examwise for installing, configuring, and administering microsoft windows 2000 directory service...

Upload: patrick-simpson

Post on 18-Dec-2016


Page 1: Examwise for Installing, Configuring, and Administering Microsoft Windows 2000 Directory Service Infrastructure: Examination 70-217

ExamWise For Installing, Configuring, and Administering Microsoft Windows 2000 Directory Services Infrastructure

Examination 70-217

Online practice exam provided by BeachFront Quizzer, Inc., Friendswood, Texas

www.bfqonline.com

Author: Patrick Simpson, MCSE, MCT, MCNI, MCNE

Published by TotalRecall Publications, Inc.

1103 Middlecreek, Friendswood, TX 77546

281-992-3131

NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com


TotalRecall Publications, Inc.

This Book is sponsored by BeachFront Quizzer, Inc.

Copyright 2003 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher.

The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties.

Printed in United States of America

Printed and bound by Data Duplicators of Houston Texas

Printed and bound by Lightning Source, Inc. in the USA and UK

ISBN: 1-59095-618-4 UPC: 6-43977-03217-1

The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.

Worldwide eBook distribution by:

This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended.

Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.


This book is dedicated to my wife Joy, and my children Lucas, Bethany and Alexander, for their patience and support. Thanks also to Bruce for the encouragement and support. Lastly, but mostly, thanks be to God, from whom all gifts proceed.

Patrick Simpson


ExamWise™ For

Installing, Configuring, and Administering Microsoft® Windows® 2000 Directory Services Infrastructure

Examination 70-217

BY Patrick Simpson

MCSE, MCT, MCNI, MCNE

About the Author

Patrick Simpson has been a networking professional for more than a decade. Already an MCSE under Windows NT 4.0, he was an early adopter of Windows 2000, having earned his Windows 2000 MCSE in May 2001. He is also certified as a Microsoft Certified Trainer and teaches other networking professionals around the country. Along with his Microsoft experience, Patrick is a Master CNE and a Master CNI, with expertise in NetWare 3.x to NetWare 6, GroupWise, ZenWorks, BorderManager, etc. Along with teaching and consulting, Patrick has authored numerous certification study aids, and another BFQ Press Book, Designing Security for a Windows 2000 Network.

Patrick lives in Green Bay, WI along with his wife, Joy and three children, Lucas, Bethany and Alexander. He enjoys playing guitar, camping and boating with the family and follows the Green Bay Packers with enthusiasm.

About the Contributing Author

Travis Kelly has worked in computer repair and helpdesk for over 7 years and is currently CIW Certifiable. His computer background is quite varied and he has an intense interest in the current and future state of technology.

Travis is working towards his bachelor’s degree in Houston, TX.


About The Book

Part of TotalRecall, The Question Book Series, this new Self Help and Interactive Exam Study Aid with 30-day voucher for online testing is now available for candidates preparing to sit the Microsoft 70-217 Windows 2000 Directory Services Infrastructure certification exam. The book covers the information associated with each of the exam topics in detail and includes information found in no other book.

Using the book will help readers determine if they are ready for the Microsoft 70-217 Windows 2000 Directory Services Infrastructure certification exam. This book explains the concepts in a clear and easy-to-understand manner to help you not only pass the exam, but to apply the knowledge later in a real-world situation. Helpful tips and time management techniques will alleviate pre-exam jitters and put you in control.

About Online Testing

www.bfqonline.com practice tests include SelfStudy sessions with instant feedback, simulative and adaptive testing with detailed explanations. Register at www.TotalRecallPress.com or send an email. Located in the back of the book is a 30-day voucher for online testing.

NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com


Table of Contents

About the Author

About the Contributing Author

About The Book

About Online Testing

About 70-217 Certification

Credit Toward Certification

Audience Profile

Skills Being Measured

Chapter 1: Active Directory (Introduction)

Chapter 2: Using DNS With Active Directory Service (Introduction)

Chapter 3: Configuration Management (Introduction)

Chapter 4: Components of Active Directory (Introduction)

Chapter 5: Security in a Directory Services Infrastructure (Introduction)

Chapter 6: Remote Installation Services Configuration (Introduction)

Chapter 7: Terminology Questions (Introduction)

Money Back Book Guarantee

Free Practice Exam Online


About 70-217 Certification

Exam 70-217: Installing, Configuring, and Administering Microsoft® Windows 2000 Directory Services Infrastructure

http://www.microsoft.com/traincert/exams/70-217.asp

Information you will find in that document includes the following.

Credit Toward Certification

When you pass the Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certifications:

Core credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification

Audience Profile

Candidates for this exam operate in medium to very large computing environments that use the Windows 2000 network operating system. They have a minimum of one year's experience implementing and administering network operating systems in environments that have the following characteristics:

• Supported users range from 200-26,000+

• Physical locations range from 5-150+

• Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting.

• Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet.


Skills Being Measured

This certification exam measures your ability to install, configure, and troubleshoot the Windows 2000 Active Directory™ components, DNS for Active Directory, and Active Directory security solutions. In addition, this test measures the skills required to manage, monitor, and optimize the desktop environment by using Group Policy. Before taking the exam, you should be proficient in the job skills listed below.

A. Installing and Configuring Active Directory

1. Install forests, trees, and domains.

• Automate domain controller installation.

2. Create sites, subnets, site links, and connection objects.

3. Configure server objects. Considerations include site membership and global catalog designation.

4. Transfer operations master roles.

5. Verify and troubleshoot Active Directory installation.

6. Implement an organizational unit (OU) structure.

B. Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory

1. Install and configure DNS for Active Directory.

• Integrate Active Directory DNS zones with existing DNS infrastructure.

• Configure zones for dynamic updates and secure dynamic updates.

• Create and configure DNS records.

2. Manage, monitor, and troubleshoot DNS.

C. Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management

1. Implement and troubleshoot Group Policy.

• Create and modify a Group Policy object (GPO).

• Link to an existing GPO.

• Delegate administrative control of Group Policy.

• Configure Group Policy options.

• Filter Group Policy settings by using security groups.

• Modify Group Policy prioritization.


2. Manage and troubleshoot user environments by using Group Policy.

3. Install, configure, manage, and troubleshoot software by using Group Policy.

4. Manage network configuration by using Group Policy.

5. Configure Active Directory to support Remote Installation Services (RIS).

• Configure RIS options to support remote installations.

• Configure RIS security.

D. Managing, Monitoring, and Optimizing the Components of Active Directory

1. Manage Active Directory objects.

• Move Active Directory objects.

• Publish resources in Active Directory.

• Locate objects in Active Directory.

• Create and manage objects manually or by using scripting.

• Control access to Active Directory objects.

• Delegate administrative control of objects in Active Directory.

2. Monitor, optimize, and troubleshoot Active Directory performance and replication.

3. Back up and restore Active Directory.

• Perform an authoritative and a nonauthoritative restore of Active Directory.

• Recover from a system failure.

• Seize operations master roles.

E. Configuring, Managing, Monitoring, and Troubleshooting Security in a Directory Services Infrastructure

1. Apply security policies by using Group Policy.

2. Create, analyze, and modify security configurations by using the Security Configuration and Analysis snap-in and the Security Templates snap-in.

3. Implement an audit policy.

4. Monitor and analyze security events.


F. Networking Terminology

There are a lot of different terms and acronyms that you will be learning in this book. It must be assumed that you have a certain amount of networking experience or you may find it necessary to supplement this material with some other books on the subject of networks in general. Before we go very far we will need to define some of the common network terms that we will be using often throughout our text.

• Access control entry (ACE) – A single permissions designation that identifies, through the use of a SID, a user's or group's rights to a given resource.

• Access control list (ACL) – A grouping of different ACEs that is associated with an object. The ACL tells the operating system what permissions are associated with the object.

• Active Directory – The directory service architecture that’s included with the Windows 2000 Server operating system. It provides the basis for Microsoft’s new distributed network architecture. It allows users to locate objects more easily while allowing for better network scalability.

• Attribute – The basic properties of an object.

• Container – A specific type of object that is used to hold other Active Directory objects. Probably the most common container object in Active Directory is the Organizational Unit (OU).

• Distinguished name (DN) – A naming convention that consists of the entire path required to get to an object. Every object in Active Directory has a unique DN.

• Domain – The primary method of grouping objects in Active Directory. There is always at least one domain in Active Directory. Domains represent a single security boundary in Windows NT and 2000. In Active Directory, multiple domains that share a common namespace are referred to as a tree.

• Domain controller – A Windows 2000 Server that maintains a copy of the Active Directory database. In Windows 2000 all domain controllers are multimaster enabled. Simply put, this means that all domain controllers contain a copy of the Active Directory database that is editable.

• Domain Name System (DNS) – A hierarchical database used to translate computer names to IP addresses. It is the primary method of name resolution used on the Internet as well as in Active Directory.


• Forest – A grouping of one or more Active Directory trees. All domains in a forest share a common schema and global catalog. Trees within a forest trust each other through two-way transitive trusts.

• Global Catalog – Contains a partial copy of the Active Directory database. The items found in the Global Catalog are the ones that are most often accessed.

• Group – An object that can contain users, computers or other groups. They are used by Active Directory as an easy method to assign permissions to different groupings of objects. In Windows 2000 there are three different types of groups: domain local, global and universal.

• Group Policy – A method of applying different configuration settings to Active Directory containers and the objects within them. Collections of policies are referred to as Group Policy objects (GPOs).

• Kerberos – The primary method of authenticating users in Windows 2000.

• Knowledge Consistency Checker (KCC) – The service that runs on all Active Directory domain controllers that is responsible for intrasite replication objects.

• Mixed mode – The default mode that domains are created in. This mode allows for down-level compatibility with Windows NT domain controllers.

• Native mode – The mode in which all domain controllers in a given domain are running the Windows 2000 Server operating system. This mode allows for additional features that are not available in mixed mode.

• Object – A single unit in Active Directory that is defined by a set of attributes. An object might be a user, computer or printer.

• Organizational Unit (OU) – An Active Directory container object that can be used to better categorize objects as well as delegate authority to them.

• Policy – A given set of rules that are applied to a particular object.

• Relative distinguished name (RDN) – The part of the Distinguished Name (DN) that refers to the name of the object itself.

• Replication – The process of synchronizing a distributed database. Active Directory uses a method called multi-master replication.

• Schema – The component of Active Directory that defines all of the objects and attributes within the Active Directory database.

• Site – One or more well-connected subnets that contain Active Directory servers.

• Tree – A collection of one or more domains that have two-way transitive trusts and are part of a contiguous namespace. Multiple trees that trust each other are called a forest.


• Trust – Relationships that are established between domains, trees or forests. In Windows 2000 these trusts are transitive by default. This means that they are two-way and that they allow trust to be inherited by others who are trusted. This means that if A trusts B and B trusts C then A will trust C.

• Well-connected – By Microsoft’s reasoning, a network path that is 10MB/sec or faster.


Chapter 1:

Introduction

The purpose of this first chapter is to help familiarize you with the basic concepts of Active Directory. How quickly you are able to master these concepts will depend on your background in the computer industry. Those who have an extensive Novell background will find many of the features of Windows 2000 Active Directory familiar, as will those of you who have worked with Microsoft Exchange Server. A good fundamental understanding of Windows NT will also be helpful as you strive to learn these topics.

Regardless of your background, please make sure to spend as much time in Chapter One as necessary for you to feel comfortable with these ideas. They form the foundation upon which the understanding of all Active Directory concepts is built. While all of the concepts in Chapter One are covered much more in depth throughout the rest of the book, it’s still important to spend the appropriate time in this section.

You might have heard the parable about the man who built his house on sand. Likewise, if you simply skim through the first chapter you could be building a foundation for yourself that isn’t solid at all. Now that the ominous warning is out of the way, let’s move on. Without further ado, let’s begin our journey together into the realm of Active Directory.


Chapter 1: Active Directory

The objective of this chapter is to provide the reader with an understanding of the following:

1. Install forests, trees, and domains.

2. Automate domain controller installation.

3. Create sites, subnets, site links, and connection objects.

4. Configure server objects. Considerations include site membership and global catalog designation.

5. Transfer operations master roles.

6. Verify and troubleshoot Active Directory installation.

7. Implement an organizational unit (OU) structure.

1. What are two special designations given to domain controllers in Active Directory? (Choose 2)

A. PDC

B. Global Catalog Server

C. Master Catalog Server

D. Operations Master

2. What are two important functions that a Global Catalog Server performs for users in Active Directory? (Choose 2)

A. A Global Catalog Server enables a user to search the entire forest to find directory information.

B. A Global Catalog Server maintains a list of the user's resources.

C. A Global Catalog Server enables the logon process by providing universal group membership information to the domain controller.

D. A Global Catalog Server allows users to find services anywhere in the world.


1. What are two special designations given to domain controllers in Active Directory? (Choose 2)

A. PDC

*B. Global Catalog Server

C. Master Catalog Server

*D. Operations Master

Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: Global Catalog Server and Operations Master.

2. What are two important functions that a Global Catalog Server performs for users in Active Directory? (Choose 2)

*A. A Global Catalog Server enables a user to search the entire forest to find directory information.

B. A Global Catalog Server maintains a list of the user's resources.

*C. A Global Catalog Server enables the logon process by providing universal group membership information to the domain controller.

D. A Global Catalog Server allows users to find services anywhere in the world.

Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.


3. What are three of the five Operations Master roles for domain controllers in Active Directory? (Choose 3)

A. PDC

B. Domain Naming Master

C. Schema Master

D. DNS Master

E. Relative Identifier (RID) Master


3. What are three of the five Operations Master roles for domain controllers in Active Directory? (Choose 3)

A. PDC

*B. Domain Naming Master

*C. Schema Master

D. DNS Master

*E. Relative Identifier (RID) Master

Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.


4. What type of domain controller in Windows 2000 provides for support of a mixed mode network containing both Windows 2000 and Windows NT servers?

A. Schema Master

B. Infrastructure Master

C. PDC Emulator

D. RID Master


4. What type of domain controller in Windows 2000 provides for support of a mixed mode network containing both Windows 2000 and Windows NT servers?

A. Schema Master

B. Infrastructure Master

*C. PDC Emulator

D. RID Master

Explanation: There are no longer PDC and BDC servers in Windows 2000, just domain controllers and member servers. There are two other Windows 2000 Server roles that may be assigned to domain controllers: that of Global Catalog Server and that of Operations Master. A Global Catalog Server contains information on all objects in Active Directory, and will respond to queries from clients attempting to locate resources. An Operations Master is a domain controller that has been assigned to fill one of five special roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master. There can only be one Schema Master in a forest, and it controls all updates to the Active Directory database schema. There can only be one Domain Naming Master and it controls the addition or removal of domains in the forest. There can be one RID Master in each domain and it is responsible for allocating sequences of RIDs to each of the domain controllers in its domain. PDC Emulators are necessary in networks with Windows NT servers or computers not yet running Windows 2000 client software. Each domain also needs an Infrastructure Master to coordinate changes to user accounts and group memberships.


5. How is Active Directory installed in Windows 2000?

A. Active Directory is installed using the Administrative Tool named Active Directory Manager.

B. Active Directory is installed using the Active Directory Installation Wizard.

C. Active Directory must be installed during the installation of Windows 2000.

D. Active Directory is installed automatically when Windows 2000 is installed.

6. What are three requirements for the installation of Active Directory? (Choose 3)

A. The server needs at least 1 Gb of hard drive space available.

B. The network must be running TCP/IP and using DNS.

C. All workstations must be running Windows 2000 Professional.

D. Your network must have a DNS server that supports SRV records and Dynamic DNS (DDNS) updates.

E. All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server.


5. How is Active Directory installed in Windows 2000?

A. Active Directory is installed using the Administrative Tool named Active Directory Manager.

*B. Active Directory is installed using the Active Directory Installation Wizard.

C. Active Directory must be installed during the installation of Windows 2000.

D. Active Directory is installed automatically when Windows 2000 is installed.

Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain.

6. What are three requirements for the installation of Active Directory? (Choose 3)

*A. The server needs at least 1 Gb of hard drive space available.

*B. The network must be running TCP/IP and using DNS.

C. All workstations must be running Windows 2000 Professional.

*D. Your network must have a DNS server that supports SRV records and Dynamic DNS (DDNS) updates.

E. All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server.

Explanation: One of the most significant changes in Windows 2000 is the introduction of Active Directory. The installation of Active Directory on a domain controller is invoked by running the dcpromo.exe file or by choosing the Active Directory Installation Wizard. As you install Active Directory, you can either specify that this domain controller will be a domain controller for a new domain or an additional domain controller for an existing domain. Before you install Active Directory, you must have a server running Windows 2000 Server, Advanced Server or Datacenter Server, an NTFS volume with 1Gb of space, TCP/IP installed with DNS and a DNS server that supports SRV records and the Dynamic DNS (DDNS) update protocol. The answer "All servers must be running Windows 2000 Server, Advanced Server or Datacenter Server." would not be correct because not all servers need be Windows 2000.


7. What happens when you install Active Directory for the first time in your network?

A. You create the first domain controller and three Active Directory consoles are added to the Administrative Tools menu.

B. You create the PDC and three Active Directory consoles are added to the Administrative Tools menu.

C. You create the first domain controller and three Active Directory consoles are added to the MMC menu.

D. You create the PDC and three Active Directory consoles are added to the MMC menu.

8. What are the two options presented to you by the Active Directory Installation Wizard when it is first launched? (Choose 2)

A. Create a new domain tree

B. Add a domain controller in an existing domain

C. Join existing forest

D. Create a domain controller for new domain

E. Create a new forest


7. What happens when you install Active Directory for the first time in your network?

*A. You create the first domain controller and three Active Directory consoles are

added to the Administrative Tools menu.

B. You create the PDC and three Active Directory consoles are added to the

Administrative Tools menu.

C. You create the first domain controller and three Active Directory consoles are

added to the MMC menu.

D. You create the PDC and three Active Directory consoles are added to the MMC

menu.

Explanation: As you install Active Directory, you can either specify that this domain

controller will be a domain controller for a new domain or an additional domain

controller for an existing domain. If you are installing Active Directory for the first

time on your network, then you will create the first domain controller in the forest

and establish the root domain. At the same time, three new consoles are added to

your Windows 2000 Server to aid in Active Directory management: Active Directory

Users and Computers, Active Directory Domains and Trusts, and Active Directory

Sites and Services.

8. What are the two options presented to you by the Active Directory Installation Wizard

when it is first launched? (Choose 2)

A. Create a new domain tree

*B. Add a domain controller in an existing domain

C. Join existing forest

*D. Create a domain controller for new domain

E. Create a new forest

Explanation: As you install Active Directory, you can either specify that this domain

controller will be a domain controller for a new domain or an additional domain

controller for an existing domain. If you are installing Active Directory for the first

time on your network you will create the first domain controller in the forest and

establish the root domain. At the same time, three new consoles are added to your

Windows 2000 Server to aid in Active Directory management: Active Directory

Users and Computers, Active Directory Domains and Trusts, and Active Directory

Sites and Services.


9. What must you configure when creating a new Active Directory domain so that pre-

Windows 2000 workstations can find the domain?

A. DNS

B. New Domain Name

C. Domain NetBIOS Name

D. Domain WINS Name

10. What are the three consoles automatically added to Administrative Tools on the

domain controller during the installation of Active Directory? (Choose 3)

A. Active Directory Users and Groups

B. Active Directory Users and Computers

C. Active Directory Domains and Trusts

D. Active Directory Sites and Services

E. Active Directory Computers and Servers


9. What must you configure when creating a new Active Directory domain so that pre-

Windows 2000 workstations can find the domain?

A. DNS

B. New Domain Name

*C. Domain NetBIOS Name

D. Domain WINS Name

Explanation: As you install Active Directory, you can either specify that this domain

controller will be a domain controller for a new domain or an additional domain

controller for an existing domain. If you are installing Active Directory for the first

time on your network you will create the first domain controller in the forest and

establish the root domain. To make this domain visible to pre-Windows 2000 clients

and servers, you need to specify a Domain NetBIOS Name. At the same time, three

new consoles are added to your Windows 2000 Server to aid in Active Directory

management: Active Directory Users and Computers, Active Directory Domains and

Trusts, and Active Directory Sites and Services.

10. What are the three consoles automatically added to Administrative Tools on the

domain controller during the installation of Active Directory? (Choose 3)

A. Active Directory Users and Groups

*B. Active Directory Users and Computers

*C. Active Directory Domains and Trusts

*D. Active Directory Sites and Services

E. Active Directory Computers and Servers

Explanation: As you install Active Directory, you can either specify that this domain

controller will be a domain controller for a new domain or an additional domain

controller for an existing domain. If you are installing Active Directory for the first

time on your network you will create the first domain controller in the forest and

establish the root domain. To make this domain visible to pre-Windows 2000 clients

and servers, you need to specify a Domain NetBIOS Name. At the same time, three

new consoles are added to your Windows 2000 Server to aid in Active Directory

management: Active Directory Users and Computers, Active Directory Domains and

Trusts, and Active Directory Sites and Services.


11. In relation to BFQ.COM, what is SALES.BFQ.COM called?

A. A sub-domain

B. A secondary zone

C. A child domain

D. A parent domain

12. What object is used to centralize control of traffic generated by Active Directory in

networks with multiple subnets connected with links of varying capacity?

A. Replication Manager Object

B. Connection Objects

C. Site Object

D. Site Link Bridge Object


11. In relation to BFQ.COM, what is SALES.BFQ.COM called?

A. A sub-domain

B. A secondary zone

*C. A child domain

D. A parent domain

Explanation: As you install Active Directory, you can either specify that this domain

controller will be a domain controller for a new domain or an additional domain

controller for an existing domain. If you are installing Active Directory for the first

time on your network you will create the first domain controller in the forest and

establish the root domain. To make this domain visible to pre-Windows 2000 clients

and servers, you need to specify a Domain NetBIOS Name. As you create new

domains, they join the forest as child domains of either the root domain or another

pre-existing domain. In this example the SALES domain has been added beneath the

domain BFQ.COM, thus SALES is said to be a child domain of BFQ.COM.

12. What object is used to centralize control of traffic generated by Active Directory in

networks with multiple subnets connected with links of varying capacity?

A. Replication Manager Object

B. Connection Objects

*C. Site Object

D. Site Link Bridge Object

Explanation: The process of updating from one domain controller to another is called

replication. The physical structure of the network, especially the capacity between

subnetworks, has a great impact on this process. To control replication more

effectively, Active Directory provides sites. A site is defined as one or more well-

connected IP subnets. The term well-connected is relative to the speed of the link and

the traffic on the link. When you create the first domain controller in Active

Directory, the Active Directory Installation Wizard creates the Default-First-Site-

Name and assigns the domain controller to the site. This default site will contain all

IP subnets by default, unless you specify otherwise in the creation process.


13. What name is given to the Site object created when you install Active Directory for

the first time in your network?

A. Default-First-Site-Name

B. Default-Site

C. First-Site

D. Default-Site-Name

14. What are three objects used by the Knowledge Consistency Checker to configure the

connections between domain controllers? (Choose 3)

A. Server Object

B. KCC Settings Object

C. NTDS Settings Object

D. Connection Object

E. NTDS Link Object


13. What name is given to the Site object created when you install Active Directory for

the first time in your network?

*A. Default-First-Site-Name

B. Default-Site

C. First-Site

D. Default-Site-Name

Explanation: The process of updating from one domain controller to another is called

replication. The physical structure of the network, especially the capacity between

subnetworks, has a great impact on this process. To control replication more

effectively, Active Directory provides sites. A site is defined as one or more well-

connected IP subnets. The term well-connected is relative to the speed of the link and

the traffic on the link. When you create the first domain controller in Active

Directory the Active Directory Installation Wizard creates the Default-First-Site-

Name and assigns the domain controller to the site. This default site will contain all

IP subnets by default, unless you specify otherwise in the creation process.

14. What are three objects used by the Knowledge Consistency Checker to configure the

connections between domain controllers? (Choose 3)

*A. Server Object

B. KCC Settings Object

*C. NTDS Settings Object

*D. Connection Object

E. NTDS Link Object

Explanation: A site is defined as one or more well-connected IP subnets. The term well-

connected is relative to the speed of the link and the traffic on the link. When you

create the first domain controller in Active Directory the Active Directory

Installation Wizard creates the Default-First-Site-Name and assigns the domain

controller to the site. This default site will contain all IP subnets by default, unless

you specify otherwise in the creation process. When you add domain controllers to a

site, a process called the Knowledge Consistency Checker (KCC) automatically

configures connections between controllers for replication. The KCC creates

connection objects to represent a one-way replication path between domain

controllers. The connection objects are children of NTDS Settings objects, which are

children of server objects, which represent the actual domain controller.


15. What are two situations for which Connection objects need to exist and be

configured? (Choose 2)

A. For workstations to be able to connect for authentication

B. For domain controllers within a site to be able to maintain replication

C. For BDCs to be able to replicate with PDCs

D. For domain controllers in different sites to be able to maintain replication

16. What service is not available when you configure replication between two sites?

A. Change Notification

B. Compressed Traffic

C. Urgent Replication

D. Replication Scheduling


15. What are two situations for which Connection objects need to exist and be

configured? (Choose 2)

A. For workstations to be able to connect for authentication

*B. For domain controllers within a site to be able to maintain replication

C. For BDCs to be able to replicate with PDCs

*D. For domain controllers in different sites to be able to maintain replication

Explanation: When you add domain controllers to a site, a process called the Knowledge

Consistency Checker (KCC) automatically configures connections between

controllers for replication. The KCC creates connection objects to represent a one-

way replication path between domain controllers. The connection objects are

children of NTDS Settings objects, which are children of server objects, which

represent the actual domain controller. The connection objects are necessary for

domain controllers within a site or domain controllers between different sites to

maintain replication.

16. What service is not available when you configure replication between two sites?

A. Change Notification

B. Compressed Traffic

*C. Urgent Replication

D. Replication Scheduling

Explanation: When you add domain controllers to a site, a process called the Knowledge

Consistency Checker (KCC) automatically configures connections between

controllers for replication. The KCC creates connection objects to represent a one-

way replication path between domain controllers. The connection objects are

children of NTDS Settings objects, which are children of server objects, which

represent the actual domain controller. The connection objects are necessary for

domain controllers within a site or domain controllers between different sites to

maintain replication. Replication within a site occurs through a change notification

process, whereby a domain controller waits for a configurable interval (by default 5

minutes) and then informs replication partners of changes. Within a site, replication

traffic is uncompressed and urgent replication, consisting of security-sensitive

updates, is available. Between sites, replication is defined based on a schedule and an

interval and traffic is always compressed. Urgent replication is not available for

replication between sites.


17. What is the name of the process that waits a configurable amount of time after a

change has been made to an object and then sends a notification message to its

replication partners?

A. Replication Scheduling

B. Urgent Replication

C. Change Notification

D. Replication Between Sites

18. What protocol does Active Directory use for replication within a site?

A. TCP/IP

B. RPC over IP

C. SMTP

D. SNMP


17. What is the name of the process that waits a configurable amount of time after a

change has been made to an object and then sends a notification message to its

replication partners?

A. Replication Scheduling

B. Urgent Replication

*C. Change Notification

D. Replication Between Sites

Explanation: Replication within a site occurs through a change notification process,

whereby a domain controller waits for a configurable interval (by default 5 minutes)

and then informs replication partners of changes. Within a site, replication traffic is

uncompressed and urgent replication, consisting of security-sensitive updates, is

available. Between sites, replication is defined based on a schedule and an interval

and traffic is always compressed. Urgent replication is not available for replication

between sites.

18. What protocol does Active Directory use for replication within a site?

A. TCP/IP

*B. RPC over IP

C. SMTP

D. SNMP

Explanation: Replication within a site occurs through a change notification process,

whereby a domain controller waits for a configurable interval (by default 5 minutes)

and then informs replication partners of changes. Within a site, replication traffic is

uncompressed and urgent replication, consisting of security-sensitive updates, is

available. Active Directory uses remote procedure calls (RPC) over IP for replication

within a site. Between sites, replication is defined based on a schedule and an

interval and traffic is always compressed. Urgent replication is not available for

replication between sites. Active Directory replication between sites can be

accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol).


19. What are the two protocols used for replication between sites by Active Directory?

(Choose 2)

A. NetBIOS

B. RPC over IP

C. SMTP

D. SNMP

20. What are two additional objects in Active Directory for use in configuring replication

between sites? (Choose 2)

A. Site Links

B. Site Bridges

C. Link Bridges

D. Site Link Bridges


19. What are the two protocols used for replication between sites by Active Directory?

(Choose 2)

A. NetBIOS

*B. RPC over IP

*C. SMTP

D. SNMP

Explanation: Replication within a site occurs through a change notification process,

whereby a domain controller waits for a configurable interval (by default 5 minutes)

and then informs replication partners of changes. Within a site, replication traffic is

uncompressed and urgent replication, consisting of security-sensitive updates, is

available. Active Directory uses remote procedure calls (RPC) over IP for replication

within a site. Between sites, replication is defined based on a schedule and an

interval and traffic is always compressed. Urgent replication is not available for

replication between sites. Active Directory replication between sites can be

accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol).

20. What are two additional objects in Active Directory for use in configuring replication

between sites? (Choose 2)

*A. Site Links

B. Site Bridges

C. Link Bridges

*D. Site Link Bridges

Explanation: When you add domain controllers to a site, a process called the Knowledge

Consistency Checker (KCC) automatically configures connections between

controllers for replication. The KCC creates connection objects to represent a one-

way replication path between domain controllers. The connection objects are

children of NTDS Settings objects, which are children of server objects, which

represent the actual domain controller. The connection objects are necessary for

domain controllers within a site or domain controllers between different sites to

maintain replication. Between sites, replication is defined based on a schedule and an

interval and traffic is always compressed. Urgent replication is not available for

replication between sites. Active Directory replication between sites can be

accomplished either through RPC over IP or SMTP (Simple Mail Transfer Protocol).

For configuration of replication between sites there are two additional objects: site

link objects and site link bridge objects.


21. What are three values that you can configure in the Site Link Properties box? (Choose

3)

A. Protocol (RPC over IP or SMTP)

B. Replication Cost

C. Replication Interval

D. Replication Schedule

E. Replication Compression

22. What two settings are required to create a new site in Active Directory? (Choose 2)

A. Site Name

B. Site Cost

C. Association with a Site Link

D. Association with a Domain Controller


21. What are three values that you can configure in the Site Link Properties box? (Choose

3)

A. Protocol (RPC over IP or SMTP)

*B. Replication Cost

*C. Replication Interval

*D. Replication Schedule

E. Replication Compression

Explanation: Between sites, replication is defined based on a schedule and an interval

and traffic is always compressed. Urgent replication is not available for replication

between sites. Active Directory replication between sites can be accomplished either

through RPC over IP or SMTP (Simple Mail Transfer Protocol). For configuration of

replication between sites there are two additional objects: site link objects and site

link bridge objects. Site links contain three values that can be used to configure

replication: cost, interval and schedule. Cost is an arbitrary value, interval defines

how frequently replication should occur and schedule says when the site link is

available for replication to occur at all.

22. What two settings are required to create a new site in Active Directory? (Choose 2)

*A. Site Name

B. Site Cost

*C. Association with a Site Link

D. Association with a Domain Controller

Explanation: A site is defined as one or more well-connected IP subnets, where the term

well-connected is relative to the speed of the link and the traffic on the link. When

you create the first domain controller in Active Directory the Active Directory

Installation Wizard creates the Default-First-Site-Name and assigns the domain

controller to the site. This default site will contain all IP subnets by default, unless

you specify otherwise in the creation process. To manually create a site, simply open

Active Directory Sites and Services, click create new site, then name the site and

associate it with a site link.


23. After creating sites in Active Directory, what is the next step in implementing the

physical structure?

A. The next step involves creating Site Links.

B. The next step involves setting replication configuration.

C. The next step involves creating IP subnets.

D. The next step involves creating a Global Catalog.


23. After creating sites in Active Directory, what is the next step in implementing the

physical structure?

A. The next step involves creating Site Links.

B. The next step involves setting replication configuration.

*C. The next step involves creating IP subnets.

D. The next step involves creating a Global Catalog.

Explanation: A site is defined as one or more well-connected IP subnets, where the term

well-connected is relative to the speed of the link and the traffic on the link. When

you create the first domain controller in Active Directory the Active Directory

Installation Wizard creates the Default-First-Site-Name and assigns the domain

controller to the site. This default site will contain all IP subnets by default, unless

you specify otherwise in the creation process. To manually create a site, simply open

Active Directory Sites and Services, click create new site, then name the site and

associate it with a site link. After you have created sites, the next step in creating the

physical structure in Active Directory is creating subnets.


24. You are the administrator of BFQ, Inc., and have just installed Active Directory and 8

additional Domain Controllers. After you create sites and subnets, where will the

server objects corresponding to the Domain Controllers reside in Active Directory?

A. The server objects for the Domain Controllers will reside in their respective subnets.

B. The server objects for the Domain Controllers will reside in the sites you specify when

you create the site object.

C. The server objects for the Domain Controllers will reside in the Default-First-Site-

Name site and will need to be moved to the correct site using Active Directory Sites

and Services.

D. The server objects for the Domain Controllers will not yet exist and can now be

created in the appropriate site.


24. You are the administrator of BFQ, Inc., and have just installed Active Directory and 8

additional Domain Controllers. After you create sites and subnets, where will the

server objects corresponding to the Domain Controllers reside in Active Directory?

A. The server objects for the Domain Controllers will reside in their respective

subnets.

B. The server objects for the Domain Controllers will reside in the sites you specify

when you create the site object.

*C. The server objects for the Domain Controllers will reside in the Default-First-

Site-Name site and will need to be moved to the correct site using Active

Directory Sites and Services.

D. The server objects for the Domain Controllers will not yet exist and can now be

created in the appropriate site.

Explanation: A site is defined as one or more well-connected IP subnets, where the term

well-connected is relative to the speed of the link and the traffic on the link. When

you create the first domain controller in Active Directory the Active Directory

Installation Wizard creates the Default-First-Site-Name and assigns the domain

controller to the site. This default site will contain all IP subnets by default, unless

you specify otherwise in the creation process. Additionally, the Default-First-Site-

Name will be associated with all domain controller server objects unless you specify

otherwise. If you have created your domain controllers before defining sites, you will

need to use Active Directory Sites and Services console to move the domain

controller server objects to the appropriate site.


25. What must you do to move a server object in Active Directory?

A. Server objects cannot be moved. You must delete the object and re-create it.

B. Server objects cannot be moved. You must reinstall Active Directory on the Domain

Controller.

C. In Active Directory Sites and Services, right click the server object and choose move,

then drag and drop it.

D. You can move the server object from within the Site object by browsing in Active

Directory and choosing the server object.

26. What are two properties that need to be identified when creating a Site Link?

(Choose 2)

A. Site Link Name

B. Site Link Subnet

C. Site Link Protocol

D. Site Link Sites


25. What must you do to move a server object in Active Directory?

A. Server objects cannot be moved. You must delete the object and re-create it.

B. Server objects cannot be moved. You must reinstall Active Directory on the

Domain Controller.

*C. In Active Directory Sites and Services, right click the server object and choose

move, then drag and drop it.

D. You can move the server object from within the Site object by browsing in

Active Directory and choosing the server object.

Explanation: A site is defined as one or more well-connected IP subnets, where the term

well-connected is relative to the speed of the link and the traffic on the link. When

you create the first domain controller in Active Directory the Active Directory

Installation Wizard creates the Default-First-Site-Name and assigns the domain

controller to the site. This default site will contain all IP subnets by default, unless

you specify otherwise in the creation process. Additionally, the Default-First-Site-

Name will be associated with all domain controller server objects unless you specify

otherwise. If you have created your domain controllers before defining sites, you will

need to use Active Directory Sites and Services console to move the domain

controller server objects to the appropriate site.

26. What are two properties that need to be identified when creating a Site Link?

(Choose 2)

*A. Site Link Name

B. Site Link Subnet

C. Site Link Protocol

*D. Site Link Sites

Explanation: For configuration of replication between sites there are two additional

objects: site link objects and site link bridge objects. Site links contain three values

that can be used to configure replication: cost, interval and schedule. Cost is an

arbitrary value, interval defines how frequently replication should occur and

schedule says when the site link is available for replication to occur at all. The

creation of a site link in Active Directory Sites and Services requires a name and two

or more sites to be linked. Configuration of the site link then consists of specifying

the replication protocol and setting the cost, interval and schedule values.


27. What must you do if your network is not fully routed and you need to create site link

bridges?

A. You must first enable routing across your network.

B. You must disable the default bridging of site links.

C. You must enable routing in the protocol section of the site links.

D. You must first disable the default routing of all site links.


27. What must you do if your network is not fully routed and you need to create site link

bridges?

A. You must first enable routing across your network.

*B. You must disable the default bridging of site links.

C. You must enable routing in the protocol section of the site links.

D. You must first disable the default routing of all site links.

Explanation: For configuration of replication between sites there are two additional

objects: site link objects and site link bridge objects. Site links contain three values

that can be used to configure replication: cost, interval and schedule. Cost is an

arbitrary value, interval defines how frequently replication should occur and

schedule says when the site link is available for replication to occur at all. The

creation of a site link in Active Directory Sites and Services requires a name and two

or more sites to be linked. Configuration of the site link then consists of specifying

the replication protocol and setting the cost, interval and schedule values. Site link

bridges represent sets of site links that all use the same replication protocol. If your

network is routed, then site links are bridged by default and you need not create site

link bridges. Otherwise, to create a site link bridge, you must open Site in Active

Directory Sites and Services and choose Inter-Site Transports - New Site Link

Bridge. Then you simply name the bridge and assign two or more site links and click

Add.


28. As the administrator for BFQ, Inc. what can you do to decrease the traffic created by

queries to the Global Catalog across sites?

A. You can limit Global Catalog searches to the local site only.

B. You can create separate forests so that searches will remain local.

C. You can create additional Global Catalog Servers so that the catalog is available

locally.

D. You can create a local catalog, and then searches will not cross WAN links.


28. As the administrator for BFQ, Inc. what can you do to decrease the traffic created by

queries to the Global Catalog across sites?

A. You can limit Global Catalog searches to the local site only.

B. You can create separate forests so that searches will remain local.

*C. You can create additional Global Catalog Servers so that the catalog is available

locally.

D. You can create a local catalog, and then searches will not cross WAN links.

Explanation: For configuration of replication between sites there are two additional

objects: site link objects and site link bridge objects. Site links contain three values

that can be used to configure replication: cost, interval and schedule. Cost is an

arbitrary value, Interval defines how frequently replication should occur and

schedule says when the site link is available for replication to occur at all. The

creation of a site link in Active Directory Sites and Services requires a name and two

or more sites to be linked. Configuration of the site link then consists of specifying

the replication protocol and setting the cost, interval and schedule values. To reduce

traffic further between sites, you can create a separate Global Catalog Server at each

site, so that queries will not cross slow network links. This is done in the NTDS

Settings tab under Sites in Active Directory Sites and Services.

29. What are the two main types of network traffic affected by the existence of sites?

(Choose 2)

A. Routing traffic

B. Logon traffic

C. Replication traffic

D. IP broadcast traffic

30. You are the administrator of BFQ, Inc., a company with offices in Dallas, London

and New York City. New York City has T-1 lines to both of the other locations,

while they have only a 56KBps link between them. How many sites will need to be

created for this network?

A. 2 sites

B. 3 sites

C. 4 sites

D. None

E. 6 sites

29. What are the two main types of network traffic affected by the existence of sites?

(Choose 2)

A. Routing traffic

*B. Logon traffic

*C. Replication traffic

D. IP broadcast traffic

Explanation: Clearly, of the answers presented, only replication and logon traffic are

reasonable. Routing traffic on large IP internetworks is already well optimized

through the use of OSPF, and IP broadcasts are not forwarded across routers by

default.

30. You are the administrator of BFQ, Inc., a company with offices in Dallas, London

and New York City. New York City has T-1 lines to both of the other locations,

while they have only a 56KBps link between them. How many sites will need to be

created for this network?

A. 2 sites

*B. 3 sites

C. 4 sites

D. None

E. 6 sites

Explanation: 3 Sites will need to be created for this network. One for Dallas, one for

London, and one for New York City.

31. What do you use to create Organizational Unit objects in Active Directory?

A. Active Directory Users and Computers

B. Active Directory Sites and Services

C. Active Directory Domains and Forests

D. Active Directory Tree

32. What are the three scopes available for groups in Active Directory? (Choose 3)

A. Domain Local

B. Global

C. Security

D. Distribution

E. Universal

31. What do you use to create Organizational Unit objects in Active Directory?

*A. Active Directory Users and Computers

B. Active Directory Sites and Services

C. Active Directory Domains and Forests

D. Active Directory Tree

Explanation: Organizational Unit objects are container objects in Active Directory, and

can contain other AD objects such as user, computer, and group objects. To create an

Organizational Unit object below another OU, the user must have the Read, List

Contents and Create Organizational Unit Objects permissions. Certainly, members of

the Administrators group can create OUs anywhere in the forest by default. To create

an OU, open Active Directory Users and Computers, then right-click the container in

which you wish to create an OU, select New, and name the new OU.

32. What are the three scopes available for groups in Active Directory? (Choose 3)

*A. Domain Local

*B. Global

C. Security

D. Distribution

*E. Universal

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two basic group types: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions while Distribution

groups are used for sending e-mails with e-mail applications. Both types of groups

have an attribute called scope, which determines who can be a member and where

the group can be used. The three scopes are domain local, global and universal.

Domain Local groups (in a native mode domain) can contain user accounts, Global

groups and Universal groups from any domain in the forest, and other domain Local

groups from the same domain. In a mixed mode domain, domain Local groups can

contain user accounts and Global groups from any domain. Global groups, in a

native domain, can contain user accounts and Global groups from the domain in

which the Global group exists. In mixed mode the Global group can contain only

user accounts from the domain in which it exists. Universal groups can only be

created in domains operating in native mode. They can contain user accounts, Global

groups and other Universal groups from any domain in the forest.

33. As the administrator in your domain you are trying to troubleshoot your domain's

replication topology. The first step in the troubleshooting process is to determine the

number of replication topologies that exist within your single Windows 2000 Active

Directory domain structure. Which of the following represent a replication topology

naming context? (Choose three.)

A. Schema naming context

B. Domain naming context

C. Configuration naming context

D. Site naming context

E. Global Catalog naming context

33. As the administrator in your domain you are trying to troubleshoot your domain's

replication topology. The first step in the troubleshooting process is to determine the

number of replication topologies that exist within your single Windows 2000 Active

Directory domain structure. Which of the following represent a replication topology

naming context? (Choose three.)

*A. Schema naming context

*B. Domain naming context

*C. Configuration naming context

D. Site naming context

E. Global Catalog naming context

Explanation: The Configuration naming context is an enterprise-wide naming context

that includes information about all the sites, domain and domain controllers in the

forest and the domain controller replication connections. The Schema naming

context is also an enterprise-wide naming context that contains the definitions of the

objects and attributes that can be created within the Active Directory namespace. The

Domain naming context is only replicated within the domain to other domain

controllers in that domain. A naming context is a specific region within the Active

directory namespace and defines the boundary of replication. There are no site or

global catalog naming contexts.

34. As the domain administrator you are responsible for the creation of multiple user

accounts. You have established the naming convention of the first letter of the user's

first name, and first six characters of the last name. As you begin to add users, you

get an error message indicating that an object with that username already exists.

What is responsible for preventing user objects with the same name from being

created in the Active Directory?

A. Active Directory Users and Computers prevent the creation of user objects with

identical object names within the same domain.

B. Active Directory Sites and Services prevent the creation of user objects with identical

object names within the same domain.

C. The Active Directory polices itself, preventing the creation of user objects with

identical object names within the same domain.

D. The Schema prevents the creation of user objects with identical object names within

the same domain.

34. As the domain administrator you are responsible for the creation of multiple user

accounts. You have established the naming convention of the first letter of the user's

first name, and first six characters of the last name. As you begin to add users, you

get an error message indicating that an object with that username already exists.

What is responsible for preventing user objects with the same name from being

created in the Active Directory?

*A. Active Directory Users and Computers prevent the creation of user objects with

identical object names within the same domain.

B. Active Directory Sites and Services prevent the creation of user objects with

identical object names within the same domain.

C. The Active Directory polices itself, preventing the creation of user objects with

identical object names within the same domain.

D. The Schema prevents the creation of user objects with identical object names

within the same domain.

Explanation: Active Directory Users and Computers prevents the creation of user objects

with identical object names. If you use an alternative method of adding users to the

domain, such as scripting, you should incorporate duplication checking into your

script. Active Directory Sites and Services is used to add sites and replication

connections. The Active Directory does not police itself. The schema defines the

object classes and object attributes that can be created within the Active Directory

but does not prevent object duplication.
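
One way to build the duplication check this explanation calls for into a bulk-creation script, as an added Python example that is not from the book. It assumes the existing accounts are available as an LDIF export (the format LDIFDE writes) and that logon names are held in `sAMAccountName`; the export text, the new-hire list and the function names are constructed for illustration.

```python
import base64

# Constructed sample: an LDIF export of two existing accounts. The first dn
# line is folded and the second logon name is base64-encoded ("::"); both
# forms are legal LDIF and a duplicate check must not miss them.
EXISTING_EXPORT = """\
dn: CN=Chloe Ward,CN=Users,
 DC=mcsejobs,DC=net
objectClass: user
sAMAccountName: cward

dn: CN=John Smithson,CN=Users,DC=mcsejobs,DC=net
objectClass: user
sAMAccountName:: anNtaXRocw==
"""

# Constructed sample: (first name, last name) of the accounts to be created.
NEW_HIRES = [("Carl", "Ward"), ("Jane", "Smithsonian"),
             ("Ann", "Lee"), ("Alan", "Lee"), ("Bo", "Ng")]


def ldif_values(ldif_text, attribute):
    """Return every value of `attribute` found in an LDIF text."""
    wanted = attribute.lower()
    unfolded = []
    for line in ldif_text.splitlines():
        # A line that starts with one space continues the previous line.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        if line.startswith("#") or ":" not in line:
            continue  # comment, blank separator or malformed line
        name, _, rest = line.partition(":")
        if name.strip().lower() != wanted:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def make_logon_name(first, last):
    """The convention from question 34: first letter of the first name plus
    the first six characters of the last name."""
    first, last = first.strip(), last.strip()
    if not first or not last:
        raise ValueError("both a first and a last name are required")
    return (first[0] + last[:6]).lower()


def plan_accounts(new_people, existing_logon_names):
    """Split new_people into accounts that are safe to create and collisions.

    A collision is reported as (first, last, logon_name, source), where source
    is "directory" (name already exported) or "batch" (claimed earlier in the
    same run). Names are compared case-insensitively.
    """
    in_directory = {name.lower() for name in existing_logon_names}
    in_batch = set()
    to_create, collisions = [], []
    for first, last in new_people:
        name = make_logon_name(first, last)
        if name in in_directory:
            collisions.append((first, last, name, "directory"))
        elif name in in_batch:
            collisions.append((first, last, name, "batch"))
        else:
            in_batch.add(name)
            to_create.append((first, last, name))
    return to_create, collisions


if __name__ == "__main__":
    existing = ldif_values(EXISTING_EXPORT, "sAMAccountName")
    create, clash = plan_accounts(NEW_HIRES, existing)
    for first, last, name in create:
        print(f"create  {name:8} for {first} {last}")
    for first, last, name, source in clash:
        print(f"SKIP    {name:8} for {first} {last} (already in {source})")
```

The check only reflects the export it was given, so it catches collisions with replicated data and within the batch, not accounts being created on another domain controller at the same moment.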

35. You are the administrator responsible for the implementation of the AD logical

structure. What tools can you use to add objects to the Active Directory? (Choose

four.)

A. Active Directory Users and Computers

B. Active Directory Sites and Services

C. ADSI

D. Movetree

E. LDIFDE.exe

36. As the administrator you have been asked to move users from one domain to another

domain within the same forest. What tool would you use to accomplish this?

A. Movetree

B. Cloneprincipal

C. Active Directory Users and Computers

D. Active Directory Sites and Services

35. You are the administrator responsible for the implementation of the AD logical

structure. What tools can you use to add objects to the Active Directory? (Choose

four.)

*A. Active Directory Users and Computers

B. Active Directory Sites and Services

*C. ADSI

*D. Movetree

*E. LDIFDE.exe

Explanation: Active Directory Users and Computers, ADSI scripts, Movetree, and

LDIFDE.exe can all be used to add objects to the Active Directory. Active Directory

Users and Computers is one of the default Administrative tools included with the

operating system. It is also possible to write an Active Directory Scripting Interface

(ADSI) script to add objects. Movetree is a Resource Kit utility that can be used to

move users from one domain to another within the same forest. LDIFDE.exe is a

Resource Kit utility that can be used to perform bulk imports or exports of users into

the Active Directory. Xcopy is a DOS utility that is used for copying files, not Active

Directory objects. Usrmgr is the Windows NT 4 User Manager utility and can not be

used to add objects to the Active Directory.

36. As the administrator you have been asked to move users from one domain to another

domain within the same forest. What tool would you use to accomplish this?

*A. Movetree

B. Cloneprincipal

C. Active Directory Users and Computers

D. Active Directory Sites and Services

Explanation: Movetree is a utility found on the Windows 2000 Resource Kit that allows

you to move users between different domains in the same forest. Cloneprincipal is

also a utility found on the Windows 2000 Resource Kit but it is used to move users

and groups between domains in different forests and only works between different

domains in different forests. Active Directory Users and Computers can be used to

create, modify and delete users in a domain but not move them. Active Directory

Sites and Services does not allow you to manage users and groups.

37. As the administrator you have been asked to move users from one domain in one

forest to another domain in a second forest. What tool would you use to accomplish

this?

A. Movetree

B. Cloneprincipal

C. Active Directory Users and Computers

D. Active Directory Sites and Services

38. NASA spent millions of dollars on a space program project that involved trying to

design a pen that works in a zero gravity environment. At the same time the Russian

space program decided to use a pencil in zero gravity environments. Which of the

following planning guidelines best represents the Russians' methodology?

A. Keep it simple

B. Aim for the ideal design

C. Evaluate multiple alternatives

D. Anticipate change

37. As the administrator you have been asked to move users from one domain in one

forest to another domain in a second forest. What tool would you use to accomplish

this?

A. Movetree

*B. Cloneprincipal

C. Active Directory Users and Computers

D. Active Directory Sites and Services

Explanation: Cloneprincipal is a utility found on the Windows 2000 Resource Kit and is

used to move users and groups between domains in different forests but only works

between different domains in different forests. Movetree is also a utility found on the

Windows 2000 Resource Kit that allows you to move users between different

domains in the same forest. Active Directory Users and Computers can be used to

create, modify and delete users in a domain but not move them. Active Directory

Sites and Services does not allow you to manage users and groups.

38. NASA spent millions of dollars on a space program project that involved trying to

design a pen that works in a zero gravity environment. At the same time the Russian

space program decided to use a pencil in zero gravity environments. Which of the

following planning guidelines best represents the Russians' methodology?

*A. Keep it simple

B. Aim for the ideal design

C. Evaluate multiple alternatives

D. Anticipate change

Explanation: Keeping it simple best represents the Russians' methodology. Aiming for

the ideal design would be the methodology used by the Americans. Evaluating

multiple alternatives could have applied to both countries in this example but not

enough information was given to make that assumption. Anticipate change too could

have applied to both countries but again not enough information was given to make

that assumption.

39. NASA spent millions of dollars on a space program project that involved

trying to design a pen that works in a zero gravity environment. At the same time the

Russian space program decided to use a pencil in a zero gravity environment. Which

of the following planning guidelines best represents the Americans' methodology?

A. Keep it simple

B. Aim for the ideal design

C. Evaluate multiple alternatives

D. Anticipate change

40. As the administrator of the mcsejobs.net Windows 2000 directory service you are

responsible for the creation, management and deletion of all the objects in the

directory. You have recently hired a summer student named Chloe Ward to assist

you in your responsibilities, and are trying to explain the concept of a distinguished

name to help Chloe locate the correct object in the directory service. To demonstrate

this, you open Active Directory Users and Computers and create an account for

Chloe with a username of "cward" in the Users container. What is the distinguished

name of Chloe's user object?

A. CN=Chloe Ward,CN=Users,DC=mcsejobs,DC=net

B. CN=Cward,CN=Users,DC=mcsejobs, DC=net

C. CN=Chloe Ward,OU=Users,DC=mcsejobs,DC=net

D. CN=Cward,CN=Users,DC=mcsejobs.net

39. NASA spent millions of dollars on a space program project that involved

trying to design a pen that works in a zero gravity environment. At the same time the

Russian space program decided to use a pencil in a zero gravity environment. Which

of the following planning guidelines best represents the Americans' methodology?

A. Keep it simple

*B. Aim for the ideal design

C. Evaluate multiple alternatives

D. Anticipate change

Explanation: Aiming for the ideal design represents the Americans' methodology in this

case. Obviously one of the problems with aiming for the ideal design is that it is

possible that you can get caught up in the pursuit of excellence and lose sight of

other important decision criteria. Keeping it simple best represents the Russians'

methodology. Evaluating multiple alternatives could have applied to both countries

in this example but not enough information was given to make that assumption.

Anticipate change too could have applied to both countries but again not enough

information was given to make that assumption.

40. As the administrator of the mcsejobs.net Windows 2000 directory service you are

responsible for the creation, management and deletion of all the objects in the

directory. You have recently hired a summer student named Chloe Ward to assist

you in your responsibilities, and are trying to explain the concept of a distinguished

name to help Chloe locate the correct object in the directory service. To demonstrate

this, you open Active Directory Users and Computers and create an account for

Chloe with a username of "cward" in the Users container. What is the distinguished

name of Chloe's user object?

*A. CN=Chloe Ward,CN=Users,DC=mcsejobs,DC=net

B. CN=Cward,CN=Users,DC=mcsejobs, DC=net

C. CN=Chloe Ward,OU=Users,DC=mcsejobs,DC=net

D. CN=Cward,CN=Users,DC=mcsejobs.net

Explanation: Every object in the Active Directory has a distinguished name that

identifies the domain in which the object is located and the complete path by which

the object is reached. The path consists of common names (CN), organizational units

(OU) and domain components (DC). The correct distinguished name in this example

points to the common name Chloe Ward, followed by the common name Users, the

container where the Chloe Ward object resides. Next are the domain components

mcsejobs and net which indicate the correct domain that the object is located in.
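
The four answer options of question 40 compared component by component, as an added Python example that is not part of the book. `split_dn`, `dc_labels` and `diff_dn` are hypothetical helper names; the parser handles backslash escapes and spaces after the separating commas, but not multi-valued RDNs or hex-encoded values.

```python
from itertools import zip_longest

# The options exactly as printed in question 40.
CORRECT = "CN=Chloe Ward,CN=Users,DC=mcsejobs,DC=net"
OPTIONS = {
    "B": "CN=Cward,CN=Users,DC=mcsejobs, DC=net",
    "C": "CN=Chloe Ward,OU=Users,DC=mcsejobs,DC=net",
    "D": "CN=Cward,CN=Users,DC=mcsejobs.net",
}


def split_dn(dn):
    """Split a distinguished name into (TYPE, value) pairs, leftmost first.

    A comma separates components unless it is escaped with a backslash, so
    "CN=Ward\\, Chloe" stays one component with the value "Ward, Chloe".
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)      # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(current))

    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component: {part!r}")
        # Attribute types are case-insensitive; store them upper-cased.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dc_labels(rdns):
    """Return the domain components in order, one list entry per DC= part."""
    return [value for attr, value in rdns if attr == "DC"]


def normalized(rdn):
    """Comparison key: values are compared without regard to case."""
    return None if rdn is None else (rdn[0], rdn[1].lower())


def diff_dn(expected, candidate):
    """List the positions where two DNs differ as (index, expected, candidate).

    An empty list means the DNs name the same object even if their spacing
    or letter case differs, which a plain string comparison would miss.
    """
    pairs = zip_longest(split_dn(expected), split_dn(candidate))
    return [(i, e, c) for i, (e, c) in enumerate(pairs)
            if normalized(e) != normalized(c)]


if __name__ == "__main__":
    print("domain of the correct DN:", ".".join(dc_labels(split_dn(CORRECT))))
    for letter, dn in OPTIONS.items():
        for index, want, got in diff_dn(CORRECT, dn):
            print(f"option {letter}, component {index}: expected {want}, found {got}")
```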

41. As the administrator you have been asked to move computers from one domain in one

forest to another domain in a different forest. What tool would you use to accomplish

this?

A. Movetree

B. Cloneprincipal

C. Active Directory Users and Computers

D. Netdom

42. As the administrator of your organization's Active Directory domain, you have

learned through working with the directory service that certain names and identifiers

are required to be unique in the Active Directory. Which of the following names and

identifiers are required to be unique within a forest? (Choose four.)

A. Distinguished name

B. Relative distinguished name

C. Globally Unique Identifier (GUID)

D. User Principal Name

E. Object Identifier (OID)

41. As the administrator you have been asked to move computers from one domain in one

forest to another domain in a different forest. What tool would you use to accomplish

this?

A. Movetree

B. Cloneprincipal

C. Active Directory Users and Computers

*D. Netdom

Explanation: Netdom.exe is a Resource Kit utility that can be used to move computers

from one domain in one forest to another domain in another forest. Cloneprincipal is

a Resource Kit utility that can be used to move users and groups between domains,

but only if the domains are in different forests. Movetree is a Resource Kit utility

that can be used to move users and groups between domains in the same forest.

Active Directory Users and Computers can not be used to move computers between

domains, only between OUs within the same domain.

42. As the administrator of your organization's Active Directory domain, you have

learned through working with the directory service that certain names and identifiers

are required to be unique in the Active Directory. Which of the following names and

identifiers are required to be unique within a forest? (Choose four.)

*A. Distinguished name

B. Relative distinguished name

*C. Globally Unique Identifier (GUID)

*D. User Principal Name

*E. Object Identifier (OID)

Explanation: A distinguished name is guaranteed to be unique in a forest as the Active

Directory does not allow two objects with the same relative distinguished name

within the same container. The Relative Distinguished Name only has to be unique

within its parent container, not within the forest. An example of this would be two

users named Jane Smith existing in the forest but in different containers. The first

Jane Smith could be created in the Users container and the second Jane Smith could

be created within an OU named Sales. A GUID is a 128-bit hexadecimal

representation that Windows 2000 assigns to an object when created and is required

to be unique. An OID is also required to be unique. An OID is required when adding

object classes or object attributes to the schema.

43. As the administrator of your organization's Active Directory domain, you have

learned through working with the directory service that certain names and identifiers

are required to be unique in the Active Directory. Of the following names and

identifiers which two could be duplicated within a forest even though they are

required to be unique? (Choose two.)

A. Distinguished name

B. Relative distinguished name

C. Globally Unique Identifier (GUID)

D. User Principal Name

E. Object Identifier (OID)

44. In designing your Active Directory structure, you have decided to replace some

existing NT 4.0 domains with organizational units in Windows 2000. Within which

of the following logical and physical components can an organizational unit be

created? (Choose two.)

A. Domain

B. Organizational Unit

C. Schema

D. Site

43. As the administrator of your organization's Active Directory domain, you have

learned through working with the directory service that certain names and identifiers

are required to be unique in the Active Directory. Of the following names and

identifiers which two could be duplicated within a forest even though they are

required to be unique? (Choose two.)

A. Distinguished name

*B. Relative distinguished name

C. Globally Unique Identifier (GUID)

*D. User Principal Name

E. Object Identifier (OID)

Explanation: A Relative Distinguished Name only has to be unique within its parent

container, not within the forest. The creation of users simultaneously on different

domain controllers could allow for two users with identical Relative Distinguished

names to be created. The same is true of User Principal Names. If two users were

created simultaneously, two identical UPNs could be created. A distinguished name

is guaranteed to be unique in a forest as the Active Directory does not allow two

objects with the same relative distinguished name within the same container. A

GUID is a 128-bit hexadecimal representation that Windows 2000 assigns to an

object when created and is required to be unique. An OID is also required to be

unique. An OID is required when adding object classes or object attributes to the

schema.

44. In designing your Active Directory structure, you have decided to replace some

existing NT 4.0 domains with organizational units in Windows 2000. Within which

of the following logical and physical components can an organizational unit be

created? (Choose two.)

*A. Domain

*B. Organizational Unit

C. Schema

D. Site

Explanation: An organizational unit can be created in both a domain and in another

organizational unit. An organizational unit cannot be created within the schema or at

the site level. The schema allows for organizational units to be created but the

schema is an object itself within the Active Directory. A domain can be a member of

a site, and an organizational unit can be created within a domain, but an OU can not

be created directly within a site.

45. There are two modes that the Active Directory service can be set to run in. What

mode is the domain in after you install Active Directory and establish a domain?

A. native mode

B. mixed mode

C. primary mode

D. default mode

46. You have just been hired by mcsejobs.net to work as an administrator of the

company's Windows 2000 network. One of the first questions you have upon joining

is whether the domain is in mixed or native mode. Before asking, you decide to open

Active Directory Users and Computers and create a group to determine what mode

the domain is in. What type of group will you be unable to create if the domain is in

mixed mode?

A. Universal Security

B. Universal Distribution

C. Global Security

D. Global Distribution

E. Domain Local Security

45. There are two modes that the Active Directory service can be set to run in. What

mode is the domain in after you install Active Directory and establish a domain?

A. native mode

*B. mixed mode

C. primary mode

D. default mode

Explanation: Mixed mode is the default mode that all domains are in after the

installation of Active Directory. Mixed mode allows for both Windows 2000 domain

controllers and Windows NT 4.0 domain controllers to exist and participate in the

domain. An Administrator must convert the domain to native mode. Switching to

native mode allows the administrator to take advantage of more features of the

Windows 2000 operating system.

46. You have just been hired by mcsejobs.net to work as an administrator of the

company's Windows 2000 network. One of the first questions you have upon joining

is whether the domain is in mixed or native mode. Before asking, you decide to open

Active Directory Users and Computers and create a group to determine what mode

the domain is in. What type of group will you be unable to create if the domain is in

mixed mode?

*A. Universal Security

B. Universal Distribution

C. Global Security

D. Global Distribution

E. Domain Local Security

Explanation: Universal Security groups can only be created when the domain is in

native mode, not in mixed mode. All other types of groups can be created in both

domain modes.

47. You are the network administrator of Great Lava Plc., which consists of one domain tree broken into a root domain called greatlava.com and four child domains named Europe, Asia, NA and SA. The root domain has a total of four domain controllers, two of which are running Windows 2000, and the other two are configured as BDC's running Windows NT 4. The administrator of the Europe child domain would like to change his domain to native mode. What would be the correct procedure to change the Europe domain to native mode?

A. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Then upgrade the Europe domain to native mode.

B. Upgrade the Europe domain to native mode.

C. Upgrade the root domain to native mode and prepare the other child domains for the upgrade, then upgrade the Europe domain and all other domains in the tree will be upgraded automatically.

D. Upgrade the two remaining BDC's in the root domain to Windows 2000, and upgrade the root domain. Upgrading the root domain will upgrade all the child domains.

47. You are the network administrator of Great Lava Plc., which consists of one domain

tree broken into a root domain called greatlava.com and four child domains named

Europe, Asia, NA and SA. The root domain has a total of four domain controllers,

two of which are running Windows 2000, and the other two are configured as BDC's

running Windows NT 4. The administrator of the Europe child domain would like to

change his domain to native mode. What would be the correct procedure to change

the Europe domain to native mode?

A. Upgrade the two remaining BDC's in the root domain to Windows 2000, and

upgrade the root domain. Then upgrade the Europe domain to native mode.

*B. Upgrade the Europe domain to native mode.

C. Upgrade the root domain to native mode and prepare the other child domains for

the upgrade, then upgrade the Europe domain and all other domains in the tree

will be upgraded automatically.

D. Upgrade the two remaining BDC's in the root domain to Windows 2000, and

upgrade the root domain. Upgrading the root domain will upgrade all the child

domains.

Explanation: Domains can be upgraded to native mode individually without concern for

the state of other domains in the tree or forest. Upgrading a domain only upgrades

that one domain and not any others in the tree or forest.

48. In implementing your Active Directory structure, you have decided to collapse a number of existing Windows NT 4.0 resource domains into a single Windows 2000 domain and replace them with organizational units. Management has asked you to explain the reasoning behind your decision. In order to do that, you have outlined a number of reasons for using organizational units. Which of the following statements about organizational units are true? (Choose three.)

A. Organizational units can be nested in other organizational units.

B. Objects can be moved between organizational units within a domain.

C. Objects can be moved between organizational units within a forest.

D. Organizational units can be used instead of groups to assign permissions.

E. Organizational units can contain printers, users, groups, and computers.


48. In implementing your Active Directory structure, you have decided to collapse a

number of existing Windows NT 4.0 resource domains into a single Windows 2000

domain and replace them with organizational units. Management has asked you to

explain the reasoning behind your decision. In order to do that, you have outlined a

number of reasons for using organizational units. Which of the following statements

about organizational units are true? (Choose three.)

*A. Organizational units can be nested in other organizational units.

*B. Objects can be moved between organizational units within a domain.

C. Objects can be moved between organizational units within a forest.

D. Organizational units can be used instead of groups to assign permissions.

*E. Organizational units can contain printers, users, groups, and computers.

Explanation: Organizational units can be nested in other organizational units, and objects within one OU can be moved to another OU within the same domain but not between domains. Organizational units cannot be assigned permissions in place of groups. An OU is a logical grouping of objects over which control can be delegated for task-based administration, but it cannot be used as a replacement for security groups. Printers, users, groups and computers can be placed in an OU.


49. As one of the network administrators in your organization, you sit on the design

committee and are trying to decide on reasons for or against using multiple domains. Of

the reasons below, which of the following is not a valid reason for creating multiple

domains?

A. Politics

B. Different security requirements

C. Large number of objects

D. Better control of replication

E. Decentralized administration

50. As one of the network administrators in your Windows 2000 domain you are

explaining the concept of transitive trusts to a colleague. Which of the following

statements best represents the concept of a transitive trust?

A. If domain A trusts domain B and domain B trusts domain C then domain A trusts

domain C.

B. If domain A trusts domain C and domain B trusts domain C then domain A and

domain B trust domain C.

C. If domain A trusts domain B and domain B trusts domain A then domain A is trusted

by domain B.

D. If domain A trusts domain B and domain B trusts domain C then domain C trusts

domain B.


49. As one of the network administrators in your organization, you sit on the design

committee and are trying to decide on reasons for or against using multiple domains. Of

the reasons below, which of the following is not a valid reason for creating multiple

domains?

A. Politics

B. Different security requirements

*C. Large number of objects

D. Better control of replication

E. Decentralized administration

Explanation: Politics, different security requirements like password policy, control of replication, and decentralized administration are all valid reasons for choosing a multiple domain model. Having a large number of objects is not a valid reason. Scalability is limited not by the domain but by the forest. It is the global catalog that is forest-wide and must be able to store all the objects of the forest. Domain controllers store all the objects and their respective attributes within their domain. Global catalog servers store all the objects from all domains in the forest, but only selected properties of objects outside the domain the global catalog server is a member of. Global catalog servers are also domain controllers, so they are also responsible for storing all the objects and object attributes within their own domain.

50. As one of the network administrators in your Windows 2000 domain you are

explaining the concept of transitive trusts to a colleague. Which of the following

statements best represents the concept of a transitive trust?

*A. If domain A trusts domain B and domain B trusts domain C then domain A

trusts domain C.

B. If domain A trusts domain C and domain B trusts domain C then domain A and

domain B trust domain C.

C. If domain A trusts domain B and domain B trusts domain A then domain A is

trusted by domain B.

D. If domain A trusts domain B and domain B trusts domain C then domain C trusts

domain B.

Explanation: Transitive trusts mean that if one domain trusts a second domain and that

second domain trusts a third domain, then the first domain also trusts the third

domain due to the trusts.


51. You are the network administrator for your organization. Your Windows 2000

domain consists of a forest of two trees. The root of the forest is called gotcha.com

and has two child domains called east and west. The second tree's root is called

voodoo.com and also has two child domains named east and west. As the

administrator of east.voodoo.com you would like to make changes to the schema. In

which domain would you need to be added to the Schema Admins group?

A. East.voodoo.com

B. Voodoo.com

C. Gotcha.com

D. Voodoo.com and East.voodoo.com

52. As the administrator of your organization's Windows 2000 domain, you are interested

in measuring the size of the Active Directory database. What is the name of the

Active Directory database file and where is it stored?

A. %windir%\system32\ntds.dit

B. %windir%\ntds\ntds.dit

C. %windir%\system32\edb.chk

D. %windir%\ntds\edb.chk

E. %windir%\security\database\secedit.sdb


51. You are the network administrator for your organization. Your Windows 2000

domain consists of a forest of two trees. The root of the forest is called gotcha.com

and has two child domains called east and west. The second tree's root is called

voodoo.com and also has two child domains named east and west. As the

administrator of east.voodoo.com you would like to make changes to the schema. In

which domain would you need to be added to the Schema Admins group?

A. East.voodoo.com

B. Voodoo.com

*C. Gotcha.com

D. Voodoo.com and East.voodoo.com

Explanation: The Schema Admins group only exists in the root domain of the forest,

which in this case is gotcha.com. Therefore that is the domain in which you will have

to be added to the Schema Admins group.

52. As the administrator of your organization's Windows 2000 domain, you are interested

in measuring the size of the Active Directory database. What is the name of the

Active Directory database file and where is it stored?

A. %windir%\system32\ntds.dit

*B. %windir%\ntds\ntds.dit

C. %windir%\system32\edb.chk

D. %windir%\ntds\edb.chk

E. %windir%\security\database\secedit.sdb

Explanation: The correct path to the Active Directory database is %windir%\ntds\ and

the name of the file is ntds.dit. There is a second ntds.dit file in the system32

directory but that file is the original that gets copied when Active Directory is

installed and moved to its new location in the ntds directory on the domain controller.

The edb.chk files are the checkpoint files that track the transactions that have or have

not been committed to the database.


53. As one of the network administrators in your organization, you sit on the design

committee and are trying to decide on reasons for or against using multiple sites. Of the

reasons below, what are two valid reasons to use multiple sites?

A. To optimize replication traffic

B. To optimize authentication traffic

C. To allow for faster searches of the Active Directory

D. To optimize administration

E. To optimize operations masters

54. You are one of the administrators responsible for making schema changes in your

organization. You launch the MMC from the Run command and try to add the

Schema management snap-in, but it's not in the list of available snap-ins. What can

you do to get the schema management snap-in to appear in the list?

A. At the Run command type regsvr32 schmmgmt.dll

B. At the Run command type regedt32

C. At the Run command type runas /user:america\administrator "mmc

%windir%\system32\schmgmt.msc"

D. At the Run command type runas /user:mcsejobs.net\administrator "mmc

%windir%\system32\schmgmt.msc"


53. As one of the network administrators in your organization, you sit on the design

committee and are trying to decide on reasons for or against using multiple sites. Of the

reasons below, what are two valid reasons to use multiple sites?

*A. To optimize replication traffic

*B. To optimize authentication traffic

C. To allow for faster searches of the Active Directory

D. To optimize administration

E. To optimize operations masters

Explanation: Sites are used for two primary reasons: to optimize replication and

authentication traffic. By creating sites, as an administrator you can govern when the

connections between sites are used for replication and you can force your users to try

to authenticate to a domain controller within their own site before using a costly

connection to authenticate to a distant domain controller.

54. You are one of the administrators responsible for making schema changes in your

organization. You launch the MMC from the Run command and try to add the

Schema management snap-in, but it's not in the list of available snap-ins. What can

you do to get the schema management snap-in to appear in the list?

*A. At the Run command type regsvr32 schmmgmt.dll

B. At the Run command type regedt32

C. At the Run command type runas /user:america\administrator "mmc

%windir%\system32\schmgmt.msc"

D. At the Run command type runas /user:mcsejobs.net\administrator "mmc

%windir%\system32\schmgmt.msc"

Explanation: The Schema Management snap-in is not available in the list of available

add-ins until the adminpak.msi, which contains all the administrative tools, is

installed or the schema management .dll is registered. Using the runas command will

not register the schema management .dll by itself. Running the regedt32 utility will

not register the .dll.


55. You are the administrator of the Canada OU in the America domain of your

organization's Windows 2000 Active Directory network. You have created a number

of user accounts in the OU under the following naming convention: the first initial of

the user's first name and the first 6 characters of the last name. You are now

interested in creating computer accounts in the same OU for the Windows 2000

Professional computers. Of the following naming conventions, which one will not

work in the Canada OU?

A. First initial of the computer user's first name, and first 6 characters of the last name

B. First initial of the computer user's last name, and first 6 characters of the first name

C. First initial of the computer user's first name, and first 6 characters of the last name

followed by the number 1

D. First initial of the computer user's last name, and first 6 characters of the first name

followed by the user's department ID

56. As the administrator of your Windows 2000 network, you are trying to decide upon a

group strategy that will minimize replication between global catalog servers in your

Active Directory multiple domain structure. Which of the following strategies will

minimize the replication between global catalog servers?

A. Place users into global groups and add global groups to universal groups.

B. Place users into both global groups and universal groups.

C. Place users into universal groups and add universal groups to global groups.

D. Place users into universal groups and add universal groups to domain local groups.


55. You are the administrator of the Canada OU in the America domain of your

organization's Windows 2000 Active Directory network. You have created a number

of user accounts in the OU under the following naming convention: the first initial of

the user's first name and the first 6 characters of the last name. You are now

interested in creating computer accounts in the same OU for the Windows 2000

Professional computers. Of the following naming conventions, which one will not

work in the Canada OU?

*A. First initial of the computer user's first name, and first 6 characters of the last name

B. First initial of the computer user's last name, and first 6 characters of the first name

C. First initial of the computer user's first name, and first 6 characters of the last name followed by the number 1

D. First initial of the computer user's last name, and first 6 characters of the first name followed by the user's department ID

Explanation: The naming convention used for computers cannot be the same as the user

account naming convention because of the requirements of distinguished names.

Distinguished names must be unique in the Active Directory. The naming

conventions could be the same if used in different organizational units but not in the

same organizational unit.

56. As the administrator of your Windows 2000 network, you are trying to decide upon a

group strategy that will minimize replication between global catalog servers in your

Active Directory multiple domain structure. Which of the following strategies will

minimize the replication between global catalog servers?

*A. Place users into global groups and add global groups to universal groups.

B. Place users into both global groups and universal groups.

C. Place users into universal groups and add universal groups to global groups.

D. Place users into universal groups and add universal groups to domain local

groups.

Explanation: Placing users into global groups and global groups into universal groups

will minimize the replication between global catalog servers. If a universal group's

membership is made up of individual user accounts, replication will occur whenever

the universal group's membership changes. By adding global groups to universal

groups, the membership of a global group can change without affecting the

membership of the universal group.


57. Your manager has been attending a number of Microsoft Windows 2000 briefings

and hearing about the idea of delegating administration and how with Windows 2000

it is possible to collapse your multiple domain structures into fewer domains. What

component of the logical structure allows you as the administrator to do all this?

A. The creation of organizational units

B. The creation of group policy

C. The creation of sites

D. The creation of universal groups

58. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and would like to configure a second

in the east.planet.com domain. Which criteria do you have to meet in order to

configure a global catalog server?

A. Must be a member of the Enterprise Administrators group

B. Must be a member of the Domain Administrators group

C. Must be a member of the Schema Administrators group

D. Must be a member of the planet.com domain administrators group


57. Your manager has been attending a number of Microsoft Windows 2000 briefings

and hearing about the idea of delegating administration and how with Windows 2000

it is possible to collapse your multiple domain structures into fewer domains. What

component of the logical structure allows you as the administrator to do all this?

*A. The creation of organizational units

B. The creation of group policy

C. The creation of sites

D. The creation of universal groups

Explanation: Organizational units allow for administration to be delegated in whole or in

part to a user or a group of users for a specific organizational unit. Task-based

delegation would include such things as the ability to change passwords. The

creation of group policies does not allow for administration to be delegated, but

rather allows a set of rules to be applied at various levels in the logical structure. The

creation of sites is useful for the administration of replication and authentication

traffic.

58. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and would like to configure a second

in the east.planet.com domain. Which criteria do you have to meet in order to

configure a global catalog server?

A. Must be a member of the Enterprise Administrators group

*B. Must be a member of the Domain Administrators group

C. Must be a member of the Schema Administrators group

D. Must be a member of the planet.com domain administrators group

Explanation: In order to configure a domain controller to be a global catalog server you

must be a member of the domain administrators group.


59. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and would like to configure a second

in the east.planet.com domain. Which utility can be used to configure a domain

controller to be a global catalog server?

A. Active Directory Users and Computers

B. Active Directory Sites and Services

C. Dcpromo /gc

D. Schema Management

E. Security Templates

60. Your manager has been attending a number of Microsoft Windows 2000 briefings

and hearing about the idea of global catalog servers. He is not sure what these

servers are used for. He suggests a number of features of a global catalog server

below. Which of the following are global catalog features? (Choose three.)

A. Allow for easier searching of objects.

B. Can use universal group membership information to log on to the network.

C. Allow a domain to be switched to Native mode.

D. Allow for more than one million objects to be stored in the Active Directory.

E. Contains the access permissions for each object and attribute in the forest.


59. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and would like to configure a second

in the east.planet.com domain. Which utility can be used to configure a domain

controller to be a global catalog server?

A. Active Directory Users and Computers

*B. Active Directory Sites and Services

C. Dcpromo /gc

D. Schema Management

E. Security Templates

Explanation: Active Directory Sites and Services. When you get into this utility, you

expand the Servers folder, then you expand the NTDS settings of the particular

server. You then right-click on NTDS Settings and click on properties. There you

will see the check box labeled "Global Catalog" that you would check.

60. Your manager has been attending a number of Microsoft Windows 2000 briefings

and hearing about the idea of global catalog servers. He is not sure what these

servers are used for. He suggests a number of features of a global catalog server

below. Which of the following are global catalog features? (Choose three.)

*A. Allow for easier searching of objects.

*B. Can use universal group membership information to log on to the network.

C. Allow a domain to be switched to Native mode.

D. Allow for more than one million objects to be stored in the Active Directory.

*E. Contains the access permissions for each object and attribute in the forest.

Explanation: Global catalog servers store all of the objects in your forest and act as a

central repository that can be easily searched by your users. The global catalog can

also be used to allow users to log on via universal group memberships. A global

catalog also contains the access permissions for each object and attribute, meaning

that only users with the permission to view the object they are searching for will see

that object in the result set. A global catalog doesn't have anything to do with the

number of objects that can be stored in the Active Directory and doesn't specifically

prevent or allow switching between domain modes.


61. As the administrator of your company's single domain model you are interested in

dividing the Operations Master roles amongst the four domain controllers in your

domain. What is the recommended method to do this?

A. Use NTDSUTIL to seize the roles from one domain controller to another.

B. Use Active Directory Sites and Services to transfer the roles from one domain

controller to another.

C. Use Active Directory Users and Computers to transfer the roles from one domain

controller to another.

D. Use NTDSUTIL to transfer the roles from one domain controller to another.

62. You and another administrator are adding users to your organization's single domain

on two different domain controllers. A third administrator changes a password of a

domain user account. During the next replication cycle, how will the password

change replicate between domain controllers?

A. The entire user object and all properties will be replicated between domain controllers.

B. The entire object and all properties will be replicated to the domain controller's

replication partners.

C. The object's password property will be replicated between domain controllers.

D. The object's password property will be replicated to the domain controller's replication

partners.


61. As the administrator of your company's single domain model you are interested in

dividing the Operations Master roles amongst the four domain controllers in your

domain. What is the recommended method to do this?

A. Use NTDSUTIL to seize the roles from one domain controller to another.

B. Use Active Directory Sites and Services to transfer the roles from one domain

controller to another.

*C. Use Active Directory Users and Computers to transfer the roles from one

domain controller to another.

D. Use NTDSUTIL to transfer the roles from one domain controller to another.

Explanation: Active Directory Users and Computers should be used to transfer the roles

amongst the domain controllers. Seizing the roles is only recommended when the

domain controller that has the role has crashed and is unrecoverable. NTDSUTIL is

the utility used to seize but not transfer the operations master roles.

62. You and another administrator are adding users to your organization's single domain

on two different domain controllers. A third administrator changes a password of a

domain user account. During the next replication cycle, how will the password

change replicate between domain controllers?

A. The entire user object and all properties will be replicated between domain

controllers.

B. The entire object and all properties will be replicated to the domain controller's

replication partners.

C. The object's password property will be replicated between domain controllers.

*D. The object's password property will be replicated to the domain controller's

replication partners.

Explanation: Replication occurs at the attribute level in Windows 2000, so only the

password change itself would be replicated, not all the properties of the object. The

attribute will be replicated to the domain controller's replication partners, not all

domain controllers.


63. As the administrator of your company's Windows 2000 domain you are required to

import all of the users and groups from another LDAP compliant directory. What

tool will you use to do this?

A. LDIFDE

B. Active Directory Users and Computers

C. CSVDE

D. NTDSUTIL

64. You are the administrator of your organization's newly migrated Windows 2000

network. The network currently consists of both Windows NT domain controllers

and Windows 2000 domain controllers. Your users and groups have been

successfully migrated to the Users container. During the migration, you decided that

some reengineering of your organization's existing groups was in order to take

advantage of some of the new features of Windows 2000. As you begin to make

some changes to the groups, you find that you are unable to nest global groups

within other global groups. What is preventing you from doing this?

A. You must be a member of the enterprise administrators group to nest groups.

B. Nesting of groups is a special right that must be assigned to a user to allow them to

perform that task.

C. The domain must be in native mode to nest groups.

D. Group nesting must be performed at the global catalog server, not just any domain

controller.


63. As the administrator of your company's Windows 2000 domain you are required to

import all of the users and groups from another LDAP compliant directory. What

tool will you use to do this?

*A. LDIFDE

B. Active Directory Users and Computers

C. CSVDE

D. NTDSUTIL

Explanation: LDIFDE is a command line utility that can be used to import and export

directory information. Neither Active Directory Users and Computers nor NTDSUTIL

can be used to import from another LDAP compliant directory. CSVDE is

used to import or export data from comma-separated value (csv) formatted files like

those used in Excel.

64. You are the administrator of your organization's newly migrated Windows 2000

network. The network currently consists of both Windows NT domain controllers

and Windows 2000 domain controllers. Your users and groups have been

successfully migrated to the Users container. During the migration, you decided that

some reengineering of your organization's existing groups was in order to take

advantage of some of the new features of Windows 2000. As you begin to make

some changes to the groups, you find that you are unable to nest global groups

within other global groups. What is preventing you from doing this?

A. You must be a member of the enterprise administrators group to nest groups.

B. Nesting of groups is a special right that must be assigned to a user to allow them

to perform that task.

*C. The domain must be in native mode to nest groups.

D. Group nesting must be performed at the global catalog server, not just any

domain controller.

Explanation: In order to nest groups, the domain must be in native mode, not mixed

mode. You do not have to be a member of the enterprise administrators group and

there is no special right to nest groups that would allow for nesting in native mode.

The nesting of groups can be performed on any domain controller or even remotely

with the administrative tools installed on a Windows 2000 Professional computer.


65. You are one of five administrators in your organization and are part of the Windows

2000 system administration team. You originally migrated your five Windows NT 4

domains to Windows 2000 domains but have now collapsed all five into one

Windows 2000 domain. When you removed the four existing domains you did not

choose the option that specified that this domain controller was the last domain

controller in the domain, hence the domains did not get deleted. How can you delete

the domains?

A. Use Active Directory Domains and Trusts to remove the domains

B. Use eseutil to remove the domains

C. Use ntdsutil to remove the domains

D. Use Active Directory Users and Computers to remove the domains

66. You are the senior Windows 2000 system administrator in your organization and are

guiding a junior administrator through the process of installing a domain controller

in an existing Windows 2000 domain. What two choices will you inform the junior

administrator are available?

A. During the installation of Windows 2000 Server, choose the role of the computer to be

a domain controller.

B. After the installation of Active Directory, at the Run command, have the junior

administrator type dcpromo and answer the prompts in the Wizard.

C. After the installation of Active Directory, from the Administrative Tools menu, select

to Configure the Computer, choose the Active Directory hyperlink, select to install

and answer the prompts in the Wizard.

D. From the Command Prompt, type dcpromote and answer the prompts in the Wizard.


65. You are one of five administrators in your organization and are part of the Windows

2000 system administration team. You originally migrated your five Windows NT 4

domains to Windows 2000 domains but have now collapsed all five into one

Windows 2000 domain. When you removed the four existing domains you did not

choose the option that specified that this domain controller was the last domain

controller in the domain, hence the domains did not get deleted. How can you delete

the domains?

A. Use Active Directory Domains and Trusts to remove the domains

B. Use eseutil to remove the domains

*C. Use ntdsutil to remove the domains

D. Use Active Directory Users and Computers to remove the domains

Explanation: ntdsutil is a command line utility that can be used to add and remove

domains. Domains cannot be removed with Active Directory Domains and Trusts or

Active Directory Users and Computers. Eseutil is a command line utility that can be

used to repair, check, move, compact, and dump the directory database files and is

often called by ntdsutil to perform these various operations.

66. You are the senior Windows 2000 system administrator in your organization and are

guiding a junior administrator through the process of installing a domain controller

in an existing Windows 2000 domain. What two choices will you inform the junior

administrator are available?

A. During the installation of Windows 2000 Server, choose the role of the computer

to be a domain controller.

*B. After the installation of Active Directory, at the Run command, have the junior

administrator type dcpromo and answer the prompts in the Wizard.

*C. After the installation of Active Directory, from the Administrative Tools menu,

select to Configure the Computer, choose the Active Directory hyperlink, select

to install and answer the prompts in the Wizard.

D. From the Command Prompt, type dcpromote and answer the prompts in the

Wizard.

Explanation: The dcpromo command and the Configure Your Server selection on the

Administrative Tools menu are the two ways in which you can promote a Windows

2000 member server to be a Windows 2000 Active Directory domain controller.

Unlike NT 4.0, there is no longer a choice during the installation of the operating

system to choose a role for the server.


67. You are the senior Windows 2000 system administrator in your organization and are

about to demote one of your original Windows 2000 domain controllers to a

Windows 2000 member server. What is the correct procedure to do this?

A. Log on to the domain as a user that is a member of the Enterprise Admins group. At

the Run Command type dcpromo and answer the prompts from the wizard.

B. Log on to the domain as a user that is a member of the Schema Admins group. At the

Run Command type dcpromo and answer the prompts from the wizard.

C. Log on to the domain as a user that is a member of the Domain Admins group. At the

Run Command type dcpromo and answer the prompts from the wizard.

D. Log on to the computer as local Administrator. At the Run Command type dcpromo

and answer the prompts from the wizard.

E. Reinstall the operating system and choose the Domain Controller role during setup.


67. You are the senior Windows 2000 system administrator in your organization and are

about to demote one of your original Windows 2000 domain controllers to a

Windows 2000 member server. What is the correct procedure to do this?

*A. Log on to the domain as a user that is a member of the Enterprise Admins

group. At the Run Command type dcpromo and answer the prompts from the

wizard.

B. Log on to the domain as a user that is a member of the Schema Admins group. At

the Run Command type dcpromo and answer the prompts from the wizard.

C. Log on to the domain as a user that is a member of the Domain Admins group. At

the Run Command type dcpromo and answer the prompts from the wizard.

D. Log on to the computer as local Administrator. At the Run Command type

dcpromo and answer the prompts from the wizard.

E. Reinstall the operating system and choose the Domain Controller role during

setup.

Explanation: In order to demote a Windows 2000 domain controller to a member server,

you must be logged on as a user that is a member of the Enterprise Admins group.

The Enterprise Admins group only exists in the root domain of the Forest. Logging

on locally to a domain controller is not possible except as a member of the Domain

Administrators group and even in this case, the option would not be available from

the logon dialog box. Reinstalling the operating system is no longer required as it

was in NT 4.0 to change a domain controller to a member server or vice versa.


68. As the senior Windows 2000 administrator in your organization, you are responsible

for the planning and implementation of the Active Directory site, domain and

organizational unit structures. In your design, you have created a root domain named

mcsejobs.net and two child domains, America and Europe. You have also created a

second tree named techiejobs.com with two child domains, America and Europe.

Your organization has just gone through a leveraged buyout and the name of the

company is going to be changing to mcsejobs.com. How can you rename the root

domain?

A. Install a new domain controller in the new root domain named mcsejobs.com and then

reinstall all the other domain controllers in both the root and child domains and the

second tree.

B. Rename the existing root domain controller first to the new root domain named

mcsejobs.com. Then rename all of the other domain controllers in the root domain

followed by all the domain controllers in the child domains and the second tree.

C. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Next,

rename the existing root domain controller to the new root domain named

mcsejobs.com. Then rename all of the other domain controllers in the root domain

followed by all the domain controllers in the child domains and the second tree.

D. Create a new DNS zone for the new Active Directory root named mcsejobs.com. Then

demote the domain controller acting as the global catalog server in the root domain

and re-promote it to the new root domain.


68. As the senior Windows 2000 administrator in your organization, you are responsible

for the planning and implementation of the Active Directory site, domain and

organizational unit structures. In your design, you have created a root domain named

mcsejobs.net and two child domains, America and Europe. You have also created a

second tree named techiejobs.com with two child domains, America and Europe.

Your organization has just gone through a leveraged buyout and the name of the

company is going to be changing to mcsejobs.com. How can you rename the root

domain?

*A. Install a new domain controller in the new root domain named mcsejobs.com

and then reinstall all the other domain controllers in both the root and child

domains and the second tree.

B. Rename the existing root domain controller first to the new root domain named

mcsejobs.com. Then rename all of the other domain controllers in the root

domain followed by all the domain controllers in the child domains and the

second tree.

C. Create a new DNS zone for the new Active Directory root named mcsejobs.com.

Next, rename the existing root domain controller to the new root domain named

mcsejobs.com. Then rename all of the other domain controllers in the root

domain followed by all the domain controllers in the child domains and the

second tree.

D. Create a new DNS zone for the new Active Directory root named mcsejobs.com.

Then demote the domain controller acting as the global catalog server in the root

domain and re-promote it to the new root domain.

Explanation: If the root domain controller needs to be renamed, your entire Active

Directory structure must be recreated. There is no way at this time to rename the root

domain controller without reinstalling all domain controllers in your forest.


69. You are installing Active Directory on your first domain controller in your

organization. The computer has five physical disks and you want to optimize the

performance of the Active Directory. What is the best choice you can make during

installation to optimize performance?

A. Install the Active Directory database on a separate physical disk than the Winnt folder.

B. Install the Active Directory database on a separate physical disk than the database log

files.

C. Install the Active Directory database on a separate physical disk than the Sysvol

folder.

D. Install the Sysvol folder on a separate physical disk than Winnt folder.

70. As the Windows 2000 system administrator for your organization, you are going over

your Active Directory installation checklist before you begin your installation.

Which of the following should be on your checklist for Active Directory to install

correctly? (Choose three.)

A. A partition or volume formatted with the NTFS file system is required for the Sysvol

folder.

B. A partition or volume formatted with the NTFS file system is required for the Winnt

folder.

C. The username and password of an account that is a member of the Enterprise Admins

group.

D. The username and password of an account that is a member of the Domain Admins

group.

E. The DNS service is installed on the computer to be promoted to a domain controller.


69. You are installing Active Directory on your first domain controller in your

organization. The computer has five physical disks and you want to optimize the

performance of the Active Directory. What is the best choice you can make during

installation to optimize performance?

A. Install the Active Directory database on a separate physical disk than the Winnt

folder.

*B. Install the Active Directory database on a separate physical disk than the

database log files.

C. Install the Active Directory database on a separate physical disk than the Sysvol

folder.

D. Install the Sysvol folder on a separate physical disk than Winnt folder.

Explanation: Installing the Active Directory database on a separate physical disk than

the database log files will improve the performance of the domain controller.

70. As the Windows 2000 system administrator for your organization, you are going

over your Active Directory installation checklist before you begin your

installation. Which of the following should be on your checklist for Active

Directory to install correctly? (Choose three.)

*A. A partition or volume formatted with the NTFS file system is required for the

Sysvol folder.

B. A partition or volume formatted with the NTFS file system is required for the

Winnt folder.

*C. The username and password of an account that is a member of the Enterprise

Admins group.

*D. The username and password of an account that is a member of the Domain

Admins group.

E. The DNS service is installed on the computer to be promoted to a domain

controller.

Explanation: Before you install Active Directory, you should confirm that you have

access to a username and password of an account that is a member of either the

Enterprise Admins or Domain Admins group and that there is an NTFS partition or

volume that the Sysvol folder can be created on. It is recommended that the Winnt

folder be placed on an NTFS partition but not required. A DNS server that supports

SRV records must be available in the domain but does not have to be on the

computer configured as a domain controller.


71. As the Windows 2000 system administrator for your organization, you are planning

your Active Directory installation and want to ensure fault tolerance. How can you

create a fault tolerant environment?

A. Add a second domain controller to the domain.

B. Add a second domain controller in a child domain and configure it as a global

catalog server.

C. Configure an existing domain controller in a child domain as a global catalog server.

D. Configure Windows load balancing.

72. You have just installed a computer named Tordc1 and configured it as the first

domain controller in the mcsejobs.net domain. You want to confirm that the Active

Directory installation was successful. Where would you look for the server object

that is created when a server is promoted to a domain controller?

A. Look in the Domain Controllers organizational unit in the Mcsejobs.net domain with

Active Directory Users and Computers.

B. Look in the Server container under the Default-First-Site-Name site with Active

Directory Sites and Services.

C. Look in the Computers container in the Mcsejobs.net domain with Active Directory

Users and Computers.

D. Look in the NTDS Settings object in the Default-First-Site-Name site with Active

Directory Sites and Services.


71. As the Windows 2000 system administrator for your organization, you are planning

your Active Directory installation and want to ensure fault tolerance. How can you

create a fault tolerant environment?

*A. Add a second domain controller to the domain.

B. Add a second domain controller in a child domain and configure it as a

global catalog server.

C. Configure an existing domain controller in a child domain as a global catalog

server.

D. Configure Windows load balancing.

Explanation: Adding a second domain controller to the domain will create a fault-tolerant

environment. Adding a second domain controller in a child domain and

configuring it as a global catalog server will not create a fault tolerant environment.

As a global catalog server, all forest objects will be replicated but not all attributes of

the objects of the parent domain. Configuring Windows load balancing will not work

with the basic Server operating system, only Windows 2000 Advanced Server.

72. You have just installed a computer named Tordc1 and configured it as the first

domain controller in the mcsejobs.net domain. You want to confirm that the Active

Directory installation was successful. Where would you look for the server object

that is created when a server is promoted to a domain controller?

*A. Look in the Domain Controllers organizational unit in the Mcsejobs.net domain

with Active Directory Users and Computers.

*B. Look in the Server container under the Default-First-Site-Name site with Active

Directory Sites and Services.

C. Look in the Computers container in the Mcsejobs.net domain with Active

Directory Users and Computers.

D. Look in the NTDS Settings object in the Default-First-Site-Name site with

Active Directory Sites and Services.

Explanation: A server object is created for each domain controller in the

Default-First-Site-Name site container. You can confirm this with the Active Directory Sites and

Services snap-in.


73. You are attempting to add a domain controller to an existing Windows 2000 Active

Directory domain and are prompted during the promotion for a user's credentials

with sufficient permissions. What is the correct combination or combinations of user

credentials to choose?

A. Username, password, domain name

B. User Principal Name, password, domain name

C. Username, password, Fully Qualified Domain Name

D. User Principal Name, password, Fully Qualified Domain Name

74. As the administrator of your company's Windows 2000 domain, you have noticed

some differences in how a domain controller gets added to a site. The first domain

controller you installed was placed in one site, but the second domain controller you

installed had a server object created in a second site. Which of the following

explanations most accurately describe the reasoning behind this? (Choose two.)

A. The first domain controller created in a new Active Directory domain is added to the

Default-First-Site-Name.

B. Additional domain controllers are added to sites based on the domain controller's IP

address.

C. The first domain controller created in a new Active Directory domain is added to the

site that the administrator specifies during the domain controller's installation.

D. Additional domain controllers are added to sites based on the domain controller's host

name.


73. You are attempting to add a domain controller to an existing Windows 2000 Active

Directory domain and are prompted during the promotion for a user's credentials

with sufficient permissions. What is the correct combination or combinations of user

credentials to choose?

*A. Username, password, domain name

B. User Principal Name, password, domain name

C. Username, password, Fully Qualified Domain Name

D. User Principal Name, password, Fully Qualified Domain Name

Explanation: The correct information to specify is a username, password and domain

name. A User Principal Name is not accepted as valid credentials. Only the name of the

domain that the specified username belongs to is required, not the fully qualified domain

name.

74. As the administrator of your company's Windows 2000 domain, you have noticed

some differences in how a domain controller gets added to a site. The first domain

controller you installed was placed in one site, but the second domain controller you

installed had a server object created in a second site. Which of the following

explanations most accurately describe the reasoning behind this? (Choose two.)

*A. The first domain controller created in a new Active Directory domain is added

to the Default-First-Site-Name.

*B. Additional domain controllers are added to sites based on the domain

controller's IP address.

C. The first domain controller created in a new Active Directory domain is added to

the site that the administrator specifies during the domain controller's

installation.

D. Additional domain controllers are added to sites based on the domain controller's

host name.

Explanation: The first domain controller created in a new Active Directory domain is

added to the Default-First-Site-Name, which is the default site created during the

installation of Active Directory. Additional domain controllers are added to sites

based on their IP address. A site consists of one or more IP subnets connected by a

high-speed connection. When a site is created, subnets should be associated with that

site for site membership to be determined. If a site with a subnet object is found

during the installation of Active Directory and the domain controller's IP address is

within that subnet then the server object is created in the associated site.


75. After the promotion of a member server to a domain controller, you want to confirm

that the three directory partitions have been created successfully on the new domain

controller. You use ADSIEdit to look for what three partitions? (Choose three.)

A. The domain directory partition

B. The configuration directory partition

C. The Schema directory partition

D. The Site directory partition

E. The Forest directory partition

76. The first domain controller in the root domain is required to have its system time

synchronized with an external time source. What command would you schedule to

run daily to perform this synchronization?

A. net time /setsntp://server.domain.domain

B. net time /set /sntp:\\server.domain.domain

C. net time /sntpset:\\server.domain.domain

D. net time /sntp /set://server.domain.domain


75. After the promotion of a member server to a domain controller, you want to confirm

that the three directory partitions have been created successfully on the new domain

controller. You use ADSIEdit to look for what three partitions? (Choose three.)

*A. The domain directory partition

*B. The configuration directory partition

*C. The Schema directory partition

D. The Site directory partition

E. The Forest directory partition

Explanation: The domain, configuration, and schema directory partitions are the three

partitions that get created on a domain controller. The domain directory partition

contains the domain objects and their attributes for a single domain. The

configuration directory partition contains information about the sites, services, and

domains within the forest. The schema directory partition contains class and attribute

definitions for all existing and possible Active Directory objects.

76. The first domain controller in the root domain is required to have its system time

synchronized with an external time source. What command would you schedule to

run daily to perform this synchronization?

*A. net time /setsntp://server.domain.domain

B. net time /set /sntp:\\server.domain.domain

C. net time /sntpset:\\server.domain.domain

D. net time /sntp /set://server.domain.domain

Explanation: The correct command for the time synchronization service is net time

/setsntp://server.domain.domain.


77. You are one of the administrators on the Web Team at a large Internet Service

Provider. The ISP is evaluating whether to install Windows 2000 Server or

Advanced Server as a Web hosting platform to support the use of FrontPage Server

Extensions for their clients. In the evaluation process, you have been asked to design

an Active Directory logical structure that best represents the needs of the ISP. The

ISP's customers are broken into two groups; residential and commercial. From an

administrative standpoint there is no difference but from a marketing standpoint,

different levels of service are available to the two groups. How would you design

your Active Directory logical structure?

A. Create a single domain and within that domain create a single organizational unit

within the Users container called customers.

B. Create an empty root domain and two child domains. Name the child domains

residential and commercial.

C. Create an empty root domain and a single child domain with two organizational units

called residential and commercial.

D. Create a single domain and within that domain an organizational unit named

customers. Within the customers organizational unit create two other organizational

units named residential and commercial.

78. Which of the following single master operations roles are forest-wide?

A. RID Master

B. Schema Master

C. PDC Emulator

D. Domain Naming Master

E. Backup Domain Controller


77. You are one of the administrators on the Web Team at a large Internet Service

Provider. The ISP is evaluating whether to install Windows 2000 Server or

Advanced Server as a Web hosting platform to support the use of FrontPage Server

Extensions for their clients. In the evaluation process, you have been asked to design

an Active Directory logical structure that best represents the needs of the ISP. The

ISP's customers are broken into two groups; residential and commercial. From an

administrative standpoint there is no difference but from a marketing standpoint,

different levels of service are available to the two groups. How would you design

your Active Directory logical structure?

A. Create a single domain and within that domain create a single organizational unit

within the Users container called customers.

B. Create an empty root domain and two child domains. Name the child domains

residential and commercial.

C. Create an empty root domain and a single child domain with two organizational

units called residential and commercial.

*D. Create a single domain and within that domain an organizational unit named

customers. Within the customers organizational unit create two other

organizational units named residential and commercial.

Explanation: The recommended strategy for an organizational design in this case would

be to create an organizational unit called customers within a single domain and two

sub-OUs within that. There is no need now to differentiate the customers into

different OUs but that need may arise in the future. Using a single domain is useful

because it minimizes the administration required and can offer the scalability

required. An OU cannot be created within the Users container, making that an invalid

option. Multiple domains are also not required, eliminating those options.

78. Which of the following single master operations roles are forest-wide?

A. RID Master

*B. Schema Master

C. PDC Emulator

*D. Domain Naming Master

E. Backup Domain Controller


79. You have just finished the installation of Active Directory on a member server and

reboot the computer as a domain controller. You would like to verify that the SRV

records were created and use nslookup to do this. Nslookup reports a time-out when

you run it at the command prompt. What is causing the time outs?

A. A reverse lookup zone is not configured.

B. The DNS server you are querying does not support SRV records.

C. A forward lookup zone is not configured.

D. The DNS server you are querying does not support dynamic update.

80. Which version of Windows 2000 includes Windows Clustering and load balancing?

A. Windows 2000 Server

B. Windows 2000 Advanced Server

C. Windows 2000 Professional

D. Windows 2000 Datacenter


79. You have just finished the installation of Active Directory on a member server and

reboot the computer as a domain controller. You would like to verify that the SRV

records were created and use nslookup to do this. Nslookup reports a time-out when

you run it at the command prompt. What is causing the time outs?

*A. A reverse lookup zone is not configured.

B. The DNS server you are querying does not support SRV records.

C. A forward lookup zone is not configured.

D. The DNS server you are querying does not support dynamic update.

Explanation: You will receive time-outs when running nslookup if a reverse lookup

zone is not configured. Nslookup generates a reverse lookup to find the host name of

the DNS server based on its IP address and if a reverse lookup zone is not

configured, it will report a time out.

80. Which version of Windows 2000 includes Windows Clustering and load balancing?

A. Windows 2000 Server

*B. Windows 2000 Advanced Server

C. Windows 2000 Professional

*D. Windows 2000 Datacenter

Explanation: Windows 2000 Advanced Server, designed for use in a large enterprise

network, contains all the features available in Windows 2000 Server, in addition to

Windows Clustering and load balancing. Windows 2000 Datacenter Server also

includes these features.


81. You have successfully upgraded all of your company's Windows NT 4.0 domain

controllers to Windows 2000 and would like to take advantage of all of the new

features that Windows 2000 has to offer by switching domain modes. How will you

switch modes?

A. In Active Directory Users and Computers, right click the domain, click the change

button and confirm your choice.

B. In Active Directory Users and Computers, right click the domain controllers OU, click

the change button, and confirm your choice.

C. In Active Directory Sites and Services, right click the server object named after the

domain controller, click the change button, and confirm your choice.

D. In Active Directory Sites and Services, right click the domain controller's NTDS

Settings object, click the change button, and confirm your choice.

E. At the Run command, type change mode /native.

82. As the domain administrator you would like to grant a user, Chloe Ward, the

permissions to create OUs within the Musicians OU but only that OU. What would

be the recommended way to grant Chloe the permission to do this?

A. Add Chloe to the Administrators group.

B. Grant Chloe List and Create Child OU permissions within the domain.

C. Grant Chloe List, Read, and Create Child OU permissions within the Musicians OU.

D. Grant Chloe Read, and Manage Child OU permissions within the Musicians OU.


81. You have successfully upgraded all of your company's Windows NT 4.0 domain

controllers to Windows 2000 and would like to take advantage of all of the new

features that Windows 2000 has to offer by switching domain modes. How will you

switch modes?

*A. In Active Directory Users and Computers, right click the domain, click the

change button and confirm your choice.

B. In Active Directory Users and Computers, right click the domain controllers OU,

click the change button, and confirm your choice.

C. In Active Directory Sites and Services, right click the server object named after

the domain controller, click the change button, and confirm your choice.

D. In Active Directory Sites and Services, right click the domain controller's NTDS

Settings object, click the change button, and confirm your choice.

E. At the Run command, type change mode /native.

Explanation: The mode of the domain can be changed from Mixed to Native mode with

the Active Directory Users and Computers snap-in by right-clicking the domain and

selecting the change button.

82. As the domain administrator you would like to grant a user, Chloe Ward, the

permissions to create OUs within the Musicians OU but only that OU. What would

be the recommended way to grant Chloe the permission to do this?

A. Add Chloe to the Administrators group.

B. Grant Chloe List and Create Child OU permissions within the domain.

*C. Grant Chloe List, Read, and Create Child OU permissions within the Musicians

OU.

D. Grant Chloe Read, and Manage Child OU permissions within the Musicians OU.

Explanation: To create OUs, a user must be a member of the Domain Admins or

Enterprise Admins groups or have Read, and Create Child OU permissions. List

permission is not required to create OUs, but without it, the user is not able to see the

new Child OU after it is created.


83. You are installing the first Windows 2000 domain controller in your domain. You

have upgraded your Windows NT 4.0 PDC to Windows 2000 and during the

promotion to a domain controller you receive an Access Denied message. What is

the most likely cause of the problem?

A. You are not logged on as an Administrator.

B. DNS is not configured properly to allow for authentication.

C. The default permissions on the Winnt folder are preventing you from proceeding with

the promotion to a domain controller.

D. The partition that you have selected to install the Sysvol folder on is not formatted

with the NTFS file system.

84. One of the domain controllers in your Windows 2000 domain is going to be demoted

to a member server because a newer computer was brought online last week. In the

demotion, what will happen to the user accounts?

A. The user accounts will be deleted and only the default user accounts for the

administrator and the guest will exist.

B. The user accounts will be removed from the Active Directory database and created in

the local computer's security account manager database.

C. During the demotion you will be prompted to delete or create the user accounts as

local accounts.

D. All domain local groups become local groups, all global groups are deleted, and all

users become local computer accounts.


83. You are installing the first Windows 2000 domain controller in your domain. You

have upgraded your Windows NT 4.0 PDC to Windows 2000 and during the

promotion to a domain controller you receive an Access Denied message. What is

the most likely cause of the problem?

*A. You are not logged on as an Administrator.

B. DNS is not configured properly to allow for authentication.

C. The default permissions on the Winnt folder are preventing you from proceeding

with the promotion to a domain controller.

D. The partition that you have selected to install the Sysvol folder on is not

formatted with the NTFS file system.

Explanation: You must be logged on as the Administrator to create the first domain

controller in a new forest. An improperly configured DNS server would generate an

error but not an Access Denied message. The Sysvol folder must also be located on a

partition or volume formatted with the NTFS file system but not doing that would

not generate an access denied message. The default permissions on the Winnt folder

would not result in an Access Denied message.

84. One of the domain controllers in your Windows 2000 domain is going to be demoted

to a member server because a newer computer was brought online last week. In the

demotion, what will happen to the user accounts?

*A. The user accounts will be deleted and only the default user accounts for the administrator and the guest will exist.

B. The user accounts will be removed from the Active Directory database and created in the local computer's security account manager database.

C. During the demotion you will be prompted to delete or create the user accounts as

local accounts.

D. All domain local groups become local groups, all global groups are deleted, and

all users become local computer accounts.

Explanation: During the demotion from a domain controller to a member server, all user

accounts other than the default accounts are removed from the computer. Only the

administrator and guest account as well as the other default local groups remain.


85. YCorp has hired you as a consultant to help install 300 Windows 2000 servers on their 25,000-node network. The company has already hired a team to study the network and an installation task list has been created. The distribution and placement of the servers have already been decided as shown in the table below:

Location     Number of servers  OS types                                                      Number of clients
Koh Samui    2                  Windows NT Workstation 4.0                                    30
Penang       2                  Windows NT Server 4.0                                         30
Narita       100                Mix of Windows NT 4.0 Server and Windows NT 3.51 Server       10000
Songtan      45                 Mix of Windows NT 4.0 Workstation and Windows NT 4.0 Server   2440
Mallersdorf  25                 Windows 98 and Windows 95                                     1800
Utrecht      100                Windows NT 4.0 Server                                         10000
Flagstaff    26                 Mix of Windows NT 4.0 Server and Windows 98                   700

Which of the following operating systems will be able to upgrade instead of requiring a

fresh installation?

A. Windows 95

B. Windows 98

C. Windows NT 4.0 Workstation

D. Windows NT 4.0 Server

E. Windows NT 3.51 Server


85. YCorp has hired you as a consultant to help install 300 Windows 2000 servers on their 25,000-node network. The company has already hired a team to study the network and an installation task list has been created. The distribution and placement of the servers have already been decided as shown in the table below:

Location     Number of servers  OS types                                                      Number of clients
Koh Samui    2                  Windows NT Workstation 4.0                                    30
Penang       2                  Windows NT Server 4.0                                         30
Narita       100                Mix of Windows NT 4.0 Server and Windows NT 3.51 Server       10000
Songtan      45                 Mix of Windows NT 4.0 Workstation and Windows NT 4.0 Server   2440
Mallersdorf  25                 Windows 98 and Windows 95                                     1800
Utrecht      100                Windows NT 4.0 Server                                         10000
Flagstaff    26                 Mix of Windows NT 4.0 Server and Windows 98                   700

Which of the following operating systems will be able to upgrade instead of requiring a

fresh installation?

A. Windows 95

B. Windows 98

C. Windows NT 4.0 Workstation

*D. Windows NT 4.0 Server

*E. Windows NT 3.51 Server

Explanation: The only operating systems that can be upgraded to Windows 2000 are the existing Windows NT Servers (either 3.51 or 4.0). However, assuming that all the above computers meet the hardware standards for Windows 2000 installation, the systems that are not already installed as Windows NT Servers can be given fresh Windows 2000 installations.


Introduction

In this section we will examine Microsoft’s DNS service in Windows 2000, its configuration and optimization, and its relationship to Active Directory. DNS is used by Windows 2000 in place of the older WINS service, necessary for the discovery of servers in the enterprise. In Windows 2000, a client will use DNS to discover the location of servers, in the initial access to the network, during the process we used to call logon but now call authentication. To install Active Directory, the version of DNS running in the network must support SRV (Service Resource Record) records. As their name indicates, these DNS records provide the location of services. Their format is

service.protocol.name.ttl.class.SRV.priority.weight.port.target

So a server named BFQ-1 providing telnet services would have a record something like _telnet._tcp.BFQ-Site.BFQ.msft 600 IN SRV 0 100 23 BFQ-1.BFQ.msft.

In addition to supporting SRV records, Microsoft recommends that your version of DNS support dynamic updates and incremental zone transfers. Dynamic updates allow records to be created automatically in DNS, rather than having to create them manually as was the case in traditional DNS implementations. Incremental zone transfers allow secondary DNS servers to update their zone database with only the changes made since the last update, rather than transferring the entire zone as in older DNS implementations.


Chapter 2: Using DNS With Active Directory Service

The objective of this chapter is to provide the reader with an understanding of the following:

1. Install and configure DNS for Active Directory.

2. Integrate Active Directory DNS zones with existing DNS infrastructure.

3. Configure zones for dynamic updates and secure dynamic updates.

4. Create and configure DNS records.

5. Manage, monitor, and troubleshoot DNS.

1. What two things must you do before installing DNS service on a Windows 2000

server? (Choose 2)

A. Install Active Directory on the server.

B. Configure the computer with a static IP address.

C. Configure the computer with a DNS domain name.

D. Install DHCP services on the computer.

2. What are the three types of zones supported by DNS in Windows 2000? (Choose 3)

A. Primary zones

B. Active Directory integrated zones

C. Standard primary zones

D. Secondary zones

E. Standard secondary zones


1. What two things must you do before installing DNS service on a Windows 2000

server? (Choose 2)

A. Install Active Directory on the server.

*B. Configure the computer with a static IP address.

*C. Configure the computer with a DNS domain name.

D. Install DHCP services on the computer.

Explanation: Before the administrator can install DNS on a Windows 2000 Server, the

server must be assigned a static IP address and must be given a host name and a

domain name. The DNS service install then installs the DNS server service, starts the

service and installs the DNS console. Additionally, the appropriate registry entry is

made for the startup of the DNS service and DNS database files are placed in the

newly created folder systemroot\System32\DNS. There are two ways to install the

DNS service: during the Windows 2000 installation or using Add/Remove

Programs-/Add/Remove Windows Components-Networking Services. DNS must be

installed prior to Active Directory.

2. What are the three types of zones supported by DNS in Windows 2000? (Choose 3)

A. Primary zones

*B. Active Directory integrated zones

*C. Standard primary zones

D. Secondary zones

*E. Standard secondary zones

Explanation: Before the administrator can install DNS on a Windows 2000 Server, the

server must be assigned a static IP address and must be given a host name and a

domain name. There are two ways to install the DNS service: during the Windows

2000 installation or using Add/Remove Programs-/Add/Remove Windows

Components-Networking Services. DNS must be installed prior to Active Directory.

DNS services in Windows 2000 support three types of zones: standard primary,

standard secondary and Active Directory integrated. A standard primary zone is the

master copy of the zone database and is stored as a standard text file. A standard

secondary is a copy (or replica) of the master database and is read-only. Active

Directory integrated zones are zones that are stored in Active Directory and so are

replicated during AD replication.


3. What two events can trigger a zone transfer in DNS? (Choose 2)

A. The secondary server queries a master server for changes in the zone database.

B. The secondary server sends a notification of a change to the master server.

C. The master server queries its secondary servers for changes in the zone database.

D. The master server notifies the secondary servers about a change in the zone database.

4. Where is the zone database stored for a standard primary zone in Windows 2000?

A. In an Active Directory object

B. In the systemroot\System32\DNS folder

C. In the DNS server Active Directory object

D. In the systemroot\System32\etc folder


3. What two events can trigger a zone transfer in DNS? (Choose 2)

*A. The secondary server queries a master server for changes in the zone database.

B. The secondary server sends a notification of a change to the master server.

C. The master server queries its secondary servers for changes in the zone database.

*D. The master server notifies the secondary servers about a change in the zone database.

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database.

4. Where is the zone database stored for a standard primary zone in Windows 2000?

A. In an Active Directory object

*B. In the systemroot\System32\DNS folder

C. In the DNS server Active Directory object

D. In the systemroot\System32\etc folder

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database.


5. Where is the zone database stored for an Active Directory integrated zone in Windows

2000?

A. In an Active Directory object

B. In the systemroot\System32\DNS folder

C. In the Active Directory DNS Zone object

D. In the systemroot\System32\etc folder

6. What two events occur in Dynamic DNS (DDNS)? (Choose 2)

A. The client computer automatically queries DNS for a dynamic domain name.

B. The DHCP client automatically updates an A resource record.

C. The DHCP server obtains a domain or host name for the DHCP client.

D. The DHCP server updates the PTR record in DNS.


5. Where is the zone database stored for an Active Directory integrated zone in Windows

2000?

*A. In an Active Directory object

B. In the systemroot\System32\DNS folder

C. In the Active Directory DNS Zone object

D. In the systemroot\System32\etc folder

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database.

6. What two events occur in Dynamic DNS (DDNS)? (Choose 2)

A. The client computer automatically queries DNS for a dynamic domain name.

*B. The DHCP client automatically updates an A resource record.

C. The DHCP server obtains a domain or host name for the DHCP client.

*D. The DHCP server updates the PTR record in DNS.

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database. Windows 2000 includes in

DNS the ability to accept dynamic updates rather than just manual updates to the

zone database. When a DHCP server leases an address, the client updates the A

record in DNS and the server updates the PTR record in DNS - automatically.


7. What types of zones in Windows 2000 can be configured for secure dynamic updates?

A. Standard primary zone

B. Standard secondary zone

C. Active Directory integrated zone

D. Master zone

8. What is the zone replication method that is new with Windows 2000 and allows for

replication of only the changes made to the authoritative database?

A. AXFR (Full-zone transfer)

B. IXFR (Incremental zone transfer)

C. DDNS (Dynamic DNS)

D. Replication Services


7. What types of zones in Windows 2000 can be configured for secure dynamic updates?

A. Standard primary zone

B. Standard secondary zone

*C. Active Directory integrated zone

D. Master zone

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database. Windows 2000 includes in

DNS the ability to accept dynamic updates rather than just manual updates to the

zone database. When a DHCP server leases an address, the client updates the A

record in DNS and the server updates the PTR record in DNS - automatically. Secure

dynamic updates can only be provided in Active Directory integrated zones.

8. What is the zone replication method that is new with Windows 2000 and allows for

replication of only the changes made to the authoritative database?

A. AXFR (Full-zone transfer)

*B. IXFR (Incremental zone transfer)

C. DDNS (Dynamic DNS)

D. Replication Services

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database. Zone transfers may occur

using AXFR, which is a full-zone transfer or IXFR (incremental zone transfer),

which only replicates the changes to the secondary zone. IXFR is new in Windows

2000.


9. What are two utilities for testing the DNS service in Windows 2000? (Choose 2)

A. DNS Console

B. Active Directory Users and Computers

C. Nslookup

D. DNS Manager


9. What are two utilities for testing the DNS service in Windows 2000? (Choose 2)

*A. DNS Console

B. Active Directory Users and Computers

*C. Nslookup

D. DNS Manager

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Zone transfers in DNS are triggered two ways: a master

server sends a change notification to the secondary servers, or the secondary server

queries the master for changes in the master database. Windows 2000 includes in

DNS the ability to accept dynamic updates rather than just manual updates to the

zone database. When a DHCP server leases an address, the client updates the A

record in DNS and the server updates the PTR record in DNS - automatically.

Finally, there are two types of queries supported in Windows 2000 DNS: simple

queries, which use a DNS client to query a local DNS server, and recursive where

the client request must be forwarded from one DNS server to another to complete the

query. DNS can be tested using either Nslookup, which supports both interactive and

noninteractive modes, or the DNS console.


10. What utility is used to manage DNS on a Windows 2000 server?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

C. DNS Console

D. DNS Manager


10. What utility is used to manage DNS on a Windows 2000 server?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

*C. DNS Console

D. DNS Manager

Explanation: Before the administrator can install DNS on a Windows 2000 Server, the

server must be assigned a static IP address and must be given a host name and a

domain name. There are two ways to install the DNS service: during the Windows

2000 installation or using Add/Remove Programs-/Add/Remove Windows

Components-Networking Services. DNS must be installed prior to Active Directory.

DNS services in Windows 2000 support three types of zones: standard primary,

standard secondary and Active Directory integrated. A standard primary zone is the

master copy of the zone database and is stored as a standard text file. A standard

secondary is a copy (or replica) of the master database and is read-only. Active

Directory integrated zones are zones that are stored in Active Directory and so are

replicated during AD replication. When DNS is installed a shortcut is added to

Administrative Tools for the DNS console.


11. What default setting of Windows 2000 computers must be changed prior to the

installation of DNS?

A. Windows 2000 servers by default do not have Active Directory installed; therefore the

administrator must first install AD.

B. By default, Windows 2000 servers do not install TCP/IP, but NetBEUI. The

administrator must first install TCP/IP.

C. The administrator must change the default DHCP setting from Automatically Obtain

an Address to a statically assigned address.

D. The administrator must enable IP forwarding, which is disabled by default in

Windows 2000.


11. What default setting of Windows 2000 computers must be changed prior to the

installation of DNS?

A. Windows 2000 servers by default do not have Active Directory installed;

therefore the administrator must first install AD.

B. By default, Windows 2000 servers do not install TCP/IP, but NetBEUI. The

administrator must first install TCP/IP.

*C. The administrator must change the default DHCP setting from Automatically Obtain an Address to a statically assigned address.

D. The administrator must enable IP forwarding, which is disabled by default in Windows 2000.

Explanation: Before the administrator can install DNS on a Windows 2000 Server, the

server must be assigned a static IP address and must be given a host name and a

domain name. There are two ways to install the DNS service: during the Windows

2000 installation or using Add/Remove Programs-/Add/Remove Windows

Components-Networking Services. DNS must be installed prior to Active Directory.

DNS services in Windows 2000 support three types of zones: standard primary,

standard secondary and Active Directory integrated. A standard primary zone is the

master copy of the zone database and is stored as a standard text file. A standard

secondary is a copy (or replica) of the master database and is read-only. Active

Directory integrated zones are zones that are stored in Active Directory and so are

replicated during AD replication.


12. What resource record type in Windows 2000 enables integration of Active Directory

and DNS?

A. A records

B. PTR records

C. SRV records

D. In.addr.arpa records


12. What resource record type in Windows 2000 enables integration of Active Directory

and DNS?

A. A records

B. PTR records

*C. SRV records

D. In.addr.arpa records

Explanation: SRV records in DNS allow Active Directory domain controllers to be

located with DNS. DNS services in Windows 2000 support three types of zones:

standard primary, standard secondary and Active Directory integrated. A standard

primary zone is the master copy of the zone database and is stored as a standard text

file and in the newly created folder systemroot\System32\DNS. A standard

secondary is a copy (or replica) of the master database and is read-only. Active

Directory integrated zones are zones that are stored in Active Directory and so are

replicated during AD replication. Zone transfers in DNS are triggered two ways: a

master server sends a change notification to the secondary servers, or the secondary

server queries the master for changes in the master database. Windows 2000 includes

in DNS the ability to accept dynamic updates rather than just manual updates to the

zone database. When a DHCP server leases an address, the client updates the A

record in DNS and the server updates the PTR record in DNS - automatically.

Finally, there are two types of queries supported in Windows 2000 DNS: simple

queries, which use a DNS client to query a local DNS server, and recursive where

the client request must be forwarded from one DNS server to another to complete the

query.


13. As the administrator of BFQ, Inc you wish to convert an existing DNS standard

primary zone to an Active Directory integrated zone, however you do not have that

option in the Change Zone Type dialog box. What have you failed to do properly?

A. You did not change the server's DHCP setting from dynamic to static for IP

addressing.

B. You have not installed DNS on the domain controller.

C. You installed DNS, but did not specify that Active Directory integrated zones would

be available.

D. You have not implemented Active Directory.

14. What is a Windows 2000 server requirement for converting a standard primary zone

to an Active Directory integrated zone?

A. The server running DNS must be a domain controller.

B. The server holding the standard primary zone must be also a DHCP server.

C. The partition holding the zone file must be formatted with NTFS.

D. The server must be configured for full zone transfers.


13. As the administrator of BFQ, Inc you wish to convert an existing DNS standard

primary zone to an Active Directory integrated zone, however you do not have that

option in the Change Zone Type dialog box. What have you failed to do properly?

A. You did not change the server's DHCP setting from dynamic to static for IP

addressing.

B. You have not installed DNS on the domain controller.

C. You installed DNS, but did not specify that Active Directory integrated zones

would be available.

*D. You have not implemented Active Directory.

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Standard primary zones can be converted to Active Directory

integrated zones, providing that Active Directory has been installed, and that the

server running DNS is a domain controller.

14. What is a Windows 2000 server requirement for converting a standard primary zone

to an Active Directory integrated zone?

*A. The server running DNS must be a domain controller.

B. The server holding the standard primary zone must be also a DHCP server.

C. The partition holding the zone file must be formatted with NTFS.

D. The server must be configured for full zone transfers.

Explanation: DNS services in Windows 2000 support three types of zones: standard

primary, standard secondary and Active Directory integrated. A standard primary

zone is the master copy of the zone database and is stored as a standard text file and

in the newly created folder systemroot\System32\DNS. A standard secondary is a

copy (or replica) of the master database and is read-only. Active Directory

integrated zones are zones that are stored in Active Directory and so are replicated

during AD replication. Standard primary zones can be converted to Active Directory

integrated zones, providing that Active Directory has been installed, and that the

server running DNS is a domain controller.

15. You are configuring DNS for dynamic updates, but the Allow Only Secure Updates

choice does not appear in the Dynamic update list. What have you failed to configure

correctly?

A. The server must be running DHCP.

B. The zone must be converted to an Active Directory integrated zone.

C. The zone must be a standard primary zone.

D. The DNS service must be stopped and restarted.

16. In what two modes will nslookup operate? (Choose 2)

A. Active

B. Nonactive

C. Interactive

D. noninteractive

E. Passive

15. You are configuring DNS for dynamic updates, but the Allow Only Secure Updates

choice does not appear in the Dynamic update list. What have you failed to configure

correctly?

A. The server must be running DHCP.

*B. The zone must be converted to an Active Directory integrated zone.

C. The zone must be a standard primary zone.

D. The DNS service must be stopped and restarted.

Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a read-only copy (or replica) of the master database. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Standard primary zones can be converted to Active Directory integrated zones, provided that Active Directory has been installed and that the server running DNS is a domain controller. Once converted, the zone can then be configured for secure dynamic updates, where the server will only accept updates from authorized computers and DHCP servers.

16. In what two modes will nslookup operate? (Choose 2)

A. Active

B. Nonactive

*C. Interactive

*D. noninteractive

E. Passive

Explanation: Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query. DNS can be tested using either Nslookup, which supports both interactive and noninteractive modes, or the DNS console.

17. What must be present for Nslookup to work properly in Windows 2000 DNS?

A. A PTR resource record for the DNS name server must exist in the server's database.

B. A SRV record for the DNS name server must exist in the DNS server's database.

C. An Active Directory integrated zone database must exist on the server.

D. The name server must be a domain controller.

18. What type of zone transfer does Windows NT 4.0 support?

A. AXFR (Full)

B. IXFR (Incremental)

C. AD integrated

D. DHCP synchronized

17. What must be present for Nslookup to work properly in Windows 2000 DNS?

*A. A PTR resource record for the DNS name server must exist in the server's database.

B. A SRV record for the DNS name server must exist in the DNS server's database.

C. An Active Directory integrated zone database must exist on the server.

D. The name server must be a domain controller.

Explanation: Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS automatically. Finally, there are two types of queries supported in Windows 2000 DNS: simple queries, which use a DNS client to query a local DNS server, and recursive queries, where the client request must be forwarded from one DNS server to another to complete the query. DNS can be tested using either Nslookup, which supports both interactive and noninteractive modes, or the DNS console. Nslookup requires a PTR record for the DNS name server in the server's database.

18. What type of zone transfer does Windows NT 4.0 support?

*A. AXFR (Full)

B. IXFR (Incremental)

C. AD integrated

D. DHCP synchronized

Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a read-only copy (or replica) of the master database. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Zone transfers may occur using AXFR, which is a full zone transfer, or IXFR (incremental zone transfer), which only replicates the changes to the secondary zone. IXFR is new in Windows 2000. Windows NT 4.0 only supports AXFR (full) zone transfers.

19. What do we call that portion of the domain namespace in Windows 2000 that is

defined by resource records stored in a database file?

A. Partition

B. Replica

C. Zone

D. Domain

20. As the administrator of a Windows 2000 Active Directory domain, you are

responsible for creating and maintaining both the DNS namespace and Active

Directory forest design. Which of the following statements best represents the DNS

requirements in a Windows 2000 Active Directory structure?

A. Each Active Directory domain requires a corresponding DNS domain.

B. Each DNS domain requires a corresponding Active Directory domain.

C. Each Active Directory domain requires a corresponding Active Directory zone.

D. Each DNS domain requires a corresponding Active Directory zone.

19. What do we call that portion of the domain namespace in Windows 2000 that is

defined by resource records stored in a database file?

A. Partition

B. Replica

*C. Zone

D. Domain

Explanation: DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file in the newly created folder systemroot\System32\DNS. A standard secondary zone is a read-only copy (or replica) of the master database. Active Directory integrated zones are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Zone transfers may occur using AXFR, which is a full zone transfer, or IXFR (incremental zone transfer), which only replicates the changes to the secondary zone. IXFR is new in Windows 2000. Windows NT 4.0 only supports AXFR (full) zone transfers.

20. As the administrator of a Windows 2000 Active Directory domain, you are

responsible for creating and maintaining both the DNS namespace and Active

Directory forest design. Which of the following statements best represents the DNS

requirements in a Windows 2000 Active Directory structure?

*A. Each Active Directory domain requires a corresponding DNS domain.

B. Each DNS domain requires a corresponding Active Directory domain.

C. Each Active Directory domain requires a corresponding Active Directory zone.

D. Each DNS domain requires a corresponding Active Directory zone.

Explanation: Each Active Directory domain requires a corresponding DNS domain for

resolution of the services and hosts within the directory structure. DNS is the

primary means of resolution in Windows 2000 domains and replaces the

functionality that was previously provided by WINS. An Active Directory domain is

not required for each DNS domain that exists. An example of this could be a

company with five registered Internet domain names but only one internal Active

Directory domain name. Creating five Active Directory domains for the external

Internet domain names is not necessary. There is no such thing as an Active

Directory zone, so those two answers are not correct.

21. As the DNS and Windows 2000 administrator in your company, you are planning the

DNS namespace. Because DNS is the primary means of resolution in Windows

2000, you are trying to remember the type of zone to create if you want to be able to

resolve a host to an IP address. What type of zone would you create?

A. Forward lookup zone

B. Reverse lookup zone

C. Standard Primary zone

D. Standard Secondary zone

22. As the DNS and Windows 2000 administrator in your company, you are planning the

DNS namespace. Because DNS is the primary means of resolution in Windows

2000, you are trying to remember the type of zone to create if you want to be able to

resolve an IP address to a host name. What type of zone would you create?

A. Forward lookup zone

B. Reverse lookup zone

C. Standard Primary zone

D. Standard Secondary zone

E. Active Directory integrated zone

21. As the DNS and Windows 2000 administrator in your company, you are planning the

DNS namespace. Because DNS is the primary means of resolution in Windows

2000, you are trying to remember the type of zone to create if you want to be able to

resolve a host to an IP address. What type of zone would you create?

*A. Forward lookup zone

B. Reverse lookup zone

C. Standard Primary zone

D. Standard Secondary zone

Explanation: A forward lookup zone is used to resolve host names to IP addresses. A reverse lookup zone is used to resolve IP addresses to names. A standard primary zone is one of three types of zones that can be created; it can be either a forward or a reverse lookup zone, but the zone type alone does not discriminate between types of resolution. A standard secondary zone is also one type of zone that can be created, and it can be used for either forward or reverse lookup.

22. As the DNS and Windows 2000 administrator in your company, you are planning the

DNS namespace. Because DNS is the primary means of resolution in Windows

2000, you are trying to remember the type of zone to create if you want to be able to

resolve an IP address to a host name. What type of zone would you create?

A. Forward lookup zone

*B. Reverse lookup zone

C. Standard Primary zone

D. Standard Secondary zone

E. Active Directory integrated zone

Explanation: A reverse lookup zone would be created to resolve an IP address to a host

name. A forward lookup zone is used to resolve host names to IP addresses. Standard

primary, Standard secondary, and Active Directory integrated zones are the three

types of zones that can be created. Each type can be configured as either a forward or

reverse lookup zone, but the type does not have anything to do with resolution.

23. Your current network has a BIND 8.1.0 server and you are planning an upgrade to

Windows 2000 for your NT 4 clients and servers. Which of the following strategies

will support the installation of Active Directory? (Choose three)

A. Upgrade your BIND server to 8.1.2 or higher.

B. Install a Windows 2000 server as standard primary DNS server to replace your BIND

server.

C. Delegate a zone for the Active Directory on your BIND server and install Windows

2000 server as a standard primary DNS server to support Active Directory.

D. Delegate a zone for the Active Directory on your BIND server and install Windows

2000 server as a standard secondary DNS server to support Active Directory.

E. Install a Windows 2000 server as standard secondary DNS server to replace your

BIND server.

23. Your current network has a BIND 8.1.0 server and you are planning an upgrade to

Windows 2000 for your NT 4 clients and servers. Which of the following strategies

will support the installation of Active Directory? (Choose three)

*A. Upgrade your BIND server to 8.1.2 or higher.

*B. Install a Windows 2000 server as standard primary DNS server to replace your

BIND server.

*C. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard primary DNS server to support Active Directory.

D. Delegate a zone for the Active Directory on your BIND server and install Windows 2000 server as a standard secondary DNS server to support Active Directory.

E. Install a Windows 2000 server as standard secondary DNS server to replace your

BIND server.

Explanation: Upgrading your BIND server to BIND 8.1.2 or higher is one solution to get

Active Directory installed. Another solution is to install a Windows 2000 server as a

standard primary to replace the BIND server. A third solution is to create a zone on

the BIND server and delegate authority to a Windows 2000 server configured as a

standard primary DNS server. Configuring Windows 2000 as a standard secondary

DNS server first requires a standard primary, making this an invalid option.

24. As the administrator responsible for upgrading all of your current Windows NT

domain controllers to Windows 2000, you must plan for resolution. Your

organization currently uses a BIND implementation for resolution that supports SRV

records but not dynamic update and will not permit you to upgrade or use Windows

2000 DNS. What can you do to create the SRV records on your BIND server?

A. Print out the contents of cache.dns and manually enter the SRV records on the BIND

server.

B. Print out the contents of netlogon.dns and manually enter the SRV records on the

BIND server.

C. Print out the contents of the services file and manually enter the SRV records on the

BIND server.

D. Print out the contents of place.dns and manually enter the SRV records on the BIND

server.

24. As the administrator responsible for upgrading all of your current Windows NT

domain controllers to Windows 2000, you must plan for resolution. Your

organization currently uses a BIND implementation for resolution that supports SRV

records but not dynamic update and will not permit you to upgrade or use Windows

2000 DNS. What can you do to create the SRV records on your BIND server?

A. Print out the contents of cache.dns and manually enter the SRV records on the

BIND server.

*B. Print out the contents of netlogon.dns and manually enter the SRV records on the BIND server.

C. Print out the contents of the services file and manually enter the SRV records on the BIND server.

D. Print out the contents of place.dns and manually enter the SRV records on the

BIND server.

Explanation: The Netlogon.dns file is found in the path %windir%\system32\config and contains all the required SRV entries; it can be used to manually enter the records on a BIND server that does not support dynamic update. The cache.dns file contains all the default root servers but not SRV records. The services file contains a listing of services and the service ports used by specific services.

25. You are the DNS administrator for your company. You are trying to identify which

port the global catalog service is listening on. When you open the DNS snap-in, you

see the following service record:

_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com.

Based on the service record, which port is the global catalog listening on?

A. TCP port 600

B. TCP port 100

C. TCP port 3268

D. UDP port 600

E. UCP port 100

26. You are the DNS administrator in your organization and have been looking at your

DNS zone file after the installation of Active Directory. One of the SRV records that

you have identified is the following:

ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.mcsejobs.net

Which of the following statements accurately describe this service record?

A. Provides the global catalog service

B. Provides the ldap service

C. Uses the UDP protocol

D. Uses the TCP protocol

E. Has a FQDN of masterdc.mcsejobs.net

25. You are the DNS administrator for your company. You are trying to identify which

port the global catalog service is listening on. When you open the DNS snap-in, you

see the following service record:

_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com.

Based on the service record, which port is the global catalog listening on?

A. TCP port 600

B. TCP port 100

*C. TCP port 3268

D. UDP port 600

E. UCP port 100

Explanation: The global catalog listens for LDAP communications on TCP port 3268. A service record is broken into the following format:

_service._protocol.name ttl class SRV priority weight port target
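The record format above, together with the hand copy of netlogon.dns onto a BIND server described in question 24, as an added example that is not from the book: a Python sketch that parses SRV lines in that format and reports records lost or mistyped during manual entry. The file contents, the example.test names and the learnix.com zone origin are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True, order=True)
class SrvRecord:
    service: str      # "ldap" (leading underscore removed)
    protocol: str     # "tcp" or "udp"
    name: str         # rest of the owner name, made absolute
    priority: int
    weight: int
    port: int
    target: str       # host offering the service, made absolute
    ttl: int = field(default=0, compare=False)  # TTL is ignored when comparing

def _fqdn(name, origin):
    """Absolute lower-case name without the trailing dot.
    Names with no trailing dot are relative to the zone origin."""
    if not name.endswith("."):
        name = f"{name}.{origin}"
    return name.rstrip(".").lower()

def parse_srv(line, origin):
    """Parse '_service._protocol.name ttl class SRV priority weight port target'."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rr_class, rr_type, priority, weight, port, target = fields
    if (rr_class.upper(), rr_type.upper()) != ("IN", "SRV"):
        raise ValueError(f"not an IN SRV record: {line!r}")
    labels = _fqdn(owner, origin).split(".")
    if len(labels) < 3 or not all(len(l) > 1 and l[0] == "_" for l in labels[:2]):
        raise ValueError(f"owner must begin with _service._protocol: {owner!r}")
    numbers = []
    for text in (ttl, priority, weight, port):
        if not (text.isascii() and text.isdigit()):
            raise ValueError(f"non-numeric field {text!r} in {line!r}")
        numbers.append(int(text))
    ttl_n, prio_n, weight_n, port_n = numbers
    if max(prio_n, weight_n, port_n) > 0xFFFF:
        raise ValueError(f"priority, weight and port are 16-bit values: {line!r}")
    return SrvRecord(labels[0][1:], labels[1][1:], ".".join(labels[2:]),
                     prio_n, weight_n, port_n, _fqdn(target, origin), ttl_n)

def load(text, origin):
    """Parse every non-empty line, dropping ';' zone-file comments."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            records.add(parse_srv(line, origin))
    return records

def compare(netlogon_text, bind_text, origin):
    """Records Netlogon expects but BIND lacks, and BIND records Netlogon never listed."""
    want, have = load(netlogon_text, origin), load(bind_text, origin)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}

# The record quoted in question 25; the zone origin is an assumption.
PAGE_RECORD = "_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.learnix.com."

# Constructed sample of what a domain controller might write to netlogon.dns.
NETLOGON_DNS = """\
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp.example.test. 600 IN SRV 0 100 88 dc1.example.test.
_ldap._tcp.gc._msdcs.example.test. 600 IN SRV 0 100 3268 dc1.example.test.
"""

# Constructed hand-typed BIND zone: relative names, a different TTL, one typo.
BIND_ZONE = """\
; SRV records copied by hand from netlogon.dns
_ldap._tcp            3600 IN SRV 0 100 389  dc1.example.test.
_ldap._tcp.gc._msdcs  3600 IN SRV 0 100 3289 dc1.example.test.  ; port mistyped
_kerberos._tcp        3600 IN SRV 0 100 88   dc1
"""

if __name__ == "__main__":
    print(parse_srv(PAGE_RECORD, "learnix.com"))
    for kind, records in compare(NETLOGON_DNS, BIND_ZONE, "example.test").items():
        for rec in records:
            print(kind, rec)
```

An "unexpected" record deserves the same attention as a "missing" one, because clients locate domain controllers through whatever host and port the SRV record names.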

26. You are the DNS administrator in your organization and have been looking at your

DNS zone file after the installation of Active Directory. One of the SRV records that

you have identified is the following:

ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 masterdc.mcsejobs.net

Which of the following statements accurately describe this service record?

A. Provides the global catalog service

*B. Provides the ldap service

C. Uses the UDP protocol

*D. Uses the TCP protocol

*E. Has a FQDN of masterdc.mcsejobs.net

Explanation: The above service record provides the LDAP service, using TCP, in the registered domain mcsejobs.net on the computer with a fully qualified domain name of masterdc.mcsejobs.net. The service record does not use the UDP protocol, nor does it provide the global catalog service. A domain controller configured as a global catalog server listens for and replies to LDAP queries on TCP port 3268 but does not run a global catalog service. The correct domain name is mcsejobs.net, not masterdc.mcsejobs.net, because masterdc is the host name, not a part of the domain name.

27. As the DNS administrator in your organization's Windows 2000 domain, you are

responsible for maintaining DNS. You have just made a number of changes to your

Windows 2000 DNS settings in an effort to experiment with the new DNS

functionality. You are interested in seeing the changes that were recorded in the zone

database file from the changes you made through the GUI. Using Windows Explorer,

you open %windir%\system32\dns to view the zone database file but it is not there.

What change could have caused this to disappear?

A. The zone type was changed from Standard Primary to Standard Secondary.

B. The zone type was changed from Standard Secondary to Standard Primary.

C. The zone type was changed from Standard Primary to Active Directory Integrated.

D. The forward lookup zone was configured to allow dynamic updates.

27. As the DNS administrator in your organization's Windows 2000 domain, you are

responsible for maintaining DNS. You have just made a number of changes to your

Windows 2000 DNS settings in an effort to experiment with the new DNS

functionality. You are interested in seeing the changes that were recorded in the zone

database file from the changes you made through the GUI. Using Windows Explorer,

you open %windir%\system32\dns to view the zone database file but it is not there.

What change could have caused this to disappear?

A. The zone type was changed from Standard Primary to Standard Secondary.

B. The zone type was changed from Standard Secondary to Standard Primary.

*C. The zone type was changed from Standard Primary to Active Directory Integrated.

D. The forward lookup zone was configured to allow dynamic updates.

Explanation: When the zone type is changed to Active Directory integrated, the DNS

zone file is added as an object to Active Directory and deleted from its original

location in the path %windir%\system32\dns. Changing the zone type from Standard

Primary to Standard Secondary or vice versa will not affect the location of the zone

database file. Configuring the zone to allow dynamic updates will not affect the

location of the zone database file.

28. You are the administrator of your organization's Windows NT 4 network. Your

network consists of three Windows NT 4 domains that you are planning on

upgrading to a single Windows 2000 domain. You are beginning the migration by

upgrading the two Windows NT 4 member servers that act as DNS servers to

Windows 2000. After the upgrade, you open the DNS snap-in to ensure that all your

resource records were preserved and to look at the new functionality. You notice that

the option to configure an Active Directory integrated zone is not available. What

would cause this?

A. Active Directory must first be installed to configure the zone as Active Directory

integrated.

B. You must be logged on as a member of the enterprise administrators group.

C. You must first stop and start the netlogon service.

D. An upgraded DNS service does not support configuring a zone as Active Directory

integrated. The DNS service should be removed before upgrading the operating

system and reinstalled after the upgrade.

28. You are the administrator of your organization's Windows NT 4 network. Your

network consists of three Windows NT 4 domains that you are planning on

upgrading to a single Windows 2000 domain. You are beginning the migration by

upgrading the two Windows NT 4 member servers that act as DNS servers to

Windows 2000. After the upgrade, you open the DNS snap-in to ensure that all your

resource records were preserved and to look at the new functionality. You notice that

the option to configure an Active Directory integrated zone is not available. What

would cause this?

*A. Active Directory must first be installed to configure the zone as Active Directory integrated.

B. You must be logged on as a member of the enterprise administrators group.

C. You must first stop and start the netlogon service.

D. An upgraded DNS service does not support configuring a zone as Active

Directory integrated. The DNS service should be removed before upgrading the

operating system and reinstalled after the upgrade.

Explanation: Active Directory must first be installed to configure a zone as Active Directory integrated. As you have not yet installed Active Directory, there is no enterprise administrators group to be a member of. Stopping and starting the netlogon service is the recommended way of forcing the creation of the SRV records after Active Directory is installed, but it will not affect your ability to configure the zone as Active Directory integrated. There are no restrictions on configuring a zone as Active Directory integrated on an upgraded DNS service.

29. As one of the team members of the Windows 2000 administrative team, you are

responsible for providing reasons to management why specific decisions were made.

Which of the following benefits only apply to Active Directory DNS and would have

influenced your decision to use Active Directory integrated DNS? (Choose two.)

A. Eliminates single point of failure

B. Allows for secure dynamic update

C. Allows zone transfers only to other Active Directory integrated zones on Windows

2000 servers running DNS

D. The zone file is stored as a text file in the path %windir%\system32\dns

30. Your organization is planning on installing Active Directory and you are working on

getting the DNS configured properly before the rollout. You currently have a BIND

server handling all resolution, and you have created a sub-zone named

ad.mcsejobs.net on the BIND server and delegated authority of that zone to the

Windows 2000 DNS server that will act as the Active Directory domain. You would

like to verify that the Windows 2000 DNS server is authoritative for the newly

delegated zone. Which of the following nslookup commands would provide you with

that information?

A. nslookup -type=ns mscejobs.net

B. nslookup -type=auth mcsejobs.net

C. nslookup -type=ns ad.mcsejobs.net

D. nslookup -type=auth ad.mcsejobs.net

E. nslookup -type=server ad.mcsejobs.net

29. As one of the team members of the Windows 2000 administrative team, you are

responsible for providing reasons to management why specific decisions were made.

Which of the following benefits only apply to Active Directory DNS and would have

influenced your decision to use Active Directory integrated DNS? (Choose two.)

*A. Eliminates single point of failure

*B. Allows for secure dynamic update

C. Allows zone transfers only to other Active Directory integrated zones on

Windows 2000 servers running DNS

D. The zone file is stored as a text file in the path %windir%\system32\dns

Explanation: Active Directory integrated zones eliminate the single point of failure associated with a standard primary DNS server because the DNS zone file becomes an object in Active Directory and replicates with Active Directory to all domain controllers within the domain. Being an object in Active Directory also allows permissions to be set on records within zones to control which computers can update their records. Active Directory integrated DNS zones can be transferred through a zone transfer to any other DNS server, not just Windows 2000 servers running DNS.

30. Your organization is planning on installing Active Directory and you are working on

getting the DNS configured properly before the rollout. You currently have a BIND

server handling all resolution, and you have created a sub-zone named

ad.mcsejobs.net on the BIND server and delegated authority of that zone to the

Windows 2000 DNS server that will act as the Active Directory domain. You would

like to verify that the Windows 2000 DNS server is authoritative for the newly

delegated zone. Which of the following nslookup commands would provide you with

that information?

A. nslookup -type=ns mscejobs.net

B. nslookup -type=auth mcsejobs.net

*C. nslookup -type=ns ad.mcsejobs.net

D. nslookup -type=auth ad.mcsejobs.net

E. nslookup -type=server ad.mcsejobs.net

Explanation: The correct nslookup command is nslookup -type=ns ad.mcsejobs.net. Here nslookup names the utility to run, -type=ns sets the type of record to search for to name servers, and ad.mcsejobs.net is the domain in which you want to search for the information.

31. You are having problems with name resolution in your Windows 2000 Active

Directory domain named ad.mcsejobs.net. You want to confirm that your DNS

forward lookup zone file contains all the address records of your client computers.

What nslookup command would you run to see this information?

A. At the command prompt type nslookup and hit enter. Then type ls -t A

ad.mcsejobs.net

B. At the command prompt type nslookup and hit enter. Then type ls -t IN

ad.mcsejobs.net

C. At the command prompt type nslookup and hit enter. Then type ls -t=A

ad.mcsejobs.net

D. At the command prompt type nslookup ls -t A ad.mcsejobs.net

32. You have just configured a zone on a BIND server to handle resolution for your

Active Directory. The BIND server is version 8.2.2. What can you do to force the

registration of the SRV records?

A. At the Command Prompt type net stop netlogon, followed by net start netlogon.

B. At the Command Prompt type net stop dnssrv, followed by net start dnssrv.

C. At the Command Prompt type ipconfig /registerdns.

D. At the Command Prompt type ipconfig /flushdns

31. You are having problems with name resolution in your Windows 2000 Active

Directory domain named ad.mcsejobs.net. You want to confirm that your DNS

forward lookup zone file contains all the address records of your client computers.

What nslookup command would you run to see this information?

*A. At the command prompt type nslookup and hit enter. Then type ls -t A ad.mcsejobs.net

B. At the command prompt type nslookup and hit enter. Then type ls -t IN ad.mcsejobs.net

C. At the command prompt type nslookup and hit enter. Then type ls -t=A

ad.mcsejobs.net

D. At the command prompt type nslookup ls -t A ad.mcsejobs.net

Explanation: To list all of the address or host records in the domain, type nslookup at the

command prompt followed by enter. Then type ls to list, -t for type, and A for an

Address type of record followed by the domain name of the Active Directory

domain.

32. You have just configured a zone on a BIND server to handle resolution for your

Active Directory. The BIND server is version 8.2.2. What can you do to force the

registration of the SRV records?

*A. At the Command Prompt type net stop netlogon, followed by net start netlogon.

B. At the Command Prompt type net stop dnssrv, followed by net start dnssrv.

C. At the Command Prompt type ipconfig /registerdns.

D. At the Command Prompt type ipconfig /flushdns

Explanation: Stopping and starting the netlogon service with the net stop and net start

commands is one way to force the registration of the SRV records in the DNS or

BIND database.


Introduction

Group Policy in Windows 2000 allows the administrator tremendous control over user

and computer configuration, as well as providing for automation of scripting and for

folder redirection. This is a major feature of Windows 2000 and a feature that Microsoft

has been trumpeting quite loudly. As such, you can expect this area of Windows 2000 to

be tested extensively. If you are not solid on the ins and outs of Group Policy, you will

not pass the test. Preliminary information about Group Policy is covered in other

Windows 2000 books and/or courses. Lastly, familiarity with earlier Windows System

Policy Editor and ntconfig.pol and config.pol configurations will save the reader some

time in learning this very rich area of Active Directory.


Chapter 3: Configuration Management

The objective of this chapter is to provide the reader with an understanding of the following:

1. Implement and troubleshoot Group Policy.

2. Create and modify a Group Policy object (GPO).

3. Link to an existing GPO.

4. Delegate administrative control of Group Policy.

5. Configure Group Policy options.

6. Filter Group Policy settings by using security groups.

7. Modify Group Policy prioritization.

8. Manage and troubleshoot user environments by using Group Policy.

9. Install, configure, manage, and troubleshoot software by using Group Policy.

10. Manage network configuration by using Group Policy.

11. Configure Active Directory to support Remote Installation Services (RIS).

12. Configure RIS options to support remote installations.

13. Configure RIS security.

1. What are three areas in which settings can be made to establish policy for user and

computer configurations? (Choose 3)

A. Administrative Templates

B. Folder Redirection

C. Taskbar Settings

D. Shell Restrictions

E. Software Installation


1. What are three areas in which settings can be made to establish policy for user and

computer configurations? (Choose 3)

*A. Administrative Templates

*B. Folder Redirection

C. Taskbar Settings

D. Shell Restrictions

*E. Software Installation

Explanation: In Windows 2000 the concept of policies takes on new meaning and

increased power and flexibility. The Group Policy allows you to apply

configurations to computer and user accounts across your network, specifying

settings through five extensions: Administrative Templates, Security, Software

Installation, Scripts and Folder Redirection. The Group Policy object is an Active

Directory object that stores the various configuration settings for specified users and

computers. When you create a Group Policy object (GPO), a Group Policy container

is created that stores the version and status information for the GPO, while a folder

structure is created on a specified domain controller to store all of the detailed

information in the five areas named above.


2. Where are Group Policy settings saved in Active Directory?

A. Group Policy settings are a property of an OU object

B. Group Policy settings are a property of a group object

C. Group Policy settings are a property of a Group Policy object

D. Group Policy settings are saved as a file in My Documents on Domain Controllers

3. What two things are automatically created when you create a Group Policy object in

Active Directory?

A. Universal group object

B. Group Policy container

C. Group Policy settings

D. Group Policy template


2. Where are Group Policy settings saved in Active Directory?

A. Group Policy settings are a property of an OU object

B. Group Policy settings are a property of a group object

*C. Group Policy settings are a property of a Group Policy object

D. Group Policy settings are saved as a file in My Documents on Domain Controllers

Explanation: In Windows 2000 the concept of policies takes on new meaning and

increased power and flexibility. The Group Policy allows you to apply

configurations to computer and user accounts across your network, specifying

settings through five extensions: Administrative Templates, Security, Software

Installation, Scripts and Folder Redirection. The Group Policy object is an Active

Directory object that stores the various configuration settings for specified users and

computers. When you create a Group Policy object (GPO), a Group Policy container

is created that stores the version and status information for the GPO, while a folder

structure is created on a specified domain controller to store all of the detailed

information in the five areas named above.

3. What two things are automatically created when you create a Group Policy object in

Active Directory?

A. Universal group object

*B. Group Policy container

C. Group Policy settings

*D. Group Policy template

Explanation: In Windows 2000 the concept of policies takes on new meaning and

increased power and flexibility. The Group Policy allows you to apply

configurations to computer and user accounts across your network, specifying

settings through five extensions: Administrative Templates, Security, Software

Installation, Scripts and Folder Redirection. The Group Policy object is an Active

Directory object that stores the various configuration settings for specified users and

computers. When you create a Group Policy object (GPO), a Group Policy container

is created that stores the version and status information for the GPO, while a folder

structure is created on a specified domain controller to store all of the detailed

information in the five areas named above.


4. What two steps must you take to implement Group Policies in Active Directory?

(Choose 2)

A. You must create a Group Policy object.

B. You must create a Group Policy template.

C. You must create a Group Policy container.

D. You must associate the Group Policy object with the appropriate container.

E. You must associate the Group Policy object with the appropriate Group Policy

template.


4. What two steps must you take to implement Group Policies in Active Directory?

(Choose 2)

*A. You must create a Group Policy object.

B. You must create a Group Policy template.

C. You must create a Group Policy container.

*D. You must associate the Group Policy object with the appropriate container.

E. You must associate the Group Policy object with the appropriate Group Policy template.

Explanation: The Group Policy object is an Active Directory object that stores the

various configuration settings for specified users and computers. When you create a

Group Policy object (GPO), a Group Policy container is created that stores the

version and status information for the GPO, while a folder structure is created on a

specified domain controller to store all of the detailed information in the five areas

named above. To implement policies using Group Policy, you must create a GPO

and then associate it with a specific container so that the policies will affect all users

or computers in that container and all child containers. It is possible for multiple

policies to affect a given object, so Active Directory applies policies in the order site,

then domain, then OU. This gives OU-level policies precedence. This "inheritance"

of policies from parent OU to child OU can be modified by setting either No

Override, which will prevent a child OU from overriding a parent OU setting, or

Block Inheritance, which will allow a child OU to block policies from its parent.


5. What GPO is applied last in Active Directory?

A. Site

B. Domain

C. Parent Container

D. Child Container


5. What GPO is applied last in Active Directory?

A. Site

B. Domain

C. Parent Container

*D. Child Container

Explanation: The Group Policy object is an Active Directory object that stores the

various configuration settings for specified users and computers. When you create a

Group Policy object (GPO), a Group Policy container is created that stores the

version and status information for the GPO, while a folder structure is created on a

specified domain controller to store all of the detailed information in the five areas

named above. To implement policies using Group Policy, you must create a GPO

and then associate it with a specific container so that the policies will affect all users

or computers in that container and all child containers. It is possible for multiple

policies to affect a given object, so Active Directory applies policies in the order site,

then domain, then OU. This gives OU-level policies precedence. This "inheritance"

of policies from parent OU to child OU can be modified by setting either No

Override, which will prevent a child OU from overriding a parent OU setting, or

Block Inheritance, which will allow a child OU to block policies from its parent.


6. What setting can prevent child container policies from overriding parent container

policies?

A. Block Inheritance

B. No Override

C. No Inheritance

D. Block Override


6. What setting can prevent child container policies from overriding parent container

policies?

A. Block Inheritance

*B. No Override

C. No Inheritance

D. Block Override

Explanation: The Group Policy object is an Active Directory object that stores the

various configuration settings for specified users and computers. When you create a

Group Policy object (GPO), a Group Policy container is created that stores the

version and status information for the GPO, while a folder structure is created on a

specified domain controller to store all of the detailed information in the five areas

named above. To implement policies using Group Policy, you must create a GPO

and then associate it with a specific container so that the policies will affect all users

or computers in that container and all child containers. It is possible for multiple

policies to affect a given object, so Active Directory applies policies in the order site,

then domain, then OU. This gives OU-level policies precedence. This "inheritance"

of policies from parent OU to child OU can be modified by setting either No

Override, which will prevent a child OU from overriding a parent OU setting, or

Block Inheritance, which will allow a child OU to block policies from its parent.


7. What are two settings in Group Policies that are not refreshed periodically by

Windows 2000?

A. Administrative Templates

B. Software Installation

C. Security

D. Folder Redirection

E. Scripts


7. What are two settings in Group Policies that are not refreshed periodically by

Windows 2000?

A. Administrative Templates

*B. Software Installation

C. Security

*D. Folder Redirection

E. Scripts

Explanation: Permissions in Active Directory are applied in Active Directory Users and

Computers - View - Advanced Features - Properties - Security. Permissions can be

set using standard permissions, which include Full Control, Read, Write, Create All

Child Objects, and Delete All Child Objects. Permissions can be granted or denied,

and deny takes precedence over the granting of a permission. When permissions are

set in Active Directory, the administrator can decide how the permission should

inherit down the AD structure. This can allow the administrator to set fewer

permissions and let the inheritance process continue to grant access. Windows 2000

will periodically refresh policy settings, by default every 90 minutes, except for

Software Installation and Folder Redirection, which only apply when the computer

starts, or when the user logs in to the network.


8. What are the steps for applying a Group Policy in Active Directory?

A. Go to the appropriate container, right click and choose Properties - Group Policy - Properties - Security and then check the box for APPLY Group Policy.

B. Go to the appropriate Group Policy object, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.

C. Go to the appropriate Group Policy container, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.

D. Open Active Directory Users and Computers and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.


8. What are the steps for applying a Group Policy in Active Directory?

*A. Go to the appropriate container, right click and choose Properties - Group Policy - Properties - Security and then check the box for APPLY Group Policy.

B. Go to the appropriate Group Policy object, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.

C. Go to the appropriate Group Policy container, right click and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.

D. Open Active Directory Users and Computers and choose Properties - Group Policy - Security and then check the box for Allow Group Policy.

Explanation: The Group Policy object is an Active Directory object that stores the

various configuration settings for specified users and computers. When you create a

Group Policy object (GPO), a Group Policy container is created that stores the

version and status information for the GPO, while a folder structure is created on a

specified domain controller to store all of the detailed information in the five areas

named above. To implement policies using Group Policy, you must create a GPO

and then associate it with a specific container so that the policies will affect all users

or computers in that container and all child containers. When you first create a GPO

there are two sets of defaults: the Authenticated Users group will have Read and

Apply Group Policy permissions and the System account and Domain Admins and

Enterprise Admins will have Read, Create All Child Objects and Delete All Child

Objects permissions. To actually set the policy, go to the appropriate container,

right click and choose Properties - Group Policy - Security and then check

the box for Allow Group Policy.


9. What are the two main ways to modify inheritance for Group Policies?

A. Set the "No Override" option

B. Change the order in which GPOs are processed.

C. Set an Inheritance Filter option

D. Set Block Group Policy option

E. Check the "Block Policy Inheritance" option on the Group Policies tab

10. What object in Active Directory enables filtering of GPOs?

A. The associated container object

B. Security groups

C. Universal groups

D. GPO Filters


9. What are the two main ways to modify inheritance for Group Policies?

*A. Set the "No Override" option

B. Change the order in which GPOs are processed.

C. Set an Inheritance Filter option

D. Set Block Group Policy option

*E. Check the "Block Policy Inheritance" option on the Group Policies tab

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. It is possible for multiple

policies to affect a given object, so Active Directory applies policies in the order site,

then domain, then OU. This gives OU-level policies precedence. This "inheritance"

of policies from parent OU to child OU can be modified by setting either No

Override, which will prevent a child OU from overriding a parent OU setting, or

Block Inheritance, which will allow a child OU to block policies from its parent.

Additionally, you can modify the order in which the policies are processed by

changing the order of the GPOs on the Group Policy tab.

10. What object in Active Directory enables filtering of GPOs?

A. The associated container object

*B. Security groups

C. Universal groups

D. GPO Filters

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. It is possible for multiple

policies to affect a given object, so Active Directory applies policies in the order site,

then domain, then OU. This gives OU-level policies precedence. This "inheritance"

of policies from parent OU to child OU can be modified by setting either No

Override, which will prevent a child OU from overriding a parent OU setting, or

Block Inheritance, which will allow a child OU to block policies from its parent.

Additionally, you can modify the order in which the policies are processed by

changing the order of the GPOs on the Group Policy tab. Lastly you can filter who is

affected by a Group Policy by creating Security groups and granting them Apply

Group Policy and Read permissions or removing the permissions to remove them

from the policy.
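
The processing rules described in the explanations above (site, then domain, then OU; No Override; Block Policy Inheritance; link order on the Group Policy tab; filtering by security groups) can be modelled in a few lines. This is an added example, not material from the book. It also encodes two behaviours the text does not spell out: a No Override link is not stopped by Block Policy Inheritance, and the topmost link on the Group Policy tab has the highest priority. All GPO, OU, group and setting names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict  # setting -> "Enabled"/"Disabled"; a missing key is "Not Configured"
    # Security filtering: groups holding both Read and Apply Group Policy on the GPO.
    apply_groups: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_groups: set = field(default_factory=set)  # groups denied Apply Group Policy

    def applies_to(self, member_of):
        if self.deny_groups & member_of:  # deny takes precedence over a grant
            return False
        return bool(self.apply_groups & member_of)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:  # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)  # as listed on the Group Policy tab, top first
    block_inheritance: bool = False


def resolve(path, member_of):
    """Return {setting: (state, winning GPO)} for an account.

    path is the chain of containers in processing order: site, domain,
    parent OU, ..., child OU. member_of is the account's group membership.
    """
    member_of = set(member_of)
    # Ordinary links above the lowest container that blocks inheritance are dropped.
    first_inherited = max(
        (i for i, c in enumerate(path) if c.block_inheritance), default=0
    )
    normal, enforced = [], []
    for depth, container in enumerate(path):
        # The bottom of the list is processed first, so the top entry is applied last.
        for link in reversed(container.links):
            if not link.gpo.applies_to(member_of):
                continue
            if link.no_override:
                enforced.append((depth, link.gpo))
            elif depth >= first_inherited:
                normal.append(link.gpo)
    # No Override links are applied after everything else, deepest container
    # first, so the link highest in the hierarchy has the final word.
    enforced_order = [gpo for _, gpo in sorted(enforced, key=lambda e: -e[0])]
    effective = {}
    for gpo in normal + enforced_order:
        for setting, state in gpo.settings.items():
            effective[setting] = (state, gpo.name)  # later GPOs overwrite earlier ones
    return effective


# Constructed sample hierarchy (names and settings are illustrative only).
SITE_PROXY = GPO("Site-Proxy", {"ProxySettings": "Enabled"})
BASELINE = GPO("Domain-Baseline",
               {"RemoveRunMenu": "Enabled", "ScreenSaverPassword": "Enabled"})
DOMAIN_DESKTOP = GPO("Domain-Desktop", {"Wallpaper": "Enabled"})
SALES_DESKTOP = GPO("Sales-Desktop",
                    {"Wallpaper": "Disabled", "RemoveRunMenu": "Disabled"},
                    deny_groups={"Policy Exempt"})
KIOSK_LOCKDOWN = GPO("Kiosk-Lockdown", {"DisableTaskMgr": "Enabled"},
                     apply_groups={"Kiosk Users"})

SITE = Container("HQ-Site", [Link(SITE_PROXY)])
DOMAIN = Container("ad.mcsejobs.net",
                   [Link(BASELINE, no_override=True), Link(DOMAIN_DESKTOP)])
SALES_OU = Container("Sales", [Link(SALES_DESKTOP)])
KIOSK_OU = Container("Sales/Kiosk", [Link(KIOSK_LOCKDOWN)], block_inheritance=True)

if __name__ == "__main__":
    cases = {
        "Sales user": ([SITE, DOMAIN, SALES_OU], {"Authenticated Users"}),
        "Kiosk user": ([SITE, DOMAIN, SALES_OU, KIOSK_OU],
                       {"Authenticated Users", "Kiosk Users"}),
    }
    for label, (path, groups) in cases.items():
        print(label)
        for setting, (state, source) in sorted(resolve(path, groups).items()):
            print(f"  {setting:22} {state:9} from {source}")
```

For the Sales user, the OU-level GPO wins the Wallpaper conflict but loses RemoveRunMenu to the domain link marked No Override; for the Kiosk user, Block Policy Inheritance removes the site and ordinary domain settings while the No Override baseline still applies.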


11. What are the two areas of configuration displayed in the MMC when you use the

Group Policy console? (Choose 2)

A. Group Policy container

B. Computer Configuration

C. User Configuration

D. Group Policy template

12. What are the names of the three default folders that are created below the User and

Computer Configuration folders in the Group Policy console? (Choose 3)

A. Software Settings

B. Hardware Settings

C. Windows Settings

D. Administrative Settings

E. Administrative Templates


11. What are the two areas of configuration displayed in the MMC when you use the

Group Policy console? (Choose 2)

A. Group Policy container

*B. Computer Configuration

*C. User Configuration

D. Group Policy template

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. Once created, GPOs can be

edited either in the properties of the associated OU, or by creating a custom MMC

using the Group Policy snap-in. Group Policy has two main sections, User

Configuration and Computer Configuration, within each of which are folders entitled

Software Settings, Windows Settings and Administrative Templates.

12. What are the names of the three default folders that are created below the User and

Computer Configuration folders in the Group Policy console? (Choose 3)

*A. Software Settings

B. Hardware Settings

*C. Windows Settings

D. Administrative Settings

*E. Administrative Templates

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. Once created, GPOs can be

edited either in the properties of the associated OU, or by creating a custom MMC

using the Group Policy snap-in. Group Policy has two main sections, User

Configuration and Computer Configuration, within each of which are folders entitled

Software Settings, Windows Settings and Administrative Templates.


13. What Windows 2000 server does the GPO MMC point to when you are configuring

Group Policies?

A. PDC

B. BDC

C. (PDC) Operations Master

D. Master Domain Controller

14. What are the three settings for policies in the Administrative Template? (Choose 3)

A. Allow

B. Deny

C. Enabled

D. Disabled

E. Not Configured


13. What Windows 2000 server does the GPO MMC point to when you are configuring

Group Policies?

A. PDC

B. BDC

*C. (PDC) Operations Master

D. Master Domain Controller

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. Once created, GPOs can be

edited either in the properties of the associated OU, or by creating a custom MMC

using the Group Policy snap-in. Group Policy has two main sections, User

Configuration and Computer Configuration, within each of which are folders entitled

Software Settings, Windows Settings and Administrative Templates. While you are

configuring Group Policy, the console is always pointed to the domain controller

designated as the (PDC) Operations Master.

14. What are the three settings for policies in the Administrative Template? (Choose 3)

A. Allow

B. Deny

*C. Enabled

*D. Disabled

*E. Not Configured

Explanation: To implement policies using Group Policy, you must create a GPO and

then associate it with a specific container so that the policies will affect all users or

computers in that container and all child containers. Once created, GPOs can be

edited either in the properties of the associated OU, or by creating a custom MMC

using the Group Policy snap-in. Group Policy has two main sections, User

Configuration and Computer Configuration, within each of which are folders entitled

Software Settings, Windows Settings and Administrative Templates. Within these

folders, settings are made by modifying the state of check boxes; Enabled, Disabled

and Not Configured are the choices.


15. What is the last script to execute by default when Windows 2000 executes scripts

from Group Policy settings?

A. Computer/Startup

B. Computer/Shutdown

C. User/Logon

D. User/Logoff

16. What are three folders that can be redirected to network locations with Folder

Redirection in Group Policies? (Choose 3)

A. Application Data

B. Applications

C. Program Files

D. My Documents

E. Start Menu


15. What is the last script to execute by default when Windows 2000 executes scripts

from Group Policy settings?

A. Computer/Startup

*B. Computer/Shutdown

C. User/Logon

D. User/Logoff

Explanation: The Group Policy allows you to apply configurations to computer and user

accounts across your network, specifying settings through five extensions:

Administrative Templates, Security, Software Installation, Scripts and Folder

Redirection. Scripts in Windows 2000 can be associated with users or computers,

and so the last script to execute, if one exists, would be the last one listed in the

corresponding Properties dialog box, generally the shutdown script.

16. What are three folders that can be redirected to network locations with Folder

Redirection in Group Policies? (Choose 3)

*A. Application Data

B. Applications

C. Program Files

*D. My Documents

*E. Start Menu

Explanation: The Group Policy allows you to apply configurations to computer and user

accounts across your network, specifying settings through five extensions:

Administrative Templates, Security, Software Installation, Scripts and Folder

Redirection. Folder Redirection allows for the redirection of Application Data,

Desktop, My Documents, My Pictures and Start Menu.


17. What are three guidelines for the implementation of Group Policies in Windows 2000

networks? (Choose 3)

A. Create one Group Policy object for all users in your network to simplify management.

B. Disable the unused portion of a GPO.

C. Limit the number of GPOs that affect a given user or computer.

D. Do not create separate GPOs for each domain.

E. Group related settings in the same GPO rather than in separate GPOs.

18. What are two technologies included in Windows 2000 to help deploy and manage

software throughout a company? (Choose 2)

A. ZAK

B. Windows Installer

C. Installation Wizard

D. Software Installation and Maintenance


17. What are three guidelines for the implementation of Group Policies in Windows 2000

networks? (Choose 3)

A. Create one Group Policy object for all users in your network to simplify

management.

*B. Disable the unused portion of a GPO.

*C. Limit the number of GPOs that affect a given user or computer.

D. Do not create separate GPOs for each domain.

*E. Group related settings in the same GPO rather than in separate GPOs.

Explanation: Microsoft details a number of guidelines for the implementation of Group

Policy in Windows 2000. They suggest that you limit the use of Block Inheritance

and No Override, limit the number of GPOs, disable the unused portion of a GPO,

group related settings in a single GPO, and altogether consider the impact on your

network traffic and logon performance by the creation of GPOs.

18. What are two technologies included in Windows 2000 to help deploy and manage

software throughout a company? (Choose 2)

A. ZAK

*B. Windows Installer

C. Installation Wizard

*D. Software Installation and Maintenance

Explanation: Windows 2000 includes two technologies for deploying and managing

software throughout an organization: Windows Installer and the Software Installation

and Maintenance technology. Windows Installer replaces the old standby

SETUP.EXE with the Windows Installer package or .msi file. This technology

provides for optional features of software being visible in the user interface, but only

installed if used, thereby saving storage space and simplifying installation.

Additionally, Windows Installer can replace missing files automatically, and the

uninstall process is improved. Windows 2000 Software Installation and Maintenance

technology allows for software deployment and management to be integrated with

Active Directory and Group Policy. Working in coordination with Windows Installer

packages, this technology allows for association of Group Policy objects with .msi

packages. Thus, software deployment and maintenance can be automated through

Active Directory.


19. What Windows 2000 technology allows for the automatic install or update of

applications upon startup or logon?

A. Windows Installer

B. ZAK

C. Software Installation and Maintenance

D. Windows 2000 Installation Wizard

20. What are the four stages of the software life cycle? (Choose 4)

A. Preparation

B. Installation

C. Deployment

D. Maintenance

E. Removal


19. What Windows 2000 technology allows for the automatic install or update of

applications upon startup or logon?

A. Windows Installer

B. ZAK

*C. Software Installation and Maintenance

D. Windows 2000 Installation Wizard

Explanation: Windows 2000 includes two technologies for deploying and managing

software throughout an organization: Windows Installer and the Software Installation

and Maintenance technology. Windows Installer replaces the old standby

SETUP.EXE with the Windows Installer package or .msi file. This technology

provides for optional features of software being visible in the user interface, but only

installed if used, thereby saving storage space and simplifying installation.

Additionally, Windows Installer can replace missing files automatically, and the

uninstall process is improved. Windows 2000 Software Installation and Maintenance

technology allows for software deployment and management to be integrated with

Active Directory and Group Policy. Working in coordination with Windows Installer

packages, this technology allows for association of Group Policy objects with .msi

packages. Thus, software deployment and maintenance can be automated through

Active Directory.

20. What are the four stages of the software life cycle? (Choose 4)

*A. Preparation

B. Installation

*C. Deployment

*D. Maintenance

*E. Removal

Explanation: The four phases of the software life cycle are Preparation, Deployment,

Maintenance and Removal. The Preparation phase in Windows 2000 involves

securing a Windows Installer package (.msi) for the application, and/or modifying

the file for deployment. The Deployment phase is centered around either assigning

applications, which will advertise the application on the user desktop, or publishing

applications, which will not advertise the application, but make the installation

available through Add/Remove Programs. The Maintenance phase involves the

delivery of service packs or upgrades, and the Removal phase involves either a

forced removal, where the software is automatically removed, or optional removal,

where the software is not uninstalled and new users cannot install the software.

21. What are three of the steps for deploying software using the Software Installation and

Maintenance technology in Windows 2000? (Choose 3)

A. Visit each workstation and take an inventory of software.

B. Create or acquire an .msi file and the related files for the application.

C. Place the .msi file and associated files on a shared folder.

D. Associate the shared folder with the appropriate OU.

E. Create or modify a GPO to facilitate delivery.

22. How would you deliver a software package using the Software Installation and

Maintenance technology for a department if the software was a primary tool for the

department users?

A. Create a GPO and publish the software to the users.

B. Create a GPO and assign the software to the users.

C. Create a GPO but do not advertise the software.

D. Create a GPO and publish it to the computers in that department.

21. What are three of the steps for deploying software using the Software Installation and

Maintenance technology in Windows 2000? (Choose 3)

A. Visit each workstation and take an inventory of software.

*B. Create or acquire an .msi file and the related files for the application.

*C. Place the .msi file and associated files on a shared folder.

D. Associate the shared folder with the appropriate OU.

*E. Create or modify a GPO to facilitate delivery.

Explanation: The deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software.

22. How would you deliver a software package using the Software Installation and

Maintenance technology for a department if the software was a primary tool for the

department users?

A. Create a GPO and publish the software to the users.

*B. Create a GPO and assign the software to the users.

C. Create a GPO but do not advertise the software.

D. Create a GPO and publish it to the computers in that department.

Explanation: The deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If the use of the application

is required, then you will assign the software to the computers so that the software

will automatically be installed upon startup. If the software is published, it will show

up on the desktop and be installed when the user double-clicks on the icon.

23. You have a department with users who time-share the computers. What is the best

way to deploy software using Software Installation and Maintenance technology so

that the software will be available for all users?

A. Create a GPO and assign the software to the users.

B. Create a GPO and publish the software to the users.

C. Create a GPO and assign the software to the computers.

D. Create a GPO and force install the software on the computers using the Force Run

option.

24. When a software package is published using Software Installation and Maintenance,

how can a user then install the software?

A. The user can install the software by double-clicking on the icon.

B. The user can use Add/Remove Programs in Control Panel to install the software.

C. The user can install the software by simply double-clicking on a file associated with

the software.

D. The user cannot install the software, it will only run remotely.

23. You have a department with users who time-share the computers. What is the best

way to deploy software using Software Installation and Maintenance technology so

that the software will be available for all users?

A. Create a GPO and assign the software to the users.

B. Create a GPO and publish the software to the users.

*C. Create a GPO and assign the software to the computers.

D. Create a GPO and force install the software on the computers using the Force

Run option.

Explanation: The deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If the use of the application

is required, then you will assign the software to the computers so that the software

will automatically be installed upon startup. If the software is published, it will show

up on the desktop and be installed when the user double-clicks on the icon.

24. When a software package is published using Software Installation and Maintenance,

how can a user then install the software?

A. The user can install the software by double-clicking on the icon.

*B. The user can use Add/Remove Programs in Control Panel to install the

software.

C. The user can install the software by simply double-clicking on a file associated

with the software.

D. The user cannot install the software, it will only run remotely.

Explanation: The deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If the use of the application

is required, then you will assign the software to the computers so that the software

will automatically be installed upon startup. If the software is published, it will show

up on the desktop and be installed when the user double-clicks on the icon.

25. What are two differences between assigning and publishing software using Software

Installation and Maintenance technology in Windows 2000? (Choose 2)

A. Published software is not advertised.

B. Assigned software is not advertised.

C. Software cannot be published to computers.

D. Software cannot be published to users.

25. What are two differences between assigning and publishing software using Software

Installation and Maintenance technology in Windows 2000? (Choose 2)

*A. Published software is not advertised.

B. Assigned software is not advertised.

*C. Software cannot be published to computers.

D. Software cannot be published to users.

Explanation: The Deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If the use of the application

is required, then you will assign the software to the computers so that the software

will automatically be installed upon startup. If the software is published, it will show

up on the desktop and be installed when the user double-clicks on the icon.

Publishing software can only be done through users, not through computers, while

assigning can be done through either.

26. What can an administrator use to publish applications when a Windows Installer

package is not available?

A. A Group Policy Object

B. A .zap file

C. An .msi file

D. An Administrative Template

26. What can an administrator use to publish applications when a Windows Installer

package is not available?

A. A Group Policy Object

*B. A .zap file

C. An .msi file

D. An Administrative Template

Explanation: The Deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If a Windows Installer

package is not available, the administrator can create a .zap file, a text file that can be

executed by Windows 2000 Software Installation and Maintenance. These files have

limitations: they can only be published; they will not auto-repair software; they run

the software's SETUP.EXE and often will require user input, and finally, .zap files

require user rights to install the software, something users generally do not have on a

Windows 2000 workstation.

27. What are three limitations when using a .zap file to publish non-Windows Installer

applications? (Choose 3)

A. The applications cannot be assigned.

B. These applications do not show up in Add/Remove Programs in Control Panel.

C. These applications do not auto-repair when files have been deleted or damaged.

D. These applications generally cannot support user customization during the installation.

E. These programs seldom will support an unattended install.

27. What are three limitations when using a .zap file to publish non-Windows Installer

applications? (Choose 3)

*A. The applications cannot be assigned.

B. These applications do not show up in Add/Remove Programs in Control Panel.

*C. These applications do not auto-repair when files have been deleted or damaged.

D. These applications generally cannot support user customization during the

installation.

*E. These programs seldom will support an unattended install.

Explanation: The deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place the file on a shared folder, create or modify a GPO, and finally

configure the GPO to specify whether the software is associated with users or

computers and whether to assign or publish the software. If a Windows Installer

package is not available, the administrator can create a .zap file, a text file that can be

executed by Windows 2000 Software Installation and Maintenance. These files have

limitations: they can only be published; they will not auto-repair software; they run

the software's SETUP.EXE and often will require user input, and finally, .zap files

require user rights to install the software, something users generally do not have on a

Windows 2000 workstation.

28. If a previous version of an application has been installed, what happens during logon

when the administrator has configured a mandatory upgrade in Software Installation

and Maintenance?

A. The software upgrade will proceed automatically.

B. The users will be prompted to upgrade the software at the time of logon.

C. The user will not be allowed to log on until the mandatory upgrade has been

completed.

D. Nothing

28. If a previous version of an application has been installed, what happens during logon

when the administrator has configured a mandatory upgrade in Software Installation

and Maintenance?

A. The software upgrade will proceed automatically.

B. The users will be prompted to upgrade the software at the time of logon.

C. The user will not be allowed to log on until the mandatory upgrade has been

completed.

*D. Nothing

Explanation: The four phases of the software life cycle are preparation, deployment,

maintenance and removal. The preparation phase in Windows 2000 involves

securing a Windows Installer package (.msi) for the application, and/or modifying

the file for deployment. The Maintenance phase involves the delivery of service

packs or upgrades. Upgrades can be deployed as optional or mandatory. Mandatory

upgrades are used to discontinue the use of a previous version of software and force

all users to the new version. This is done in the GPO for the new software,

specifying the original version and checking Required Upgrade for Existing

Packages. The next time the user launches the original software, the upgrade will

proceed. Optional upgrades follow the same process; however, the administrator will

clear the Required Upgrade for Existing Packages box.

29. What method is most effective in deploying a new service pack or software patch in

Software Installation and Maintenance?

A. Mandatory Upgrade

B. Optional Upgrade

C. Redeploy Application

D. Reinstall Application

30. What method would you use to uninstall applications from computers in your

Windows 2000 network?

A. Forced Removal

B. Optional Removal

C. Forced Uninstall

D. Optional Uninstall

29. What method is most effective in deploying a new service pack or software patch in

Software Installation and Maintenance?

A. Mandatory Upgrade

B. Optional Upgrade

*C. Redeploy Application

D. Reinstall Application

Explanation: The four phases of the software life cycle are Preparation, Deployment,

Maintenance and Removal. The Maintenance phase involves the delivery of service

packs or upgrades, and the Removal phase involves either a forced removal, where

the software is automatically removed, or optional removal, where the software is

not uninstalled and new users cannot install the software. Upgrades can be deployed

as optional or mandatory. Mandatory upgrades are used to discontinue the use of a

previous version of software and force all users to the new version. This is done in

the GPO for the new software, specifying the original version and checking Required

Upgrade for Existing Packages. The next time the user launches the original

software, the upgrade will proceed. Optional upgrades follow the same process;

however, the administrator will clear the Required Upgrade for Existing Packages

box. The Maintenance phase of software often involves applying a service pack to

the software. The service pack is placed in the same folder with the original .msi and

the original GPO is modified by checking the Redeploy Application box. The service

pack will then be applied in the same manner as the original application.

30. What method would you use to uninstall applications from computers in your

Windows 2000 network?

*A. Forced Removal

B. Optional Removal

C. Forced Uninstall

D. Optional Uninstall

Explanation: The four phases of the software life cycle are Preparation, Deployment,

Maintenance and Removal. The Removal phase involves either a forced removal,

where the software is automatically removed, or optional removal, where the

software is not uninstalled and new users cannot install the software. Forced removal

causes the software to be automatically uninstalled, and the software cannot be

reinstalled. Optional removal allows the users to continue to use the software, but

does not allow any new installs. Once deleted manually, the application cannot be

reinstalled.

31. What are three capabilities that administrators have when using Software Installation

to manage software on their Windows 2000 network? (Choose 3)

A. The ability to associate file extensions with applications

B. Creating categories of software to prevent users from installing too many applications.

C. The ability to assign to computers based on operating system, for example, Windows

95/98, NT 4.0, 2000.

D. The ability to prevent application installation being invoked through associated

documents.

31. What are three capabilities that administrators have when using Software Installation

to manage software on their Windows 2000 network? (Choose 3)

*A. The ability to associate file extensions with applications

*B. Creating categories of software to prevent users from installing too many

applications.

C. The ability to assign to computers based on operating system, for example,

Windows 95/98, NT 4.0, 2000.

*D. The ability to prevent application installation being invoked through associated

documents.

Explanation: Windows 2000 includes two technologies for deploying and managing

software throughout an organization: Windows Installer and the Software Installation

and Maintenance technology. Windows 2000 Software Installation and Maintenance

technology allows for software deployment and management to be integrated with

Active Directory and Group Policy. Working in coordination with Windows Installer

packages, this technology allows for association of Group Policy objects with .msi

packages. Thus, software deployment and maintenance can be automated through

Active Directory. Additionally, administrators can associate file extensions with

programs in Software Installation, prevent installation through document invocation,

control what programs are listed in Add/Remove Programs, categorize programs in

Add/Remove Programs and have a program automatically uninstall when a GPO no

longer applies to a user.

32. What are three of the deployment options for an application using Windows 2000

Software Installation and Maintenance? (Choose 3)

A. Enable/Disable Auto-install

B. Force Run Yes/No

C. Choice of the Deployment Type

D. Choice of the Installation User Interface

32. What are three of the deployment options for an application using Windows 2000

Software Installation and Maintenance? (Choose 3)

*A. Enable/Disable Auto-install

B. Force Run Yes/No

*C. Choice of the Deployment Type

*D. Choice of the Installation User Interface

Explanation: Windows 2000 includes two technologies for deploying and managing

software throughout an organization: Windows Installer and the Software Installation

and Maintenance technology. Windows 2000 Software Installation and Maintenance

technology allows for software deployment and management to be integrated with

Active Directory and Group Policy. Working in coordination with Windows Installer

packages, this technology allows for association of Group Policy objects with .msi

packages. Thus, software deployment and maintenance can be automated through

Active Directory. Additionally, administrators can associate file extensions with

programs in Software Installation, prevent installation through document invocation,

control what programs are listed in Add/Remove Programs, categorize programs in

Add/Remove Programs and have a program automatically uninstall when a GPO no

longer applies to a user. Within the GPO the administrator can set options on the

Deployment tab of the package including changing deployment type from assigned

to published (or vice versa), setting auto-install upon document activation, causing

an uninstall when the GPO is no longer associated, not allowing the application to be

listed in Add/Remove Programs and choosing the user interface during installation.

33. As the administrator of BFQ, Inc., you have deployed an application using Windows

2000 Software Installation. What are two things that you can do to troubleshoot if the

deployment does not go as planned? (Choose 2)

A. Delete the Group Policy objects and recreate them.

B. Check to see that the application shows up in Add/Remove Programs.

C. Look for an icon on the user desktop.

D. Look for Group Policy conflicts.

34. In a typical software life cycle, what are the four primary tasks for software

management? (Choose 4)

A. Acquire software

B. Test software

C. Deploy Software

D. Maintain software

E. Remove software

33. As the administrator of BFQ, Inc., you have deployed an application using Windows

2000 Software Installation. What are two things that you can do to troubleshoot if the

deployment does not go as planned? (Choose 2)

A. Delete the Group Policy objects and recreate them.

*B. Check to see that the application shows up in Add/Remove Programs.

C. Look for an icon on the user desktop.

*D. Look for Group Policy conflicts.

Explanation: Windows 2000 includes two technologies for deploying and managing

software throughout an organization: Windows Installer and the Software Installation

and Maintenance technology. Windows 2000 Software Installation and Maintenance

technology allows for software deployment and management to be integrated with

Active Directory and Group Policy. While this technology can streamline software

issues, troubleshooting can be troublesome. There are three things that can be

checked if software deployment is not proceeding as expected. First, verify that the

application appears in Add/Remove Programs to determine whether the software was

assigned or published. Secondly, verify that the user has access to the server hosting

the software distribution - that is, is the server available for anyone? Lastly, look for

potential conflicts with GPOs.

34. In a typical software life cycle, what are the four primary tasks for software

management? (Choose 4)

*A. Acquire software

B. Test software

*C. Deploy Software

*D. Maintain software

*E. Remove software

Explanation: The four primary tasks for software maintenance are: Acquisition,

Deployment, Maintenance, and Removal. The Acquisition phase in Windows 2000

involves securing a Windows Installer package (.msi) for the application, and/or

modifying the file for deployment, or creating a .zap file for deployment. The

Deployment phase is centered around either assigning applications, which will

advertise the application on the user desktop, or publishing applications, which will

not advertise the application, but make the installation available through

Add/Remove Programs. The Maintenance phase involves the delivery of service

packs or upgrades, and the Removal phase involves either a forced removal, where

the software is automatically removed, or optional removal, where the software is

not uninstalled and new users cannot install the software.

35. What are three types of files that can be used with Group Policy to deploy

applications? (Choose 3)

A. .sif files

B. Native Windows Installer packages (.msi files)

C. .zip files

D. Repackaged applications (.msi files)

E. .zap files

36. What are two disadvantages of using repackaged application files (.msi) for

application deployment with Group Policies? (Choose 2)

A. Repackaged applications do not self-repair.

B. Repackaged applications will not install features on demand.

C. Repackaged applications cannot be used with an unattended install.

D. Repackaged applications actually cannot be deployed with Group Policies.

35. What are three types of files that can be used with Group Policy to deploy

applications? (Choose 3)

A. .sif files

*B. Native Windows Installer packages (.msi files)

C. .zip files

*D. Repackaged applications (.msi files)

*E. .zap files

Explanation: First the administrator needs to acquire the appropriate .msi file, then place

the file on a shared folder, create or modify a GPO, and finally configure the GPO to

specify whether the software is associated with users or computers and whether to

assign or publish the software. If a Windows Installer package is not available, the

administrator can repackage the application (creating a .msi file) or create a .zap file,

a text file that can be executed by Windows 2000 Software Installation and

Maintenance. These .zap files have limitations: they can only be published; they will

not auto-repair software; they run the software's SETUP.EXE and often will require

user input, and finally, .zap files require user rights to install the software,

something users generally do not have on a Windows 2000 workstation. Repackaged

(.msi) files also do not support auto-repair and do not install features on-demand.

36. What are two disadvantages of using repackaged application files (.msi) for

application deployment with Group Policies? (Choose 2)

*A. Repackaged applications do not self-repair.

*B. Repackaged applications will not install features on demand.

C. Repackaged applications cannot be used with an unattended install.

D. Repackaged applications actually cannot be deployed with Group Policies.

Explanation: First the administrator needs to acquire the appropriate .msi file, then place

the file on a shared folder, create or modify a GPO, and finally configure the GPO to

specify whether the software is associated with users or computers and whether to

assign or publish the software. If a Windows Installer package is not available, the

administrator can repackage the application (creating a .msi file) or create a .zap file,

a text file that can be executed by Windows 2000 Software Installation and

Maintenance. These .zap files have limitations: they can only be published; they will

not auto-repair software; they run the software's SETUP.EXE and often will require

user input, and finally, .zap files require user rights to install the software,

something users generally do not have on a Windows 2000 workstation. Repackaged

(.msi) files also do not support auto-repair and do not install features on-demand.

37. How does a .zap file improve the deployment process for applications that have

native Windows Installer packages (.msi)?

A. The .zap file provides the unattended information for the installation of the

application.

B. The .zap file contains instructions on how to publish the application, and is used to

point to the .msi file.

C. It does not, but the .zap file contains instructions on how to publish the application,

which is then installed using the setup.exe for the application.

D. The .zap file contains the application program code compressed so that the installation

can proceed more quickly.

37. How does a .zap file improve the deployment process for applications that have

native Windows Installer packages (.msi)?

A. The .zap file provides the unattended information for the installation of the

application.

B. The .zap file contains instructions on how to publish the application, and is used

to point to the .msi file.

*C. It does not, but the .zap file contains instructions on how to publish the

application, which is then installed using the setup.exe for the application.

D. The .zap file contains the application program code compressed so that the

installation can proceed more quickly.

Explanation: First the administrator needs to acquire the appropriate .msi file, then place

the file on a shared folder, create or modify a GPO, and finally configure the GPO to

specify whether the software is associated with users or computers and whether to

assign or publish the software. If a Windows Installer package is not available, the

administrator can repackage the application (creating a .msi file) or create a .zap file,

a text file that can be executed by Windows 2000 Software Installation and

Maintenance. These .zap files have limitations: they can only be published; they will

not auto-repair software; they run the software's SETUP.EXE and often will require

user input, and finally, .zap files require user rights to install the software,

something users generally do not have on a Windows 2000 workstation. Repackaged

(.msi) files also do not support auto-repair and do not install features on-demand.

38. After you have acquired software and wish to deploy it using Windows 2000, what

are your next two steps? (Choose 2)

A. Install it on a source computer.

B. Copy the software to a distribution computer.

C. Create or edit an answer file for the deployment of the software.

D. Create or edit a Group Policy for the deployment of the software.

E. Create a CD-based image of the software for deployment.

38. After you have acquired software and wish to deploy it using Windows 2000, what

are your next two steps? (Choose 2)

A. Install it on a source computer.

*B. Copy the software to a distribution computer.

C. Create or edit an answer file for the deployment of the software.

*D. Create or edit a Group Policy for the deployment of the software.

E. Create a CD-based image of the software for deployment.

Explanation: The Deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place or copy the file on a shared folder at a distribution point, create or

modify a GPO, and finally configure the GPO to specify whether the software is

associated with users or computers and whether to assign or publish the software. If

the use of the application is required, then you will assign the software to the

computers so that the software will automatically be installed upon startup. If the

software is published, it will show up on the desktop and be installed when the user

double-clicks on the icon. Publishing software can only be done through users, not

through computers, while assigning can be done through either.

39. What are three options available during the configuration of deployment options in a

Group Policy? (Choose 3)

A. Deployment type

B. Auto-install this application by file extension activation

C. Auto-repair this application

D. Uninstall this application when GPO no longer applies to users or computers

E. Custom deployment

40. When configuring deployment options in a Group Policy, what are two choices that

may be presented to a user during the installation of an application using an .msi

file? (Choose 2)

A. Basic

B. Compact

C. Custom

D. Maximum

39. What are three options available during the configuration of deployment options in a

Group Policy? (Choose 3)

*A. Deployment type

*B. Auto-install this application by file extension activation

C. Auto-repair this application

*D. Uninstall this application when GPO no longer applies to users or computers

E. Custom deployment

Explanation: The Deployment phase is centered around either assigning applications,

which will advertise the application on the user desktop, or publishing applications,

which will not advertise the application, but make the installation available through

Add/Remove Programs. First the administrator needs to acquire the appropriate .msi

file, then place or copy the file on a shared folder at a distribution point, create or

modify a GPO, and finally configure the GPO to specify whether the software is

associated with users or computers and whether to assign or publish the software. In

the configuration of the GPO, the administrator has five options for deployment: to

specify the deployment type (assigned or published), auto install by file activation,

uninstall when GPO no longer applies to users or computers, do not display in

Add/Remove Programs, and setting the user interface options.

40. When configuring deployment options in a Group Policy, what are two choices that

may be presented to a user during the installation of an application using an .msi

file? (Choose 2)

*A. Basic

B. Compact

C. Custom

*D. Maximum

Explanation: In the configuration of the GPO, the administrator has five options for

deployment: to specify the deployment type (assigned or published), auto install by

file activation, uninstall when GPO no longer applies to users or computers, do not

display in Add/Remove Programs, and setting the user interface options. Installations

involving an .msi file may support a Basic or Maximum installation; otherwise the

user interface options are meaningless.

41. In planning for the deployment of an application, you have learned that the vendor

does not have an .msi file, and the application cannot be repackaged. What is your

next alternative for deployment of this application using Group Policies?

A. Create a CD-based image.

B. Create a RIPrep image.

C. Create a .zap file.

D. Create a GPO boot disk.

42. What two parameters are required for the creation and use of a .zap file? (Choose 2)

A. [Ext]

B. FriendlyName

C. Publisher

D. SetupCommand

E. [Application]

41. In planning for the deployment of an application, you have learned that the vendor

does not have an .msi file, and the application cannot be repackaged. What is your

next alternative for deployment of this application using Group Policies?

A. Create a CD-based image.

B. Create a RIPrep image.

*C. Create a .zap file.

D. Create a GPO boot disk.

Explanation: The administrator needs to acquire the appropriate .msi file, then place the

file on a shared folder, create or modify a GPO, and finally configure the GPO to

specify whether the software is associated with users or computers and whether to

assign or publish the software. If a Windows Installer package is not available, the

administrator can repackage the application (creating a .msi file) or create a .zap file,

a text file that can be executed by Windows 2000 Software Installation and

Maintenance. These .zap files have limitations: they can only be published; they will

not auto-repair software; they run the software's SETUP.EXE and often will require

user input, and finally, .zap files require user rights to install the software,

something users generally do not have on a Windows 2000 workstation. Repackaged

(.msi) files also do not support auto-repair and do not install features on-demand.

42. What two parameters are required for the creation and use of a .zap file? (Choose 2)

A. [Ext]

*B. FriendlyName

C. Publisher

*D. SetupCommand

E. [Application]

Explanation: If a Windows Installer package is not available, the administrator can

repackage the application (creating a .msi file) or create a .zap file, a text file that can

be executed by Windows 2000 Software Installation and Maintenance. A .zap file is

a text file and has two main sections: [Application] and [Ext]. The [Application]

section contains parameters FriendlyName, to specify a descriptive name,

SetupCommand, for the UNC path to the setup.exe for installation, DisplayVersion,

for the application version number, Publisher, to specify the vendor, and URL, to

specify the vendor website location.

43. What can you create to make the published applications that appear in Add/Remove

Programs easier to locate?

A. .zap files

B. Categories

C. Program groups

D. .msi files

44. What are three tasks that can be automated through Group Policies to make

application deployment easier? (Choose 3)

A. Application upgrades

B. Service pack deployment

C. Menu customization

D. Software removal

43. What can you create to make the published applications that appear in Add/Remove

Programs easier to locate?

A. .zap files

*B. Categories

C. Program groups

D. .msi files

Explanation: The administrator needs to acquire the appropriate .msi file, then place the

file on a shared folder, create or modify a GPO, and finally configure the GPO to

specify whether the software is associated with users or computers and whether to

assign or publish the software. If the administrator decides to publish applications

(which will then appear in Add/Remove Programs), then these applications can be

further organized by logically grouping them in Add/Remove Programs into

categories.

44. What are three tasks that can be automated through Group Policies to make

application deployment easier? (Choose 3)

*A. Application upgrades

*B. Service pack deployment

C. Menu customization

*D. Software removal

Explanation: Maintaining and removing software involves the delivery of service packs

for applications, upgrades, and the eventual removal of the application. Upgrades can

be deployed as optional or mandatory. Mandatory upgrades are used to discontinue

the use of a previous version of software and force all users to the new version. This

is done in the GPO for the new software, specifying the original version and

checking Required Upgrade for Existing Packages. The next time the user launches

the original software, the upgrade will proceed. Optional upgrades follow the same

process; however, the administrator clears the Required Upgrade for Existing

Packages box.

45. What are the two types of automatic upgrades available in Group Policy deployment?

(Choose 2)

A. Automatic

B. Mandatory

C. Custom

D. Optional

46. What two tasks must you perform to deploy a service pack or software update?

(Choose 2)

A. Place the service pack or software update in the same folder as the original .msi file

and also place an updated .msi or an .msp file for deployment.

B. Place the service pack or software update in the same folder as the original .msi file

and create a .zap file for deployment.

C. In the GPO that originally deployed the application, click Redeploy Application.

D. In the GPO that was originally used for deployment, click Service Pack or Software

Update.

45. What are the two types of automatic upgrades available in Group Policy deployment?

(Choose 2)

A. Automatic

*B. Mandatory

C. Custom

*D. Optional

Explanation: Maintaining and removing software involves the delivery of service packs

for applications, upgrades, and the eventual removal of the application. Upgrades can

be deployed as optional or mandatory. Mandatory upgrades are used to discontinue

the use of a previous version of software and force all users to the new version. This

is done in the GPO for the new software, specifying the original version and

checking Required Upgrade for Existing Packages. The next time the user launches

the original software, the upgrade will proceed. Optional upgrades follow the same

process; however, the administrator needs to clear the Required Upgrade for Existing

Packages box.

46. What two tasks must you perform to deploy a service pack or software update?

(Choose 2)

*A. Place the service pack or software update in the same folder as the original .msi

file and also place an updated .msi or an .msp file for deployment.

B. Place the service pack or software update in the same folder as the original .msi

file and create a .zap file for deployment.

*C. In the GPO that originally deployed the application, click Redeploy Application.

D. In the GPO that was originally used for deployment, click Service Pack or

Software Update.

Explanation: Maintaining and removing software involves the delivery of service packs

for applications, upgrades, and the eventual removal of the application. The

deployment of service packs requires the administrator to acquire not only the

service pack, but also the new .msi or .msp file. These must be placed in the same

folder as the original .msi file, and then the original GPO must be modified to

Redeploy Application.

47. What are the two software removal options in software deployment using Group

Policy? (Choose 2)

A. Automatic

B. Forced

C. Custom

D. Optional

48. What are three strategies for assigning or publishing software? (Choose 3)

A. Assign the application to users

B. Publish the application to users

C. Assign the application to computers

D. Publish the application to computers

47. What are the two software removal options in software deployment using Group

Policy? (Choose 2)

A. Automatic

*B. Forced

C. Custom

*D. Optional

Explanation: Maintaining and removing software involves the delivery of service packs

for applications, upgrades, and the eventual removal of the application. Software

removal allows for a forced or optional removal. With forced, the software is

automatically deleted, either the next time the user logs on or the next time the

computer is turned on (depending on whether the application was assigned to the

user or the computer). In optional removal, any new users or computers simply

cannot install the application. It is not automatically removed, and cannot be

reinstalled if it is manually removed.

48. What are three strategies for assigning or publishing software? (Choose 3)

*A. Assign the application to users

*B. Publish the application to users

*C. Assign the application to computers

D. Publish the application to computers

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon.

49. You want an application to always appear on a user's Start menu. What strategy will

you use to accomplish this?

A. Assign the application to users

B. Assign the application to computers

C. Publish the application to users

D. Publish the application to computers

50. You do not want users to be able to remove an application from their computers.

What strategy will you use to accomplish this?

A. Assign the application to users

B. Assign the application to computers

C. Publish the application to users

D. Publish the application to computers

49. You want an application to always appear on a user's Start menu. What strategy will

you use to accomplish this?

*A. Assign the application to users

B. Assign the application to computers

C. Publish the application to users

D. Publish the application to computers

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon.

50. You do not want users to be able to remove an application from their computers.

What strategy will you use to accomplish this?

A. Assign the application to users

*B. Assign the application to computers

C. Publish the application to users

D. Publish the application to computers

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon.

51. What are two strategies for applying software deployment policies in Active

Directory? (Choose 2)

A. Create OUs based on software needs

B. Deploy software in the lowest level OUs

C. Create OUs based on location

D. Deploy software high in the Active Directory tree

52. What are three recommendations for optimizing the software deployment process?

(Choose 3)

A. Use domain controllers for software distribution.

B. Assign applications to users rather than to computers.

C. Use member servers for software distribution.

D. Use DFS for software deployment.

E. Assign applications to computers rather than to users.

51. What are two strategies for applying software deployment policies in Active

Directory? (Choose 2)

*A. Create OUs based on software needs

B. Deploy software in the lowest level OUs

C. Create OUs based on location

*D. Deploy software high in the Active Directory tree

Explanation: Microsoft recommends four strategies for deploying applications through

policies in Active Directory: create OUs based on software needs for targeted

applications, deploy software high in the AD tree for organization-wide

applications, deploy one application for each GPO for more flexibility in maintaining

applications, or deploy multiple applications with a single GPO to reduce

administrative overhead.

52. What are three recommendations for optimizing the software deployment process?

(Choose 3)

A. Use domain controllers for software distribution.

*B. Assign applications to users rather than to computers.

*C. Use member servers for software distribution.

*D. Use DFS for software deployment.

E. Assign applications to computers rather than to users.

Explanation: To optimize the performance of the actual deployment process,

administrators can use member servers as distribution points so that domain

controllers will not be burdened by the additional load, assign applications to users

rather than computers so that they will not be automatically installed when the

computer starts up, and use DFS (Distributed File System) to load balance the

software distribution.

53. What are two strategies for deploying software across slow network links? (Choose 2)

A. Disable software installation across slow links

B. Modify slow link detection for Group Policy

C. In Deployment Properties check the Auto-install this application by file extension

activation button.

D. Modify deployment options to prevent published software installation across slow

links.

54. What do you check when users cannot find an assigned application on their Start

menu or in Add/Remove Programs?

A. Verify that the user has logged on to the computer.

B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

D. Verify that you deployed the application by using a UNC path rather than a local path.

E. Check for a lower-level GPO with its Block Policy Inheritance option set.

53. What are two strategies for deploying software across slow network links? (Choose 2)

A. Disable software installation across slow links

*B. Modify slow link detection for Group Policy

C. In Deployment Properties check the Auto-install this application by file extension

activation button.

*D. Modify deployment options to prevent published software installation across

slow links.

Explanation: Software deployment across slow WAN links can be especially

troublesome. Try opening the Default Domain Policy GPO and resetting the slow

link detection threshold (by default 500 Kbps). Administrators need to be aware that

policies are disabled across slow links by default, and must be allowed to enable

installation at remote locations. Lastly, published applications can still be installed at

remote locations through Add/Remove Programs, unless the administrator sets the

application to not display in Add/Remove Programs and clears the Auto-install by

file extension activation box.

54. What do you check when users cannot find an assigned application on their Start

menu or in Add/Remove Programs?

A. Verify that the user has logged on to the computer.

B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

D. Verify that you deployed the application by using a UNC path rather than a local

path.

*E. Check for a lower-level GPO with its Block Policy Inheritance option set.

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon. If an application does not

appear in Add/Remove Programs, then the administrator should check to see if a

lower-level GPO has Block Policy Inheritance set.

55. What do you check when users cannot install an application that you either assigned

or published to users?

A. Verify that the user has logged on to the computer.

B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

D. Verify that you deployed the application by using a UNC path rather than a local path.

E. Check for a lower-level GPO with its Block Policy Inheritance option set.

55. What do you check when users cannot install an application that you either assigned

or published to users?

A. Verify that the user has logged on to the computer.

*B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

D. Verify that you deployed the application by using a UNC path rather than a local

path.

E. Check for a lower-level GPO with its Block Policy Inheritance option set.

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon. If users can see the

application, but cannot install it, then check their permissions to the distribution

point.

56. What do you check when Windows Installer cannot locate a package when users

attempt to install an application?

A. Verify that the user has logged on to the computer.

B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

D. Verify that you deployed the application by using a UNC path rather than a local path.

E. Check for a lower-level GPO with its Block Policy Inheritance option set.

56. What do you check when Windows Installer cannot locate a package when users

attempt to install an application?

A. Verify that the user has logged on to the computer.

B. Verify that the users have access to the software distribution computer.

C. Make sure the appropriate .msi file is located in the application folder.

*D. Verify that you deployed the application by using a UNC path rather than a

local path.

E. Check for a lower-level GPO with its Block Policy Inheritance option set.

Explanation: Deployment is centered on either assigning or publishing applications.

Assigning applications to users will advertise the application on the user Start menu,

while assigning applications to computers will cause the application install to start

immediately upon computer startup. Publishing applications can only be done to

users and will not advertise the application but make the installation available

through Add/Remove Programs. If the use of the application is required, then you

will assign the software to the computers so that the software will automatically be

installed upon startup. If the software is published, it will show up on the desktop

and be installed when the user double-clicks on the icon. If Windows Installer cannot

locate the application package when users attempt to install, then check to see if you

set the path to the .msi file using a local path rather than a UNC path (the correct way!).

57. What are the two main uses for Administrative Templates? (Choose 2)

A. They define the rights and permissions that Administrators have in the appropriate

OU.

B. They define the user interface for the GPO console.

C. They determine the registry modifications that may be applied to anyone who uses the

template.

D. They can be used to create Administrative accounts with the same properties.

57. What are the two main uses for Administrative Templates? (Choose 2)

A. They define the rights and permissions that Administrators have in the

appropriate OU.

*B. They define the user interface for the GPO console.

*C. They determine the registry modifications that may be applied to anyone who uses the template.

D. They can be used to create Administrative accounts with the same properties.

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates written for Windows 2000 applications use Group Policy settings, which write to either \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies, and are automatically removed if the GPO is deleted or unlinked. Users cannot override these Group Policy settings. For applications that are not written for Windows 2000, the administrator will configure Administrative Templates using preferences. Preferences write to the registry anywhere but the two locations above. These registry modifications remain even if the GPO is unlinked or deleted and may be modified by the users.


58. What are two differences between Group Policy settings and preferences? (Choose 2)

A. Settings create registry entries that users can modify, while preferences create entries

that cannot be modified.

B. Preferences create registry entries that users can modify, while settings create entries

that cannot be modified.

C. Settings write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while preferences write to any registry key but these.

D. Preferences write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while settings write to any registry key but these.


58. What are two differences between Group Policy settings and preferences? (Choose 2)

A. Settings create registry entries that users can modify, while preferences create

entries that cannot be modified.

*B. Preferences create registry entries that users can modify, while settings create

entries that cannot be modified.

*C. Settings write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while preferences write to any registry key but these.

D. Preferences write to \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies while settings write to any registry key but these.

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates written for Windows 2000 applications use Group Policy settings, which write to either \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies, and are automatically removed if the GPO is deleted or unlinked. Users cannot override these Group Policy settings. For applications that are not written for Windows 2000, the administrator will configure Administrative Templates using preferences. Preferences write to the registry anywhere but the two locations above. These registry modifications remain even if the GPO is unlinked or deleted and may be modified by the users.


59. What three things are required elements in Administrative Templates? (Choose 3)

A. Tags

B. Properties

C. Values

D. Settings

E. Controls


59. What three things are required elements in Administrative Templates? (Choose 3)

*A. Tags

B. Properties

*C. Values

D. Settings

*E. Controls

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY, KEYNAME, PART and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.


60. What are three elements in Administrative Templates that can provide interface

elements (controls) that can be manipulated in Group Policy? (Choose 3)

A. CHECKBOX

B. CLASS

C. EDITTEXT

D. CATEGORY

E. NUMERIC


60. What are three elements in Administrative Templates that can provide interface

elements (controls) that can be manipulated in Group Policy? (Choose 3)

*A. CHECKBOX

B. CLASS

*C. EDITTEXT

D. CATEGORY

*E. NUMERIC

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY, KEYNAME, PART and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.


61. What control is the recommended control for most policies when configuring

Administrative Templates?

A. CHECKBOX

B. EDITTEXT

C. COMBOBOX

D. DROPDOWNLIST


61. What control is the recommended control for most policies when configuring

Administrative Templates?

*A. CHECKBOX

B. EDITTEXT

C. COMBOBOX

D. DROPDOWNLIST

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, Values are variables that might appear in the user interface or might be written to the registry, and Controls define user interface elements manipulated within the Group Policy. The required Tags in creating an Administrative Template are CLASS, which specifies the root key and has two Tags: CLASS USER for HKEY_CURRENT_USER and CLASS MACHINE for HKEY_LOCAL_MACHINE; CATEGORY, for naming registry-based policies that are not the default policies; POLICY, KEYNAME, PART and VALUENAME. Within controls, the most significant entry is specifying a CHECKBOX control under PART. This defines a graphical toggle for enabling or disabling a policy-based registry setting. Similar to the check box in the old System Policy Editor, this allows the administrator to create checkboxes for controlling settings. Other important control elements include EDITTEXT, COMBOBOX, DROPDOWNLIST, NUMERIC and LISTBOX.


62. What character(s) indicate the use of a variable in an Administrative Template string?

A. %

B. *

C. !!

D. %string%


62. What character(s) indicate the use of a variable in an Administrative Template string?

A. %

B. *

*C. !!

D. %string%

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, values are variables that might appear in the user interface or might be written to the registry, and controls define user interface elements manipulated within the Group Policy. Strings are used to define variables used within the body of the template and can be modified for templates that will be converted to other languages (French, German, etc). Variables are indicated in the body of a template by preceding the string with !!.
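The template structure described in the explanations above (CLASS, CATEGORY, POLICY, KEYNAME, PART, VALUENAME, controls and !! string references) and the settings-versus-preferences distinction from question 58 can be checked mechanically. The following Python code is an added example, not taken from the book: it parses a small constructed .adm template and reports which values land in the two policy branches and which are preferences. The ExampleCorp key, the string names and the function names are assumptions made for illustration.

```python
import re

# Constructed sample template (not from the book). "ExampleCorp" is a made-up
# vendor key; CurrentVersion is written as the single key name the registry uses.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!StartMenuCat
  POLICY !!HideRun
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
  END POLICY
END CATEGORY

CLASS MACHINE
CATEGORY !!InventoryCat
  KEYNAME "Software\ExampleCorp\Inventory"
  POLICY !!InventoryServer
    PART !!ServerLabel EDITTEXT
      VALUENAME "Server"
    END PART
    PART !!VerboseLabel CHECKBOX
      VALUENAME "Verbose"
    END PART
  END POLICY
END CATEGORY

[strings]
StartMenuCat="Start menu restrictions"
HideRun="Remove Run from the Start menu"
InventoryCat="Inventory client"
InventoryServer="Inventory server settings"
ServerLabel="Server name"
VerboseLabel="Verbose logging"
'''

ROOTS = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
# The two branches the text reserves for true Group Policy settings.
POLICY_BRANCHES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)


def is_policy_key(key):
    """True if key is, or lies under, one of the two policy branches."""
    k = key.strip("\\").lower()
    return any(k == b or k.startswith(b + "\\") for b in POLICY_BRANCHES)


def parse_adm(text):
    """Return one record per VALUENAME: root key, key path, value, UI control."""
    parts = re.split(r"(?im)^\s*\[strings\]\s*$", text, maxsplit=1)
    body, tail = parts[0], parts[1] if len(parts) > 1 else ""
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', tail))

    def resolve(tok):
        # "!!Name" refers to an entry in [strings]; anything else is a literal.
        if tok.startswith("!!"):
            return strings.get(tok[2:], "<undefined %s>" % tok)
        return tok.strip('"')

    root, frames, records = None, [], []
    for line in body.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)
        if not tok or tok[0].startswith(";"):      # blank line or comment
            continue
        tag = tok[0].upper()
        if tag == "CLASS":
            root = ROOTS[tok[1].upper()]
        elif tag in ("CATEGORY", "POLICY", "PART"):
            control = tok[2].upper() if tag == "PART" and len(tok) > 2 else None
            frames.append({"tag": tag, "name": resolve(tok[1]),
                           "key": None, "control": control})
        elif tag == "KEYNAME":
            frames[-1]["key"] = resolve(tok[1])    # scoped to the enclosing block
        elif tag == "VALUENAME":
            # Innermost KEYNAME wins: PART, then POLICY, then CATEGORY.
            key = next((f["key"] for f in reversed(frames) if f["key"]), "")
            policy = next(f["name"] for f in reversed(frames)
                          if f["tag"] == "POLICY")
            records.append({
                "root": root, "key": key, "value": resolve(tok[1]),
                "policy": policy,
                "control": frames[-1]["control"] or "POLICY",
                "managed": is_policy_key(key),
            })
        elif tag == "END" and frames:
            frames.pop()
    return records


def preferences(records):
    """Registry values written outside the policy branches (preferences)."""
    return ["%s\\%s\\%s" % (r["root"], r["key"], r["value"])
            for r in records if not r["managed"]]


if __name__ == "__main__":
    for rec in parse_adm(SAMPLE_ADM):
        kind = "policy" if rec["managed"] else "preference"
        print("%-10s %-8s %s\\%s\\%s  [%s]" % (
            kind, rec["control"], rec["root"], rec["key"], rec["value"],
            rec["policy"]))
```

Anything `preferences()` returns is a value that, per the explanation for question 58, stays in the registry after the GPO is unlinked and can be changed by users.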


63. What are the two default Administrative Templates that are added to every GPO as it

is created? (Choose 2)

A. System.adm

B. Default.adm

C. Inetres.adm

D. Policy.adm


63. What are the two default Administrative Templates that are added to every GPO as it

is created? (Choose 2)

*A. System.adm

B. Default.adm

*C. Inetres.adm

D. Policy.adm

Explanation: Administrative Templates define the user interface for the Group Policy console and also determine registry modifications that can be made whenever the template is used. Each time a GPO is created, two default templates are added: System.adm and Inetres.adm. Rather than creating custom templates, administrators should modify the System.adm and add their custom settings. Otherwise, a separate custom template has to be added to each GPO separately as needed. Templates are text files made up of Tags, Values and Controls. Tags provide an action or command name, values are variables that might appear in the user interface or might be written to the registry, and controls define user interface elements manipulated within the Group Policy. Strings are used to define variables used within the body of the template and can be modified for templates that will be converted to other languages (French, German, etc). Variables are indicated in the body of a template by preceding the string with !!.


64. You are the administrator of a small Windows 2000 domain that consists of 4

member servers and two domain controllers in one domain named Wazzoo.com. The

company has 45 users and is growing quickly. You would like to provide the 45

users with access to an inventory database on one of the Windows 2000 member

servers. What is the best way to grant all users access to the database?

A. Create a domain local group and add the Domain Users global group to the domain

local group. Grant the domain local group read and write permission to the database.

B. Create a local group on the member server and add the Domain Users global group to

the local group. Grant the local group read and write permission to the database.

C. Grant read and write permission to the Domain Users global group for the database.

D. Create a global security group called dbusers and add the Domain Users global group

to the dbusers group. Create a domain local group called database and add the

dbusers global group as a member. Grant the dbusers group read and write

permission to the database.

65. What are three security settings available in Group Policy to ensure network security?

(Choose 3)

A. Account Policies

B. Event Log

C. Application Data

D. Registry


64. You are the administrator of a small Windows 2000 domain that consists of 4

member servers and two domain controllers in one domain named Wazzoo.com. The

company has 45 users and is growing quickly. You would like to provide the 45

users with access to an inventory database on one of the Windows 2000 member

servers. What is the best way to grant all users access to the database?

*A. Create a domain local group and add the Domain Users global group to the domain local group. Grant the domain local group read and write permission to the database.

B. Create a local group on the member server and add the Domain Users global group to the local group. Grant the local group read and write permission to the database.

C. Grant read and write permission to the Domain Users global group for the

database.

D. Create a global security group called dbusers and add the Domain Users global

group to the dbusers group. Create a domain local group called database and add

the dbusers global group as a member. Grant the dbusers group read and write

permission to the database.

Explanation: Domain local groups are designed to be used to assign permissions to

resources. Global groups should contain users and should be added to domain local

groups to grant their members access to resources based on local group

memberships.

65. What are three security settings available in Group Policy to ensure network security?

(Choose 3)

*A. Account Policies

*B. Event Log

C. Application Data

*D. Registry

Explanation: Group Policy allows you to apply configurations to computer and user accounts across your network, specifying settings through five extensions: Administrative Templates, Security, Software Installation, Scripts and Folder Redirection. The Security settings extension allows the administrator to configure settings in the following areas: Account Policies, which can include password policies, account lockout policies and Kerberos v5 policies; Local Policies, for computers and mostly concerned with auditing policies, user rights, etc.; Event Log, specifying the parameters for the logs; Restricted Group, allowing the management of built-in groups; and Registry settings.


Note: The remaining questions in this chapter cover two pages each.


66. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a Web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are responsible for creating a group policy that establishes password and account

policy settings to employees of mcsejobs.net. You need to ensure that the group

policies are always available to users when they are logging on. Where would you

create and place the group policy that contains the password and account policy

settings?

A. Create one group policy in the mcsejobs.net domain.

B. Create one group policy for each domain with the same settings.

C. Create one group policy in the mcsejobs.net domain and create links from each

child domain to the parent domain.

D. Create one group policy in the mcsejobs.net domain and enable the No Override

option.

E. Create one group policy with the same settings in both the America and Europe

domains.


66. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a Web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are responsible for creating a group policy that establishes password and account

policy settings to employees of mcsejobs.net. You need to ensure that the group

policies are always available to users when they are logging on. Where would you

create and place the group policy that contains the password and account policy

settings?

A. Create one group policy in the mcsejobs.net domain.

B. Create one group policy for each domain with the same settings.

C. Create one group policy in the mcsejobs.net domain and create links from each

child domain to the parent domain.

D. Create one group policy in the mcsejobs.net domain and enable the No Override

option.

*E. Create one group policy with the same settings in both the America and Europe domains.

Explanation: Creating one group policy with the same settings in both America and Europe would achieve the required results and allow all users to receive the security settings. Creating one group policy for each domain with the same settings would allow all the users in each domain to receive the policy, but because there are no users other than those created by default in the mcsejobs.net domain, there is no need to place a policy there. Creating a single group policy in the mcsejobs.net domain would not configure any users with the security settings because no users exist in that domain. The No Override option would not have an effect in the mcsejobs.net domain because no users exist there.


67. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are also responsible for establishing a group policy whose settings restrict the

Europe domain's sales group from having the Run command on the Start menu. How

would you accomplish this?

A. Create a group policy at the Europe domain level and configure the settings to restrict

the Run command from appearing on the Start menu. Change the permissions of the

group policy by adding the Sales group and granting them the Read and Apply group

policy permission. Remove the Authenticated Users group from the permission list.

B. Create a group policy at the Europe domain controllers OU level and configure the

settings to restrict the Run command from appearing on the Start menu. Change the

permissions of the group policy by adding the Sales group and granting them the

Read and Apply group policy permission. Remove the Authenticated Users group

from the permission list.

C. Create a group policy at the Europe domain level and configure the settings to restrict

the Run command from appearing on the Start menu. Change the permissions of the

group policy by adding the Sales group and granting them the Read and Apply group

policy permission. Change the permissions on the Authenticated Users group to

Deny Read permission.

D. Create a group policy at the Europe domain controllers OU level and configure the

settings to restrict the Run command from appearing on the Start menu. Change the

permissions of the group policy by adding the Sales group and granting them the

Read and Apply group policy permission. Change the permissions on the

Authenticated Users group to Deny Read permission.


67. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are also responsible for establishing a group policy whose settings restrict the

Europe domain's sales group from having the Run command on the Start menu. How

would you accomplish this?

*A. Create a group policy at the Europe domain level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Remove the Authenticated Users group from the permission list.

B. Create a group policy at the Europe domain controllers OU level and configure the settings to restrict the Run command from appearing on the Start menu. Change the permissions of the group policy by adding the Sales group and granting them the Read and Apply group policy permission. Remove the Authenticated Users group from the permission list.

C. Create a group policy at the Europe domain level and configure the settings to

restrict the Run command from appearing on the Start menu. Change the

permissions of the group policy by adding the Sales group and granting them the

Read and Apply group policy permission. Change the permissions on the

Authenticated Users group to Deny Read permission.

D. Create a group policy at the Europe domain controllers OU level and configure

the settings to restrict the Run command from appearing on the Start menu.

Change the permissions of the group policy by adding the Sales group and

granting them the Read and Apply group policy permission. Change the

permissions on the Authenticated Users group to Deny Read permission.

Explanation: For the group policy settings to only restrict the European sales group, the

group policy must be set at the European domain as that is the domain the Sales

users log on to. The policy must then be filtered so that it applies only to the Sales

group and not all authenticated users. To accomplish this you should add the Sales

group to the permission list and grant them both Read and Apply group policy

permission and remove the authenticated users group from the permission list.

Denying the authenticated users group read permission would result in the Sales

group not having read permission either, because Sales users are also members of

Authenticated Users and a deny overrides an allow, so they would not receive the group

policy settings. Applying the group policy at the domain controllers OU level would not

result in the Sales group receiving the group policy unless the Sales group was

located in the domain controllers OU and that was not stated.
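
The filtering logic in this explanation can be checked with a small model. The Python below is an added example, not part of the book: it assumes the simplified rule the book states (any matching Deny entry overrides Allow), and the users anna and boris and the Marketing membership are constructed for illustration.

```python
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"
AUTH_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the entry is written for
    permission: str   # READ or APPLY
    allow: bool       # True = Allow entry, False = Deny entry


def allow(trustee, *permissions):
    """Build Allow entries for one trustee."""
    return [Ace(trustee, p, True) for p in permissions]


def deny(trustee, *permissions):
    """Build Deny entries for one trustee."""
    return [Ace(trustee, p, False) for p in permissions]


def effective_trustees(user, memberships):
    """Every logged-on user is implicitly a member of Authenticated Users."""
    return {user, AUTH_USERS} | set(memberships.get(user, ()))


def is_granted(acl, trustees, permission):
    """Simplified evaluation: one matching Deny wins over any Allow."""
    matching = [a for a in acl
                if a.permission == permission and a.trustee in trustees]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def gpo_applies(acl, user, memberships):
    """A GPO is processed for a user only with Read AND Apply Group Policy."""
    trustees = effective_trustees(user, memberships)
    return all(is_granted(acl, trustees, p) for p in (READ, APPLY))


def recipients(acl, memberships):
    """Users (from the constructed sample) who would receive the GPO."""
    return sorted(u for u in memberships if gpo_applies(acl, u, memberships))


# Constructed sample data: one Sales user, one non-Sales user.
MEMBERSHIPS = {"anna": ["Sales"], "boris": ["Marketing"]}

# Unfiltered GPO: Authenticated Users hold Read and Apply Group Policy.
DEFAULT_ACL = allow(AUTH_USERS, READ, APPLY)
# Answer A: add Sales, remove Authenticated Users from the list.
OPTION_A_ACL = allow("Sales", READ, APPLY)
# Answer C: add Sales, set Authenticated Users to Deny Read.
OPTION_C_ACL = allow("Sales", READ, APPLY) + deny(AUTH_USERS, READ)

if __name__ == "__main__":
    for label, acl in [("default", DEFAULT_ACL),
                       ("option A", OPTION_A_ACL),
                       ("option C", OPTION_C_ACL)]:
        print(label, "->", recipients(acl, MEMBERSHIPS))
```

Removing the Authenticated Users entry narrows the policy to Sales, while the Deny Read entry locks out Sales as well, which is why the Deny variant is the wrong answer.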


68. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are an administrator responsible for creating one group policy for all the computers

and another group policy for all the users in the America domain. You are concerned

about inheritance and want to ensure that all users receive the settings in the group

policy, and that they are not overridden by the settings of another group policy. How

can you ensure that the policies are effective?

A. Create one group policy for all the computers at the Computers container and create

another group policy for all the users at the Users container. Enable the no override

setting on both group policies.

B. Create one group policy for all computers at the America domain level and create

another group policy for all the users at the America domain level. Enable no

override on both group policies.

C. Create one group policy for all the computers at the Computers container and create

another group policy for all the users at the Users container. Enable the block

inheritance setting on both group policies.

D. Create one group policy for all computers at the America domain level and create

another group policy for all the users at the America domain level. Enable the block

inheritance setting on both group policies.


68. Role:

You are the administrator of the mcsejobs.net Windows 2000 network.

Company:

Mcsejobs.net has been growing at an annual rate of 45% and anticipates sustained growth

for the next five years. The company's original focus was as a web portal that

provided links to jobs for MCSEs on the Internet. It quickly grew into much more,

offering job seekers valuable information about the Windows 2000 operating system.

Network:

The network consists of one domain tree called mcsejobs.net and two child domains

named America and Europe. Administration of the domains is centralized and

located in the company's head office in Toronto, Canada. The company has offices in

New York City, San Francisco, London, and Vienna. The mcsejobs.net domain is an

empty root domain with only the default users and groups including the Enterprise

and Schema Admins.

The America domain contains all the company's North American users and groups and

the Europe domain contains all the European users and groups. Each office has a

RAS server named after the city it is located in. The servers' names are NYRAS,

SFRAS, LNRAS, VARAS, and TORAS. The mcsejobs.net domain has three domain

controllers, one located in Toronto, one located in San Francisco, and one in New

York City. The America domain has two domain controllers, one located in New

York and the other in San Francisco. The Europe domain has two domain controllers

as well, with one located in London and the other in Vienna. Both the American and

the European offices contain the following departments: Sales, Product Support,

Marketing, Human Resources, and Accounting.

Connectivity:

Each office has a 128Kbps connection to the Internet and a connection to the head office

via a VPN. Each office is located in its own site.


You are an administrator responsible for creating one group policy for all the computers

and another group policy for all the users in the America domain. You are concerned

about inheritance and want to ensure that all users receive the settings in the group

policy, and that they are not overridden by the settings of another group policy. How

can you ensure that the policies are effective?

A. Create one group policy for all the computers at the Computers container and

create another group policy for all the users at the Users container. Enable the no

override setting on both group policies.

*B. Create one group policy for all computers at the America domain level and

create another group policy for all the users at the America domain level.

Enable no override on both group policies.

C. Create one group policy for all the computers at the Computers container and

create another group policy for all the users at the Users container. Enable the

block inheritance setting on both group policies.

D. Create one group policy for all computers at the America domain level and create

another group policy for all the users at the America domain level. Enable the

block inheritance setting on both group policies.

Explanation: Creating two group policies, one for users and the other for computers, at

the domain level and setting the no override option would ensure that all users and

computers receive the settings of the group policy. Group policies cannot be set on

containers, meaning that the computers container and the users container will not

support the creation of group policies. Group policies can only be configured at the

Site, domain, or organizational unit level.


Introduction

Certainly no one would argue with the statement that Active Directory is the centerpiece

of Windows 2000 networking. This distributed, replicated database provides a central

point from which all network management can be coordinated. Maintenance of Active

Directory, the optimization of Active Directory and disaster recovery for Active

Directory becomes essential in the on-going administration of a Windows 2000 network.

In this section we will look at how to create objects in Active Directory, either manually

or through the use of scripting, how to move objects, how to locate objects in Active

Directory, as well as how to provide access to objects and how to delegate administration

in Active Directory. We will then look at how to monitor, optimize and troubleshoot

domain controllers and AD. This is a major undertaking, given the fact that Active

Directory has been designed with no limitations on size, and has been designed to

encompass multiple locations. Lastly we will cover disaster recovery options including

recovering Active Directory from a failed domain controller.


Chapter 4: Components of Active Directory

The objective of this chapter is to provide the reader with an understanding of

the following:

1. Manage Active Directory objects.

2. Move Active Directory objects.

3. Publish resources in Active Directory.

4. Locate objects in Active Directory.

5. Create and manage objects manually or by using scripting.

6. Control access to Active Directory objects.

7. Delegate administrative control of objects in Active Directory.

8. Monitor, optimize, and troubleshoot Active Directory performance and

replication.

9. Back up and restore Active Directory.

10. Perform an authoritative and a nonauthoritative restore of Active Directory.

11. Recover from a system failure.

12. Seize operations master roles.

1. When creating user accounts in Active Directory, there are four names that are given.

What name provides for backwards compatibility to users logging on from Windows

NT 3.51 or 4.0 computers?

A. First and Last Name

B. Name

C. User Logon Name

D. Downlevel Logon Name


1. When creating user accounts in Active Directory, there are four names that are given.

What name provides for backwards compatibility to users logging on from Windows

NT 3.51 or 4.0 computers?

A. First and Last Name

B. Name

C. User Logon Name

*D. Downlevel Logon Name

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. To create an

Organizational Unit object below another OU, the user must have the Read, List

Contents and Create Organizational Unit Objects permissions. Certainly, members of

the Administrators group can create OUs anywhere in the forest by default. To create

an OU, open Active Directory Users and Computers, then right-click the container in

which you wish to create an OU, select New, and name the new OU. The most

fundamental account in Active Directory is the user account, since all access to

resources in the network eventually originates from this object. New user accounts

are created in Active Directory Users and Computers. In creating users, there are five

name properties to configure: first name and last name, generally used for searching

for users, name, which AD displays as the account name and must be unique in the

OU, User logon name (or user principal name UPN), which is the logon name for the

user, and downlevel logon name, which is used to log on to computers running

previous versions of Windows.


2. What name given to a User account must be unique within the container?

A. Last Name

B. User Logon Name

C. First Name

D. Downlevel Logon Name


2. What name given to a User account must be unique within the container?

A. Last Name

*B. User Logon Name

C. First Name

D. Downlevel Logon Name

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. To create an

Organizational Unit object below another OU, the user must have the Read, List

Contents and Create Organizational Unit Objects permissions. Certainly, members of

the Administrators group can create OUs anywhere in the forest by default. To create

an OU, open Active Directory Users and Computers, then right-click the container in

which you wish to create an OU, select New, and name the new OU. The most

fundamental account in Active Directory is the user account, since all access to

resources in the network eventually originates from this object. New user accounts

are created in Active Directory Users and Computers. In creating users, there are five

name properties to configure: first name and last name, generally used for searching

for users, name, which AD displays as the account name and must be unique in the

OU, User logon name (or user principal name UPN), which is the logon name for the

user, and downlevel logon name, which is used to log on to computers running

previous versions of Windows. The downlevel logon name must be unique within a

given domain.


3. What happens to permissions when you move objects in Active Directory? (Choose 2)

A. Permissions granted directly to the object are lost and must be restored.

B. Permissions inherited from the former OU are retained.

C. Permissions from the new OU are inherited.

D. Permissions granted directly to the object are retained.

4. How can objects be located in Active Directory? (Choose 2)

A. Users can use Start-Find.

B. Administrators can use Active Directory Users and Computers - Find.

C. Users can search in Explorer/Tools/Find.

D. Administrators and Users can use the Find option in Active Directory Users and

Computers.


3. What happens to permissions when you move objects in Active Directory? (Choose 2)

A. Permissions granted directly to the object are lost and must be restored.

B. Permissions inherited from the former OU are retained.

*C. Permissions from the new OU are inherited.

*D. Permissions granted directly to the object are retained.

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. To create an

Organizational Unit object below another OU, the user must have the Read, List

Contents and Create Organizational Unit Objects permissions. Certainly, members of

the Administrators group can create OUs anywhere in the forest by default. Objects

can be moved within Active Directory Users and Computers by simply right-clicking

the object and choosing Move. You then expand the domain tree, click the

destination container and choose OK. Permissions that were granted directly to the

moved object remain the same and the object will inherit the permissions in effect in

the new parent OU.

4. How can objects be located in Active Directory? (Choose 2)

A. Users can use Start-Find.

*B. Administrators can use Active Directory Users and Computers - Find.

C. Users can search in Explorer/Tools/Find.

D. Administrators and Users can use the Find option in Active Directory Users and

Computers.

Explanation: Certainly, members of the Administrators group can create OUs anywhere

in the forest by default. Objects can be moved within Active Directory Users and

Computers by simply right-clicking the object and choosing Move. You then expand

the domain tree, click the destination container and choose OK. Permissions that

were granted directly to the moved object remain the same, and the object will

inherit the permissions in effect in the new parent OU. Active Directory Users and

Computers also provides a Find function on the Action menu in the main console.


5. What are the two basic group types that are now supported in Active Directory?

(Choose 2)

A. Domain Local groups

B. Global groups

C. Universal groups

D. Security groups

E. Distribution groups

6. What type of group should you create in Active Directory if you want the access token

used during logon to be reduced in size?

A. Local groups

B. Global groups

C. Security groups

D. Distribution groups

E. Universal groups


5. What are the two basic group types that are now supported in Active Directory?

(Choose 2)

A. Domain Local groups

B. Global groups

C. Universal groups

*D. Security groups

*E. Distribution groups

Explanation: Organizational Unit objects are container objects in Active Directory, and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two basic group types: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions while Distribution

groups are used for sending e-mails with e-mail applications.

6. What type of group should you create in Active Directory if you want the access token

used during logon to be reduced in size?

A. Local groups

B. Global groups

C. Security groups

*D. Distribution groups

E. Universal groups

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two basic group types: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions while Distribution

groups are used for sending e-mails with e-mail applications. Because Windows

2000 creates an access token (containing the SIDs of all of the Security groups to

which the user belongs) and forwards that to the user in the logon process, creating

fewer Security groups and more Distribution groups can reduce the size of the token

and improve the logon process.


7. What accounts can be added as members of a Domain Local group?

A. Accounts from the local domain only

B. Accounts from any domain in the forest

C. Accounts from the same OU as the group object is in

D. Accounts cannot exist in Domain Local groups.


7. What accounts can be added as members of a Domain Local group?

A. Accounts from the local domain only

*B. Accounts from any domain in the forest

C. Accounts from the same OU as the group object is in

D. Accounts cannot exist in Domain Local groups.

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two types of Groups: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions, while Distribution

groups are used for sending e-mails with e-mail applications. Both types of groups

have an attribute called scope, which determines who can be a member and where

the group can be used. The three scopes are domain local, global and universal.

Domain Local groups (in a native mode domain) can contain user accounts, Global

groups and Universal groups from any domain in the forest, and other domain Local

groups from the same domain. In a mixed mode domain, domain Local groups can

contain user accounts and Global groups from any domain. Global groups, in a

native domain, can contain user accounts and Global groups from the domain in

which the Global group exists. In mixed mode the Global group can contain only

user accounts from the domain in which it exists. Universal groups can only be

created in domains operating in native mode. They can contain user accounts, Global

groups and other Universal groups from any domain in the forest.


8. What accounts can a Universal group contain when in mixed mode?

A. Only accounts from the local domain

B. Accounts from any domain in the forest

C. You cannot create a Universal group in a domain operating in mixed mode.

D. Only user accounts from the local domain and any Global groups in the forest.


8. What accounts can a Universal group contain when in mixed mode?

A. Only accounts from the local domain

B. Accounts from any domain in the forest

*C. You cannot create a Universal group in a domain operating in mixed mode.

D. Only user accounts from the local domain and any Global groups in the forest.

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two types of Groups: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions, while Distribution

groups are used for sending e-mails with e-mail applications. Both types of groups

have an attribute called scope, which determines who can be a member and where

the group can be used. The three scopes are domain local, global and universal.

Domain Local groups (in a native mode domain) can contain user accounts, Global

groups and Universal groups from any domain in the forest, and other domain Local

groups from the same domain. In a mixed mode domain, domain Local groups can

contain user accounts and Global groups from any domain. Global groups, in a

native domain, can contain user accounts and Global groups from the domain in

which the Global group exists. In mixed mode the Global group can contain only

user accounts from the domain in which it exists. Universal groups can only be

created in domains operating in native mode. They can contain user accounts, Global

groups and other Universal groups from any domain in the forest.


9. What is the recommended strategy for using groups to grant permissions to access

resources?

A. Place accounts into Domain Local groups, then Domain local into global and then

grant permissions to the Global groups.

B. Place accounts into Domain Local groups, Domain local into global, global into

Universal and then grant permissions to the Universal groups.

C. Place accounts into Global groups, then global into Domain local and then grant

permissions to the Local groups.

10. What are three properties of groups that must be specified to create the group in

Active Directory? (Choose 3)

A. Group Name

B. Group Members

C. Group Type

D. Group Location

E. Group Scope


9. What is the recommended strategy for using groups to grant permissions to access

resources?

A. Place accounts into Domain Local groups, then Domain local into global and

then grant permissions to the Global groups.

B. Place accounts into Domain Local groups, Domain local into global, global into

Universal and then grant permissions to the Universal groups.

*C. Place accounts into Global groups, then global into Domain local and then grant

permissions to the Local groups.

Explanation: Organizational Unit objects are container objects in Active Directory and

can contain other AD objects such as user, computer, and group objects. In Active

Directory there are two types of Groups: Security groups and Distribution groups.

Security groups are used to grant or deny rights or permissions, while Distribution

groups are used for sending e-mails with e-mail applications. Both types of groups

have an attribute called scope, which determines who can be a member and where

the group can be used. The three scopes are domain local, global and universal. The

recommended strategy for using groups is to put user accounts into Global groups

and Global groups into domain Local groups and then grant permissions to the

domain Local groups.

10. What are three properties of groups that must be specified to create the group in

Active Directory? (Choose 3)

*A. Group Name

B. Group Members

*C. Group Type

D. Group Location

*E. Group Scope

Explanation: In Active Directory there are two types of Groups: Security groups and

Distribution groups. Security groups are used to grant or deny rights or permissions,

while Distribution groups are used for sending e-mails with e-mail applications. Both

types of groups have an attribute called scope, which determines who can be a

member and where the group can be used. The three scopes are domain local, global

and universal. To create a group in Active Directory Users and Computers, right-

click the appropriate OU, select New and click Group. Then provide the group name,

downlevel name, type and scope.


11. After you create a group, what are three types of objects that can be added as

members? (Choose 3)

A. User accounts

B. Group objects

C. Container objects

D. Computer objects

12. What are two situations in which you cannot change the scope of a group in Active

Directory? (Choose 2)

A. When the group is in a different tree in the forest.

B. When the domain is in mixed mode.

C. When the group scope is universal.

D. When the group is in a "Locked" state.


11. After you create a group, what are three types of objects that can be added as

members? (Choose 3)

*A. User accounts

*B. Group objects

C. Container objects

*D. Computer objects

Explanation: In Active Directory there are two types of Groups: Security groups and

Distribution groups. Security groups are used to grant or deny rights or permissions,

while Distribution groups are used for sending e-mails with e-mail applications. Both

types of groups have an attribute called scope, which determines who can be a

member and where the group can be used. The three scopes are domain local, global

and universal. To create a group in Active Directory Users and Computers, right-

click the appropriate OU, select New and click Group. Then provide the group name,

downlevel name, type and scope. After the group is created, you can add users, other

groups and computers as members.

12. What are two situations in which you cannot change the scope of a group in Active

Directory? (Choose 2)

A. When the group is in a different tree in the forest.

*B. When the domain is in mixed mode.

*C. When the group scope is universal.

D. When the group is in a "Locked" state.

Explanation: In Active Directory there are two types of Groups: Security groups and

Distribution groups. Security groups are used to grant or deny rights or permissions,

while Distribution groups are used for sending e-mails with e-mail applications. Both

types of groups have an attribute called scope, which determines who can be a

member and where the group can be used. The three scopes are domain local, global

and universal. To create a group in Active Directory Users and Computers, right-

click the appropriate OU, select New and click Group. Then provide the group name,

downlevel name, type and scope. Once a group has been created, you may wish to

change either the type or scope of the group. You can change the type between

security and distribution on the General tab of the Properties box for the group.

Scope would be changed in the same dialog box. These two changes are only

possible if the domain is operating in native mode. Lastly, you cannot change the

scope of a universal group, since the other scopes have more restrictive membership

properties.


13. What are three of the standard permissions in Active Directory security? (Choose 3)

A. Full Control

B. Write All Properties

C. Read

D. Write

E. Administer

14. When allowing and denying permissions conflict, which takes precedence?

A. The permissions allowed for a group always take precedence over user denied

permissions.

B. The user allowed permissions always take precedence over the group denied

permissions.

C. Denied permissions always take precedence.

D. Allowed permissions always take precedence.


13. What are three of the standard permissions in Active Directory security? (Choose 3)

*A. Full Control

B. Write All Properties

*C. Read

*D. Write

E. Administer

Explanation: Every object in Active Directory has an attribute called the Discretionary

Access Control List (DACL). Objects on this list have access either granted or

denied to the object. Permissions can be set using standard permissions, which

include Full Control, Read, Write, Create All Child Objects, and Delete All Child

Objects. Permissions can be granted or denied, and deny takes precedence over the

granting of a permission. When permissions are set in Active Directory, the

administrator can decide how the permission should inherit down the AD structure.

This can allow the administrator to set fewer permissions and let the inheritance

process continue to grant access.

14. When allowing and denying permissions conflict, which takes precedence?

A. The permissions allowed for a group always take precedence over user denied

permissions.

B. The user allowed permissions always take precedence over the group denied

permissions.

*C. Denied permissions always take precedence.

D. Allowed permissions always take precedence.

Explanation: Every object in Active Directory has an attribute called the Discretionary

Access Control List (DACL). Objects on this list have access either granted or

denied to the object. Permissions can be set using standard permissions, which

include Full Control, Read, Write, Create All Child Objects, and Delete All Child

Objects. Permissions can be granted or denied, and deny takes precedence over the

granting of a permission. When permissions are set in Active Directory, the

administrator can decide how the permission should inherit down the AD structure.

This can allow the administrator to set fewer permissions and let the inheritance

process continue to grant access.


15. What is the process through which permissions are passed on to child objects from

their parent in Active Directory?

A. Transitive permissions

B. Inheritance

C. There is no such process. Permissions must be applied at each level in the tree.

D. Universal permissions

16. Where are permissions for Active Directory objects applied?

A. In Active Directory Users and Computers -<object>- View - Advanced Features -

Properties - Security

B. In Active Directory Users and Computers -<object>- Properties - Security

C. In Active Directory Users and Computers -<object>- View - Security

D. In Active Directory Users and Computers -<object>- Security


15. What is the process through which permissions are passed on to child objects from

their parent in Active Directory?

A. Transitive permissions

*B. Inheritance

C. There is no such process. Permissions must be applied at each level in the tree.

D. Universal permissions

Explanation: Every object in Active Directory has an attribute called the Discretionary

Access Control List (DACL). Objects on this list have access either granted or

denied to the object. Permissions can be set using standard permissions, which

include Full Control, Read, Write, Create All Child Objects, and Delete All Child

Objects. Permissions can be granted or denied, and deny takes precedence over the

granting of a permission. When permissions are set in Active Directory, the

administrator can decide how the permission should inherit down the AD structure.

This can allow the administrator to set fewer permissions and let the inheritance

process continue to grant access.

16. Where are permissions for Active Directory objects applied?

*A. In Active Directory Users and Computers -<object>- View - Advanced Features - Properties - Security

B. In Active Directory Users and Computers -<object>- Properties - Security

C. In Active Directory Users and Computers -<object>- View - Security

D. In Active Directory Users and Computers -<object>- Security

Explanation: Permissions in Active Directory are applied in Active Directory Users and

Computers - View - Advanced Features - Properties - Security. Permissions can be

set using standard permissions, which include Full Control, Read, Write, Create All

Child Objects, and Delete All Child Objects. Permissions can be granted or denied,

and deny takes precedence over the granting of a permission. When permissions are

set in Active Directory, the administrator can decide how the permission should

inherit down the AD structure. This can allow the administrator to set fewer

permissions and let the inheritance process continue to grant access.


17. Who is the default owner of an object in Active Directory?

A. The Administrator account

B. The container administrator

C. The user who created the object

D. The Administrators group

18. What application helps simplify the process of delegating administrative permissions

in Active Directory?

A. Active Directory Users and Computers

B. Active Directory Domains and Services

C. Delegation of Control Wizard

D. Active Directory Administrative Control MMC


17. Who is the default owner of an object in Active Directory?

A. The Administrator account

B. The container administrator

*C. The user who created the object

D. The Administrators group

Explanation: Permissions in Active Directory are applied in Active Directory Users and

Computers - View - Advanced Features - Properties - Security. Permissions can be

set using standard permissions, which include Full Control, Read, Write, Create All

Child Objects, and Delete All Child Objects. Permissions can be granted or denied,

and deny takes precedence over the granting of a permission. When permissions are

set in Active Directory, the administrator can decide how the permission should

inherit down the AD structure. This can allow the administrator to set fewer

permissions and let the inheritance process continue to grant access. By default, the

creator of an object becomes the owner and controls the DACL.

18. What application helps simplify the process of delegating administrative permissions

in Active Directory?

A. Active Directory Users and Computers

B. Active Directory Domains and Services

*C. Delegation of Control Wizard

D. Active Directory Administrative Control MMC

Explanation: Permissions in Active Directory are applied in Active Directory Users and

Computers - View - Advanced Features - Properties - Security. Permissions can be

set using standard permissions, which include Full Control, Read, Write, Create All

Child Objects, and Delete All Child Objects. Permissions can be granted or denied,

and deny takes precedence over the granting of a permission. When permissions are

set in Active Directory, the administrator can decide how the permission should

inherit down the AD structure. This can allow the administrator to set fewer

permissions and let the inheritance process continue to grant access. By default, the

creator of an object becomes the owner and controls the DACL. Administrators can

take ownership of an object and thus grant permissions. Further administration in

Active Directory can be established using the Delegation of Control Wizard,

accessed from within Active Directory Users and Computers by right-clicking on the

appropriate OU and choosing Delegate Control. This will allow permissions to be

granted at the OU level and then inherited into the subordinate objects below.


19. What are two ways in which administrative control can be delegated in Active

Directory? (Choose 2)

A. Permissions can be granted to create or modify objects in a domain

B. Permissions can be granted to create or modify objects in a specific OU

C. Permission can be granted to modify the permissions to an object

D. Permission can be granted to modify password restrictions at the OU level

20. What is the file extension for saved customized MMC consoles?

A. .MMC

B. .MSC

C. .EXE

D. .CUS


19. What are two ways in which administrative control can be delegated in Active

Directory? (Choose 2)

A. Permissions can be granted to create or modify objects in a domain

*B. Permissions can be granted to create or modify objects in a specific OU

*C. Permission can be granted to modify the permissions to an object

D. Permission can be granted to modify password restrictions at the OU level

Explanation: Permissions in Active Directory are applied in Active Directory Users and

Computers - View - Advanced Features - Properties - Security. By default, the

creator of an object becomes the owner and controls the DACL. Administrators can

take ownership of an object and thus grant permissions. Further administration in

Active Directory can be established using the Delegation of Control Wizard,

accessed from within Active Directory Users and Computers by right-clicking on the

appropriate OU and choosing Delegate Control. This will allow permissions to be

granted at the OU level and then inherited into the subordinate objects below. There

are essentially two levels of control that can be delegated: to allow the permission to

create objects in an OU and to grant the permissions to grant permissions to objects.

20. What is the file extension for saved customized MMC consoles?

A. .MMC

*B. .MSC

C. .EXE

D. .CUS

Explanation: Introduced originally in IIS, the Microsoft Management Console (MMC)

has become the tool of preference in managing and maintaining Windows networks.

With the release of Windows 2000, administrators have the ability to create

customized MMC consoles. To open an empty MMC console click Start-Run and

type mmc and click OK. Adding the necessary snap-ins and further selecting the

console mode allows for customization. The MMC console is then saved in My

Documents as an .MSC file. This file can be e-mailed to other administrators to

provide them with the same MMC console that was originally created and

configured.


21. Which of the following statements best describes the concept of a domain in the

Windows 2000 Active Directory structure?

A. A domain is a physical boundary.

B. A domain is a geographical boundary.

C. A domain is an administrative boundary.

D. A domain is a container within a specific site.

22. In Windows 2000, what is the correct term used for a collection of domains into one

larger, contiguous namespace?

A. A tree

B. A forest

C. A site

D. A zone


21. Which of the following statements best describes the concept of a domain in the

Windows 2000 Active Directory structure?

A. A domain is a physical boundary.

B. A domain is a geographical boundary.

*C. A domain is an administrative boundary.

D. A domain is a container within a specific site.

Explanation: A domain is an administrative boundary in Windows 2000 and represents a

namespace that corresponds to a DNS domain. A site is a physical boundary in

Active Directory that is used to control replication and authentication traffic across

your WAN.

22. In Windows 2000, what is the correct term used for a collection of domains into one

larger, contiguous namespace?

*A. A tree

B. A forest

C. A site

D. A zone

Explanation: A tree is a collection of domains with a contiguous namespace. A forest is

a collection of trees with non-contiguous namespaces. A site is a collection of one or

more IP subnets connected by a high-speed link. A zone is a portion of the DNS

namespace that contains the resource records. The resource records that belong to the

contiguous portion of the DNS namespace are owned and the owner's name is listed

in the records.


23. As a project manager it is your responsibility to sell the benefits of Active Directory

to management. What are the three core pieces of functionality that the Active

Directory directory service offers that you could tell management?

A. Organization of resources

B. Management of resources

C. Control of resources

D. Creation of resources

E. Evaluating of resources

24. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and a second in the east.planet.com

domain. What information is contained on the east.planet.com global catalog server?

A. All objects from all three domains, and all attributes of the objects from the

east.planet.com domain, but only selected attributes of the objects from the

west.planet.com and planet.com domains.

B. All objects from the planet.com domain, and all attributes of the objects from the

east.planet.com domain, but only selected attributes of the objects from the

west.planet.com and planet.com domains.

C. All objects from all three domains, and all attributes of the objects from the

east.planet.com domain, but only selected attributes of the objects from the

planet.com domain.

D. All objects from the east.planet.com domain and all attributes of the objects from the

east.planet.com domain.


23. As a project manager it is your responsibility to sell the benefits of Active Directory

to management. What are the three core pieces of functionality that the Active

Directory directory service offers that you could tell management?

*A. Organization of resources

*B. Management of resources

*C. Control of resources

D. Creation of resources

E. Evaluating of resources

Explanation: The Active Directory directory service offers the ability to organize, manage, and control resources. The creation and evaluation of resources is up to the administrator and not a core piece of the directory service functionality.

24. Your organization's Windows 2000 network consists of one root domain named

planet.com and two child domains named east and west. You currently have one

global catalog server in the planet.com domain and a second in the east.planet.com

domain. What information is contained on the east.planet.com global catalog server?

*A. All objects from all three domains, and all attributes of the objects from the east.planet.com domain, but only selected attributes of the objects from the west.planet.com and planet.com domains.

B. All objects from the planet.com domain, and all attributes of the objects from the east.planet.com domain, but only selected attributes of the objects from the west.planet.com and planet.com domains.

C. All objects from all three domains, and all attributes of the objects from the

east.planet.com domain, but only selected attributes of the objects from the

planet.com domain.

D. All objects from the east.planet.com domain and all attributes of the objects from

the east.planet.com domain.

Explanation: A global catalog server contains naming contexts for all the domains in a

forest. All objects of a domain are contained and replicated within a domain naming

context for each domain. A global catalog server contains all the objects from its

own domain and all of the attributes of the objects from its own domain. It also

contains all the objects from all other domains but only selected properties of other

domain objects.


25. As the domain administrator, you are planning the creation of your user accounts

within your Active Directory domain. You want to ensure that you follow the

recommended guidelines established by Microsoft for the creation and

administration of users and groups. Which of the following guidelines should you

follow?

A. A distinguished name must be unique in the forest.

B. A distinguished name must be unique in the site.

C. A relative distinguished name must be unique in its parent container.

D. A relative distinguished name must be unique in the forest.

E. Always use the guest account for temporary access.

26. When configuring applications for terminal services, when do you use the "change

user" command?

A. When installing the application uses another method than a setup program.

B. When a single-user application is going to be used in conjunction with terminal

services.

C. When a single-user application has to be used in a multi-user environment.

D. When the user-specific registry settings are not being propagated as needed.


25. As the domain administrator, you are planning the creation of your user accounts

within your Active Directory domain. You want to ensure that you follow the

recommended guidelines established by Microsoft for the creation and

administration of users and groups. Which of the following guidelines should you

follow?

*A. A distinguished name must be unique in the forest.

B. A distinguished name must be unique in the site.

*C. A relative distinguished name must be unique in its parent container.

D. A relative distinguished name must be unique in the forest.

E. Always use the guest account for temporary access.

Explanation: A distinguished name must be unique in the forest and a relative

distinguished name must be unique in its parent container. The guest account should

never be used, even for temporary access. A temporary account should be created

and used for individual temporary access so that there is an audit trail.

26. When configuring applications for terminal services, when do you use the "change

user" command?

*A. When installing the application uses another method than a setup program.

B. When a single-user application is going to be used in conjunction with terminal services.

C. When a single-user application has to be used in a multi-user environment.

D. When the user-specific registry settings are not being propagated as needed.

Explanation: The "change user" command is used only when an application is being

installed using a method other than running a setup program. An example of this is

when Internet Explorer prompts installation of an add-on application.


27. Which of the following statements are true regarding applications in a Terminal

Services environment?

A. Windows-based 32-bit applications run more efficiently than 16-bit applications.

B. Applications that do not run on Windows 2000 will not run in a multi-user

environment on Terminal server.

C. 16-bit applications can reduce the number of users supported by as much as 40%.

D. Applications that normally would not run on Windows 2000 may be configured to run

on Terminal server.

28. What are two protocols necessary to support Windows 2000 terminal services on a

Windows 2000 client?

(Choose 2)

A. NetMeeting

B. IPX/SPX Compatible Protocol

C. RDP

D. TCP/IP


27. Which of the following statements are true regarding applications in a Terminal

Services environment?

*A. Windows-based 32-bit applications run more efficiently than 16-bit

applications.

*B. Applications that do not run on Windows 2000 will not run in a multi-user

environment on Terminal server.

*C. 16-bit applications can reduce the number of users supported by as much as 40%.

D. Applications that normally would not run on Windows 2000 may be configured to run on Terminal server.

Explanation: Applications that will not run on Windows 2000 will not run on Terminal

Services either. 32-bit applications will run more efficiently than 16-bit applications

because they will take advantage of 32-bit hardware and operating systems. 16-bit

applications can impact the performance of the terminal server by reducing the

number of users that the processor can support by as much as 40%, and increasing memory usage per user by as much as 50%.

28. What are two protocols necessary to support Windows 2000 terminal services on a

Windows 2000 client?

(Choose 2)

A. NetMeeting

B. IPX/SPX Compatible Protocol

*C. RDP

*D. TCP/IP

Explanation: Windows 2000 Terminal Services allows a Windows 2000 computer to

host applications, and run the applications for remote users, transferring only mouse

movement, keystrokes and graphical screens between the client and server. The

client can be running Windows 2000 Professional, Windows NT, Windows 95/98,

Windows for Workgroups or even Windows CE. Clients must be running both

TCP/IP and the Remote Desktop Protocol (RDP).


29. What are four operating systems that can support the terminal services client?

(Choose 4)

A. Windows 2000 Professional

B. UNIX

C. Windows 95

D. Windows NT 4.0

E. Windows CE

30. You have been asked to deploy Terminal Services in your company's network with as

little additional cost as possible. You have 4 Windows 2000 servers, 235 Windows

2000 Professional workstations, 3 UNIX servers and 175 Pentium 120 MHz PCs

running UNIX. Since Terminal Services does not support non-Windows clients,

what solution would you propose for this implementation to minimize costs?

A. You will need to purchase 175 licenses for Windows 2000 Professional and using RIS,

deploy Professional across all of the UNIX PCs.

B. You will recommend installing Citrix MetaFrame on top of Terminal Services,

providing support for both the Windows 2000 Professional clients and the UNIX

clients.

C. Actually, Terminal Services does support UNIX, so you can simply proceed with the

implementation with no additional costs.

D. You simply need to contact the UNIX vendor and procure their Terminal Services

client for the 175 UNIX workstations.


29. What are four operating systems that can support the terminal services client?

(Choose 4)

*A. Windows 2000 Professional

B. UNIX

*C. Windows 95

*D. Windows NT 4.0

*E. Windows CE

Explanation: The client operating system can be running Windows 2000 Professional,

Windows NT, Windows 95/98, Windows for Workgroups or even Windows CE.

Clients must be running both TCP/IP and the Remote Desktop Protocol (RDP). The

PC itself requires very little in terms of hardware requirements, since the terminal

server will do all of the processing for the client. The server has extra hardware

requirements, with 4 to 10 Mb of RAM for each terminal session, and high

performance network cards as minimum needs.

30. You have been asked to deploy Terminal Services in your company's network with as

little additional cost as possible. You have 4 Windows 2000 servers, 235 Windows

2000 Professional workstations, 3 UNIX servers and 175 Pentium 120 MHz PCs

running UNIX. Since Terminal Services does not support non-Windows clients,

what solution would you propose for this implementation to minimize costs?

A. You will need to purchase 175 licenses for Windows 2000 Professional and using

RIS, deploy Professional across all of the UNIX PCs.

*B. You will recommend installing Citrix MetaFrame on top of Terminal Services, providing support for both the Windows 2000 Professional clients and the UNIX clients.

C. Actually, Terminal Services does support UNIX, so you can simply proceed with the implementation with no additional costs.

D. You simply need to contact the UNIX vendor and procure their Terminal

Services client for the 175 UNIX workstations.

Explanation: The client operating system can be running Windows 2000 Professional,

Windows NT, Windows 95/98, Windows for Workgroups or even Windows CE.

Clients must be running both TCP/IP and the Remote Desktop Protocol (RDP). The

PC itself requires very little in terms of hardware requirements, since the terminal

server will do all of the processing for the client. For non-Windows operating systems, Citrix MetaFrame extends Terminal Services, and then provides enterprise-level support for large multi-location network implementations.


31. What are three recommendations for servers that will run Windows 2000 Terminal

Services?

(Choose 3)

A. The server should be a domain controller in the Active Directory network.

B. The server should not be a domain controller, but rather a member server.

C. The server file system should be NTFS.

D. The server requires between 4 and 10 Mb of additional RAM for each client session

that it will host.

E. The server file system should be FAT32.

32. What type of license will a Windows 2000 Professional workstation use when

accessing Terminal Services?

A. Terminal Services Internet Connection Licenses

B. Terminal Services CALs

C. Temporary Licenses

D. Built-in Licenses


31. What are three recommendations for servers that will run Windows 2000 Terminal

Services?

(Choose 3)

A. The server should be a domain controller in the Active Directory network.

*B. The server should not be a domain controller, but rather a member server.

*C. The server file system should be NTFS.

*D. The server requires between 4 and 10 Mb of additional RAM for each client session that it will host.

E. The server file system should be FAT32.

Explanation: Windows 2000 Terminal Services allows a Windows 2000 computer to

host applications, and run the applications for remote users, transferring only mouse

movement, keystrokes and graphical screens between the client and server. The

server has extra hardware requirements, with Microsoft recommending 4 to 10 Mb of

RAM for each terminal session, high performance network cards, that Terminal

Services be installed on an NTFS partition and that the server not be a domain

controller, but a member server.

32. What type of license will a Windows 2000 Professional workstation use when

accessing Terminal Services?

A. Terminal Services Internet Connection Licenses

B. Terminal Services CALs

C. Temporary Licenses

*D. Built-in Licenses

Explanation: Every device that connects to Terminal Services must be licensed. For Windows 2000 Professional workstations, the CAL will suffice, and is referred to as a built-in license. For access across the Internet, a Terminal Services Internet Connector license is used. Non-Windows systems use a Terminal Services license

purchased separately. A license server maintains licensing for connections to

Terminal Services. In a Windows 2000 domain, the license server will be a domain

controller. If a Terminal Server needs a license, it sends the request to the license

server. If the license server has none, it can issue the last type of Terminal Services

license, the Temporary license.


33. What are two different means to install the Terminal Services client on your 275

Windows 95 workstations?

(Choose 2)

A. Insert disk 1 of the 4 disk installation set and choose setup.exe.

B. Insert disk 1 of the 2 disk installation set and choose setup.exe.

C. Share the systemroot\system32\clients\tsclient\win32 folder and then connect to the

share from the Windows 95 workstations and run setup.exe.

D. Share the systemroot\system32\clients\tsclient\win16 folder and then connect to the

share from the Windows 95 workstations and run setup.exe.


33. What are two different means to install the Terminal Services client on your 275

Windows 95 workstations?

(Choose 2)

*A. Insert disk 1 of the 4 disk installation set and choose setup.exe.

B. Insert disk 1 of the 2 disk installation set and choose setup.exe.

C. Share the systemroot\system32\clients\tsclient\win32 folder and then connect to

the share from the Windows 95 workstations and run setup.exe.

*D. Share the systemroot\system32\clients\tsclient\win16 folder and then connect to the share from the Windows 95 workstations and run setup.exe.

Explanation: Windows 2000 Terminal Services allows a Windows 2000 computer to

host applications, and run the applications for remote users, transferring only mouse

movement, keystrokes and graphical screens between the client and server. The

client can be running Windows 2000 Professional, Windows NT, Windows 95/98,

Windows for Workgroups or even Windows CE. Clients must be running both

TCP/IP and the Remote Desktop Protocol (RDP).

To install the Terminal Services client, either installation disks can be used or the client can connect to the installation files on a shared folder at the terminal server. For 16-bit Windows clients, the disk-based installation consists of 4 disks, while the network installation files can be found on the terminal server at systemroot\system32\clients\tsclient\win16. For 32-bit Windows clients, the disk-based installation consists of 2 disks, while the network installation files can be found at systemroot\system32\clients\tsclient\win32.


34. You are installing Terminal Services for a 300-user organization. The workstations

are all running Windows 2000 Professional. What are two different ways to install

the Terminal Services client for the organization?

(Choose 2)

A. Share the systemroot\system\clients\tsclient\win32 folder and then connect to the

share from the Windows 95 workstations and run setup.exe.

B. Share the systemroot\system32\clients\tsclient\win32 folder and then connect to the

share from the Windows 95 workstations and run setup.exe.

C. Insert disk 1 of the 4 disk installation set and choose setup.exe.

D. Insert disk 1 of the 2 disk installation set and choose setup.exe.


34. You are installing Terminal Services for a 300-user organization. The workstations

are all running Windows 2000 Professional. What are two different ways to install

the Terminal Services client for the organization?

(Choose 2)

A. Share the systemroot\system\clients\tsclient\win32 folder and then connect to the

share from the Windows 95 workstations and run setup.exe.

*B. Share the systemroot\system32\clients\tsclient\win32 folder and then connect to the share from the Windows 95 workstations and run setup.exe.

C. Insert disk 1 of the 4 disk installation set and choose setup.exe.

*D. Insert disk 1 of the 2 disk installation set and choose setup.exe.

Explanation: Windows 2000 Terminal Services allows a Windows 2000 computer to

host applications, and run the applications for remote users, transferring only mouse

movement, keystrokes and graphical screens between the client and server. The

client can be running Windows 2000 Professional, Windows NT, Windows 95/98,

Windows for Workgroups or even Windows CE. Clients must be running both

TCP/IP and the Remote Desktop Protocol (RDP).


Introduction

Windows 2000 makes a variety of Security Templates available to the administrator for

further securing the network. These templates are inactive until either applied to

individual computers using the Local Security Policy, or imported into a Group Policy.

The ability to organize computer objects in containers and then link those containers to

Group Policy objects with specific security configuration settings provides a tremendous

ability to implement and standardize security across the Windows 2000 network. In this

chapter we will see yet another example of the power of Active Directory in configuring

and managing networks. First we will briefly review security templates, and then

we will look at how to configure, apply and manage security configurations using Active

Directory.


Chapter 5: Security in a Directory Services Infrastructure


The objective of this chapter is to provide the reader with an understanding of

the following:

Apply security policies by using Group Policy.

Create, analyze, and modify security configurations by using the

Configuration and Analysis snap-in and the Security Templates snap-in.

Implement an audit policy.

Monitor and analyze security events.

1. At what level in the Active Directory forest can you set password settings, account

lockout settings and Kerberos v5 settings in a Group Policy?

A. Container

B. Site

C. OU

D. Domain

2. What security template in Windows 2000 "opens" up the default Users settings for

modification and therefore is not considered a secure environment?

A. Basic

B. Compatible

C. Secure

D. High Secure


1. At what level in the Active Directory forest can you set password settings, account

lockout settings and Kerberos v5 settings in a Group Policy?

A. Container

*B. Site

*C. OU

*D. Domain

Explanation: Group Policy allows you to apply configurations to computer and user

accounts across your network, specifying settings through five extensions:

Administrative Templates, Security, Software Installation, Scripts and Folder

Redirection. The Security settings extension allows the administrator to configure

settings in the following areas: Account Policies, which can include password

policies, account lockout policies and Kerberos v5 policies; Local Policies, which

apply to computers and are mostly concerned with auditing policies, user rights, etc.;

Event Log, which specifies the parameters for the logs; and Restricted Groups, which

allows the management of built-in groups.

2. What security template in Windows 2000 "opens" up the default Users settings for

modification and therefore is not considered a secure environment?

A. Basic

*B. Compatible

C. Secure

D. High Secure

Explanation: Windows 2000 makes a variety of Security Templates available to the

administrator for further securing the network. These templates are inactive until

imported into a Group Policy or the Security Analysis and Configuration snap-in for

MMC. Typically the administrator will open the appropriate Group Policy object and

select the Import Policy option. There are four types of Security Templates in

Windows 2000: Basic templates which apply the default Windows 2000 settings and

are generally applied to computers recently upgraded from Windows NT;

Compatible, which loosens the default access control policy for the Users group and

so is not considered a very secure configuration (but is necessary for some older,

legacy applications); Secure, which modifies no ACLs, but does modify settings like

password policy, audit policy, etc.; and High Secure, which increases security to the

point where computer performance and operational ease of use are no longer

considered. The thrust of these templates is to help restrict the membership of the user in the

local Power Users group, which in many security circles is considered an unsecured

configuration.


3. What Windows 2000 security template modifies security parameters to their extreme

settings without regard to performance or ease of use?

A. Basic

B. Compatible

C. Secure

D. High Secure

4. What utility in Windows 2000 can be best used to edit Security Templates?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

C. Security Template snap-in to MMC

D. Security Configuration and Analysis snap-in to MMC


3. What Windows 2000 security template modifies security parameters to their extreme

settings without regard to performance or ease of use?

A. Basic

B. Compatible

C. Secure

*D. High Secure

Explanation: Windows 2000 makes a variety of Security Templates available to the

administrator for further securing the network. These templates are inactive until

imported into a Group Policy or the Security Analysis and Configuration snap-in for

MMC. Typically the administrator will open the appropriate Group Policy object and

select the Import Policy option. There are four types of Security Templates in

Windows 2000: Basic templates which apply the default Windows 2000 settings and

are generally applied to computers recently upgraded from Windows NT;

Compatible, which loosens the default access control policy for the Users group and

so is not considered a very secure configuration (but is necessary for some older,

legacy applications); Secure, which modifies no ACLs, but does modify settings like

password policy, audit policy, etc.; and High Secure, which increases security to the

point where computer performance and operational ease of use are no longer

considered. The thrust of these templates is to help restrict the membership of the user in the

local Power Users group, which in many security circles is considered an unsecured

configuration.

4. What utility in Windows 2000 can be best used to edit Security Templates?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

*C. Security Template snap-in to MMC

D. Security Configuration and Analysis snap-in to MMC

Explanation: Windows 2000 makes a variety of Security Templates available to the

administrator for further securing the network. These templates are inactive until

imported into a Group Policy or the Security Analysis and Configuration snap-in for

MMC. Typically the administrator will open the appropriate Group Policy object and

select the Import Policy option. Templates can be edited using the Security

Templates snap-in for MMC.


5. What utility would an Administrator use to import or export Security Templates?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

C. Security Templates snap-in for MMC

D. Security Configuration and Analysis snap-in for MMC

6. What are three Security Templates available in Windows 2000? (Choose 3)

A. User

B. Basic

C. Computer

D. Secure

E. Compatible


5. What utility would an Administrator use to import or export Security Templates?

A. Active Directory Users and Computers

B. Active Directory Servers and Services

C. Security Templates snap-in for MMC

*D. Security Configuration and Analysis snap-in for MMC

Explanation: Windows 2000 makes a variety of Security Templates available to the

administrator for further securing the network. These templates are inactive until

imported into a Group Policy or the Security Analysis and Configuration snap-in for

MMC. Typically the administrator will open the appropriate Group Policy object and

select the Import Policy option. There are four types of Security Templates in

Windows 2000: Basic templates which apply the default Windows 2000 settings and

are generally applied to computers recently upgraded from Windows NT;

Compatible, which loosens the default access control policy for the Users group and

so is not considered a very secure configuration (but is necessary for some older,

legacy applications); Secure, which modifies no ACLs, but does modify settings like

password policy, audit policy, etc.; and High Secure, which increases security to the

point where computer performance and operational ease of use are no longer

considered.

6. What are three Security Templates available in Windows 2000? (Choose 3)

A. User

*B. Basic

C. Computer

*D. Secure

*E. Compatible

Explanation: There are four types of Security Templates in Windows 2000: Basic

templates which apply the default Windows 2000 settings and are generally applied

to computers recently upgraded from Windows NT; Compatible, which loosens the

default access control policy for the Users group and so is not considered a very

secure configuration (but is necessary for some older, legacy applications); Secure,

which modifies no ACLs, but does modify settings like password policy, audit

policy, etc.; and High Secure, which increases security to the point where computer

performance and operational ease of use are no longer considered. The thrust of

these templates is to help restrict the membership of the user in the local Power

Users group, which in many security circles is considered an unsecured

configuration.


7. What group is created during the installation of Windows 2000 whose

membership may need to be altered by Security Templates?

A. Users

B. Power Users

C. Administrators

D. Server Operators


7. What group is created during the installation of Windows 2000 whose membership

may need to be altered by Security Templates?

A. Users

*B. Power Users

C. Administrators

D. Server Operators

Explanation: There are four types of Security Templates in Windows 2000: Basic

templates which apply the default Windows 2000 settings and are generally applied

to computers recently upgraded from Windows NT; Compatible, which loosens the

default access control policy for the Users group and so is not considered a very

secure configuration (but is necessary for some older, legacy applications); Secure,

which modifies no ACLs, but does modify settings like password policy, audit

policy, etc.; and High Secure, which increases security to the point where computer

performance and operational ease of use are no longer considered. The thrust of

these templates is to help restrict the membership of the user in the local Power

Users group, which in many security circles is considered an unsecured

configuration.


8. What are four categories of events that can be audited in a Windows 2000 network?

(Choose 4)

A. Account Logon

B. Directory Service Access

C. Account Logoff

D. Object Access

E. Privilege Use


8. What are four categories of events that can be audited in a Windows 2000 network?

(Choose 4)

*A. Account Logon

*B. Directory Service Access

C. Account Logoff

*D. Object Access

*E. Privilege Use

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.


9. What Windows 2000 utility would an administrator use to look at security log files?

A. Event Viewer

B. Security snap-in for MMC

C. Active Directory Users and Computers

D. Security Log Viewer snap-in for MMC


9. What Windows 2000 utility would an administrator use to look at security log files?

*A. Event Viewer

B. Security snap-in for MMC

C. Active Directory Users and Computers

D. Security Log Viewer snap-in for MMC

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.


10. What settings in a security audit would help the administrator detect someone

attempting to "hack" into someone else's User account?

A. Success audit for user rights

B. Success audit for logon/logoff

C. Failure audit for logon/logoff

D. Success/failure audit write access for program files (.exe and .dll files)


10. What settings in a security audit would help the administrator detect someone

attempting to "hack" into someone else's User account?

A. Success audit for user rights

B. Success audit for logon/logoff

*C. Failure audit for logon/logoff

D. Success/failure audit write access for program files (.exe and .dll files)

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.


11. What settings in a security audit would help the administrator detect someone logging

onto someone else's User account using a stolen password?

A. Success audit for user rights

B. Success audit for logon

C. Failure audit for logon

D. Success/failure audit write access for program files (.exe and .dll files)


11. What settings in a security audit would help the administrator detect someone logging

onto someone else's User account using a stolen password?

A. Success audit for user rights

*B. Success audit for logon

C. Failure audit for logon

D. Success/failure audit write access for program files (.exe and .dll files)

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.


12. What settings in a security audit would help the administrator detect a virus outbreak

in the network?

A. Success audit for user rights

B. Success audit for logon/logoff

C. Failure audit for logon/logoff

D. Success/failure audit write access for program files (.exe and .dll files)


12. What settings in a security audit would help the administrator detect a virus outbreak

in the network?

A. Success audit for user rights

B. Success audit for logon/logoff

C. Failure audit for logon/logoff

*D. Success/failure audit write access for program files (.exe and .dll files)

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.


13. How is security auditing enabled in Windows 2000?

A. Using Event Viewer

B. Using the Security snap-in for MMC

C. Using the Group Policy snap-in for MMC

D. Using the Security Log Viewer snap-in for MMC


13. How is security auditing enabled in Windows 2000?

A. Using Event Viewer

B. Using the Security snap-in for MMC

*C. Using the Group Policy snap-in for MMC

D. Using the Security Log Viewer snap-in for MMC

Explanation: Security auditing in Windows 2000, as in Windows NT 4.0, is not enabled

by default. To enable auditing in Windows 2000, the administrator opens the Group

Policy object using the Group Policy snap-in to MMC and activates the type of

auditing desired. Types or areas of auditing include: account logon events, account

management, directory service access, logon events, object access, policy change,

privilege use, process tracking and system events. Once enabled, the administrator

then activates auditing for that event in the area where security settings appear; for

example, in NTFS folders on the Auditing tab. Once the events are logged, the

administrator can view the security log using Event Viewer. Microsoft specifies a

number of areas that should be audited if you suspect a threat. For instance, for

attempts to "hack" into someone else's account the failure audit for logon/logoff can

be set. For suspected network intrusions with stolen passwords, set the success audit

for logon/logoff. Lastly, to detect virus outbreaks in the network, set success/failure

of write access to program (.exe and .dll) files.
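
The threat-to-audit-setting pairs in the explanation above can be checked against the [Event Audit] section of a security template. The following Python is an added example, not from the book: the sample template text is constructed, and mapping the book's "logon/logoff" audit to the AuditLogonEvents key is this example's assumption.

```python
import configparser

# Constructed sample of a security template (.inf); not taken from the book.
# Template files on disk are usually UTF-16, so decode them before parsing.
# In [Event Audit] each value is a bitmask: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
AuditObjectAccess = 1
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""

SUCCESS, FAILURE = 1, 2
NAMES = {SUCCESS: "success", FAILURE: "failure",
         SUCCESS | FAILURE: "success+failure"}

# Scenarios named in the explanation, with the audit outcome each one needs.
# Assumption of this example: "logon/logoff" corresponds to AuditLogonEvents.
REQUIREMENTS = {
    "password guessing": ("AuditLogonEvents", FAILURE),
    "stolen password": ("AuditLogonEvents", SUCCESS),
    # The category switch alone is not enough here: the program folders also
    # need auditing entries set on their NTFS Auditing tab.
    "virus outbreak": ("AuditObjectAccess", SUCCESS | FAILURE),
}


def parse_event_audit(template_text):
    """Return {setting: bitmask} for the [Event Audit] section of a template."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep the original key case
    parser.read_string(template_text)
    settings = {}
    if not parser.has_section("Event Audit"):
        return settings
    for key, raw in parser.items("Event Audit"):
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"{key}: value {raw!r} is not a number")
        if value not in (0, 1, 2, 3):
            raise ValueError(f"{key}: value {value} is outside 0-3")
        settings[key] = value
    return settings


def audit_gaps(settings):
    """Return {scenario: (setting, missing outcome)} for unmet requirements."""
    gaps = {}
    for scenario, (key, needed) in REQUIREMENTS.items():
        have = settings.get(key, 0)  # an absent key audits nothing
        missing = needed & ~have
        if missing:
            gaps[scenario] = (key, NAMES[missing])
    return gaps


if __name__ == "__main__":
    found = audit_gaps(parse_event_audit(SAMPLE_TEMPLATE))
    for scenario, (key, missing) in found.items():
        print(f"{scenario}: {key} is missing the {missing} audit")
```
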


14. What security template in Windows 2000 applies default settings and would generally

be applied to computers that have been upgraded from Windows NT?

A. Basic

B. Compatible

C. Secure

D. High Secure


14. What security template in Windows 2000 applies default settings and would generally

be applied to computers that have been upgraded from Windows NT?

*A. Basic

B. Compatible

C. Secure

D. High Secure

Explanation: Windows 2000 makes a variety of Security Templates available to the

administrator for further securing the network. These templates are inactive until

imported into a Group Policy or the Security Analysis and Configuration snap-in for

MMC. Typically the administrator will open the appropriate Group Policy object and

select the Import Policy option. There are four types of Security Templates in

Windows 2000: Basic templates which apply the default Windows 2000 settings and

are generally applied to computers recently upgraded from Windows NT;

Compatible, which loosens the default access control policy for the Users group and

so is not considered a very secure configuration (but is necessary for some older,

legacy applications); Secure, which modifies no ACLs, but does modify settings like

password policy, audit policy, etc.; and High Secure, which increases security to the

point where computer performance, operational ease of use, etc. are no longer

considered. The thrust of these templates is to help restrict the membership of the user in

the local Power Users group, which in many security circles is considered an

unsecured configuration.


15. As the administrator of the Windows 2000 domain called mcsejobs.net, you are trying

to decide on the trust relationships to create between domains. What are the default

trust relationships in Windows 2000?

A. Transitive

B. Explicit

C. Direct one-way

D. Shortcut

16. As the administrator of the mcsejobs.net Windows 2000 directory service, you are

responsible for the creation, management and deletion of all the objects in the

directory. You are also the DNS administrator for the mcsejobs.net namespace that

all of the objects are created in. Your user naming convention is the user's first initial

and last name. You have recently hