Accounting.
Connectivity: Each office has a 128Kbps connection to the Internet and a connection to the head office via a VPN. Each office is located in its own site.
You are an administrator responsible for creating one group policy for all the computers and another group policy for all the users in the America domain. You are concerned about inheritance and want to ensure that all users receive the settings in the group policy, and that they are not overridden by the settings of another group policy. How can you ensure that the policies are effective?
A. Create one group policy for all the computers at the Computers container and create another group policy for all the users at the Users container. Enable the no override setting on both group policies.
*B. Create one group policy for all computers at the America domain level and create another group policy for all the users at the America domain level. Enable no override on both group policies.
C. Create one group policy for all the computers at the Computers container and create another group policy for all the users at the Users container. Enable the block inheritance setting on both group policies.
D. Create one group policy for all computers at the America domain level and create another group policy for all the users at the America domain level. Enable the block inheritance setting on both group policies.
Explanation: Creating two group policies, one for users and the other for computers, at the domain level and setting the no override option would ensure that all users and computers receive the settings of the group policy. Group policies cannot be set on containers, meaning that the Computers container and the Users container will not support the creation of group policies. Group policies can only be configured at the site, domain, or organizational unit level.
Introduction
Certainly no one would argue with the statement that Active Directory is the centerpiece of Windows 2000 networking. This distributed, replicated database provides a central point from which all network management can be coordinated. Maintenance of Active Directory, the optimization of Active Directory and disaster recovery for Active Directory become essential in the ongoing administration of a Windows 2000 network. In this section we will look at how to create objects in Active Directory, either manually or through the use of scripting, how to move objects, how to locate objects in Active Directory, as well as how to provide access to objects and how to delegate administration in Active Directory. We will then look at how to monitor, optimize and troubleshoot domain controllers and AD. This is a major undertaking, given the fact that Active Directory has been designed with no limitations on size, and has been designed to encompass multiple locations. Lastly we will cover disaster recovery options including recovering Active Directory from a failed domain controller.
Chapter 4: Components of Active Directory
The objective of this chapter is to provide the reader with an understanding of the following:
1. Manage Active Directory objects.
2. Move Active Directory objects.
3. Publish resources in Active Directory.
4. Locate objects in Active Directory.
5. Create and manage objects manually or by using scripting.
6. Control access to Active Directory objects.
7. Delegate administrative control of objects in Active Directory.
8. Monitor, optimize, and troubleshoot Active Directory performance and replication.
9. Back up and restore Active Directory.
10. Perform an authoritative and a nonauthoritative restore of Active Directory.
11. Recover from a system failure.
12. Seize operations master roles.
1. When creating user accounts in Active Directory, there are four names that are given. What name provides for backwards compatibility to users logging on from Windows NT 3.51 or 4.0 computers?
A. First and Last Name
B. Name
C. User Logon Name
*D. Downlevel Logon Name
Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. To create an Organizational Unit object below another OU, the user must have the Read, List Contents and Create Organizational Unit Objects permissions. Certainly, members of the Administrators group can create OUs anywhere in the forest by default. To create an OU, open Active Directory Users and Computers, then right-click the container in which you wish to create an OU, select New, and name the new OU. The most fundamental account in Active Directory is the user account, since all access to resources in the network eventually originates from this object. New user accounts are created in Active Directory Users and Computers. In creating users, there are five name properties to configure: first name and last name, generally used for searching for users; name, which AD displays as the account name and must be unique in the OU; User logon name (or user principal name, UPN), which is the logon name for the user; and downlevel logon name, which is used to log on to computers running previous versions of Windows.
2. What name given a User account must be unique within the container?
A. Last Name
*B. User Logon Name
C. First Name
D. Downlevel Logon Name
Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. To create an Organizational Unit object below another OU, the user must have the Read, List Contents and Create Organizational Unit Objects permissions. Certainly, members of the Administrators group can create OUs anywhere in the forest by default. To create an OU, open Active Directory Users and Computers, then right-click the container in which you wish to create an OU, select New, and name the new OU. The most fundamental account in Active Directory is the user account, since all access to resources in the network eventually originates from this object. New user accounts are created in Active Directory Users and Computers. In creating users, there are five name properties to configure: first name and last name, generally used for searching for users; name, which AD displays as the account name and must be unique in the OU; User logon name (or user principal name, UPN), which is the logon name for the user; and downlevel logon name, which is used to log on to computers running previous versions of Windows. The downlevel logon name must be unique within a given domain.
3. What happens to permissions when you move objects in Active Directory? (Choose 2)
A. Permissions granted directly to the object are lost and must be restored.
B. Permissions inherited from the former OU are retained.
*C. Permissions from the new OU are inherited.
*D. Permissions granted directly to the object are retained.
Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. To create an Organizational Unit object below another OU, the user must have the Read, List Contents and Create Organizational Unit Objects permissions. Certainly, members of the Administrators group can create OUs anywhere in the forest by default. Objects can be moved within Active Directory Users and Computers by simply right-clicking the object and choosing Move. You then expand the domain tree, click the destination container and choose OK. Permissions that were granted directly to the moved object remain the same and the object will inherit the permissions in effect in the new parent OU.
4. How can objects be located in Active Directory? (Choose 2)
A. Users can use Start-Find.
*B. Administrators can use Active Directory Users and Computers - Find.
C. Users can search in Explorer/Tools/Find.
D. Administrators and Users can use the Find option in Active Directory Users and Computers.

Explanation: Certainly, members of the Administrators group can create OUs anywhere in the forest by default. Objects can be moved within Active Directory Users and Computers by simply right-clicking the object and choosing Move. You then expand the domain tree, click the destination container and choose OK. Permissions that were granted directly to the moved object remain the same, and the object will inherit the permissions in effect in the new parent OU. Active Directory Users and Computers also provides a Find function on the Action menu in the main console.
5. What are the two basic group types that are now supported in Active Directory? (Choose 2)
A. Domain Local groups
B. Global groups
C. Universal groups
D. Security groups
E. Distribution groups
6. What type of group should you create in Active Directory if you want the access token used during logon to be reduced in size?
A. Local groups
B. Global groups
C. Security groups
D. Distribution groups
E. Universal groups
5. What are the two basic group types that are now supported in Active Directory? (Choose 2)
A. Domain Local groups
B. Global groups
C. Universal groups
*D. Security groups
*E. Distribution groups

Explanation: Organizational Unit objects are container objects in Active Directory, and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two basic group types: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions while Distribution groups are used for sending e-mails with e-mail applications.
6. What type of group should you create in Active Directory if you want the access token used during logon to be reduced in size?
A. Local groups
B. Global groups
C. Security groups
*D. Distribution groups
E. Universal groups

Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two basic group types: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions while Distribution groups are used for sending e-mails with e-mail applications. Because Windows 2000 creates an access token (containing the SIDs of all of the Security groups to which the user belongs) and forwards that to the user in the logon process, creating fewer Security groups and more Distribution groups can reduce the size of the token and improve the logon process.
7. What accounts can be added as members of a Domain Local group?
A. Accounts from the local domain only
B. Accounts from any domain in the forest
C. Accounts from the same OU as the group object is in
D. Accounts cannot exist in Domain Local groups.
7. What accounts can be added as members of a Domain Local group?
A. Accounts from the local domain only
*B. Accounts from any domain in the forest
C. Accounts from the same OU as the group object is in
D. Accounts cannot exist in Domain Local groups.

Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. Domain Local groups (in a native mode domain) can contain user accounts, Global groups and Universal groups from any domain in the forest, and other domain Local groups from the same domain. In a mixed mode domain, domain Local groups can contain user accounts and Global groups from any domain. Global groups, in a native domain, can contain user accounts and Global groups from the domain in which the Global group exists. In mixed mode the Global group can contain only user accounts from the domain in which it exists. Universal groups can only be created in domains operating in native mode. They can contain user accounts, Global groups and other Universal groups from any domain in the forest.
8. What accounts can a Universal group contain when in mixed mode?
A. Only accounts from the local domain
B. Accounts from any domain in the forest
C. You cannot create a Universal group in a domain operating in mixed mode.
D. Only user accounts from the local domain and any Global groups in the forest.
8. What accounts can a Universal group contain when in mixed mode?
A. Only accounts from the local domain
B. Accounts from any domain in the forest
*C. You cannot create a Universal group in a domain operating in mixed mode.
D. Only user accounts from the local domain and any Global groups in the forest.

Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. Domain Local groups (in a native mode domain) can contain user accounts, Global groups and Universal groups from any domain in the forest, and other domain Local groups from the same domain. In a mixed mode domain, domain Local groups can contain user accounts and Global groups from any domain. Global groups, in a native domain, can contain user accounts and Global groups from the domain in which the Global group exists. In mixed mode the Global group can contain only user accounts from the domain in which it exists. Universal groups can only be created in domains operating in native mode. They can contain user accounts, Global groups and other Universal groups from any domain in the forest.
9. What is the recommended strategy for using groups to grant permissions to access resources?
A. Place accounts into Domain Local groups, then Domain local into global and then grant permissions to the Global groups.
B. Place accounts into Domain Local groups, Domain local into global, global into Universal and then grant permissions to the Universal groups.
C. Place accounts into Global groups, then global into Domain local and then grant permissions to the Local groups.
10. What are three properties of groups that must be specified to create the group in Active Directory? (Choose 3)
A. Group Name
B. Group Members
C. Group Type
D. Group Location
E. Group Scope
9. What is the recommended strategy for using groups to grant permissions to access resources?
A. Place accounts into Domain Local groups, then Domain local into global and then grant permissions to the Global groups.
B. Place accounts into Domain Local groups, Domain local into global, global into Universal and then grant permissions to the Universal groups.
*C. Place accounts into Global groups, then global into Domain local and then grant permissions to the Local groups.

Explanation: Organizational Unit objects are container objects in Active Directory and can contain other AD objects such as user, computer, and group objects. In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. The recommended strategy for using groups is to put user accounts into Global groups and Global groups into domain Local groups and then grant permissions to the domain Local groups.
10. What are three properties of groups that must be specified to create the group in Active Directory? (Choose 3)
*A. Group Name
B. Group Members
*C. Group Type
D. Group Location
*E. Group Scope

Explanation: In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. To create a group in Active Directory Users and Computers, right-click the appropriate OU, select New and click Group. Then provide the group name, downlevel name, type and scope.
11. After you create a group, what are three types of objects that can be added as members? (Choose 3)
A. User accounts
B. Group objects
C. Container objects
D. Computer objects
12. What are two situations in which you cannot change the scope of a group in Active Directory? (Choose 2)
A. When the group is in a different tree in the forest.
B. When the domain is in mixed mode.
C. When the group scope is universal.
D. When the group is in a "Locked" state.
11. After you create a group, what are three types of objects that can be added as members? (Choose 3)
*A. User accounts
*B. Group objects
C. Container objects
*D. Computer objects

Explanation: In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. To create a group in Active Directory Users and Computers, right-click the appropriate OU, select New and click Group. Then provide the group name, downlevel name, type and scope. After the group is created, you can add users, other groups and computers as members.
12. What are two situations in which you cannot change the scope of a group in Active Directory? (Choose 2)
A. When the group is in a different tree in the forest.
*B. When the domain is in mixed mode.
*C. When the group scope is universal.
D. When the group is in a "Locked" state.

Explanation: In Active Directory there are two types of Groups: Security groups and Distribution groups. Security groups are used to grant or deny rights or permissions, while Distribution groups are used for sending e-mails with e-mail applications. Both types of groups have an attribute called scope, which determines who can be a member and where the group can be used. The three scopes are domain local, global and universal. To create a group in Active Directory Users and Computers, right-click the appropriate OU, select New and click Group. Then provide the group name, downlevel name, type and scope. Once a group has been created, you may wish to change either the type or scope of the group. You can change the type between security and distribution on the General tab of the Properties box for the group. Scope would be changed in the same dialog box. These two changes are only possible if the domain is operating in native mode. Lastly, you cannot change the scope of a universal group, since the other scopes have more restrictive membership properties.
13. What are three of the standard permissions in Active Directory security? (Choose 3)
A. Full Control
B. Write All Properties
C. Read
D. Write
E. Administer
14. When allowing and denying permissions conflict, which takes precedence?
A. The permissions allowed for a group always take precedence over user denied permissions.
B. The user allowed permissions always take precedence over the group denied permissions.
C. Denied permissions always take precedence.
D. Allowed permissions always take precedence.
13. What are three of the standard permissions in Active Directory security? (Choose 3)
*A. Full Control
B. Write All Properties
*C. Read
*D. Write
E. Administer

Explanation: Every object in Active Directory has an attribute called the Discretionary Access Control List (DACL). Objects on this list have access either granted or denied to the object. Permissions can be set using standard permissions, which include Full Control, Read, Write, Create All Child Objects, and Delete All Child Objects. Permissions can be granted or denied, and deny takes precedence over the granting of a permission. When permissions are set in Active Directory, the administrator can decide how the permission should inherit down the AD structure. This can allow the administrator to set fewer permissions and let the inheritance process continue to grant access.
14. When allowing and denying permissions conflict, which takes precedence?
A. The permissions allowed for a group always take precedence over user denied permissions.
B. The user allowed permissions always take precedence over the group denied permissions.
*C. Denied permissions always take precedence.
D. Allowed permissions always take precedence.

Explanation: Every object in Active Directory has an attribute called the Discretionary Access Control List (DACL). Objects on this list have access either granted or denied to the object. Permissions can be set using standard permissions, which include Full Control, Read, Write, Create All Child Objects, and Delete All Child Objects. Permissions can be granted or denied, and deny takes precedence over the granting of a permission. When permissions are set in Active Directory, the administrator can decide how the permission should inherit down the AD structure. This can allow the administrator to set fewer permissions and let the inheritance process continue to grant access.
15. What is the process through which permissions are passed on to child objects from their parent in Active Directory?
A. Transitive permissions
B. Inheritance
C. There is no such process. Permissions must be applied at each level in the tree.
D. Universal permissions
16. Where are permissions for Active Directory objects applied?
A. In Active Directory Users and Computers -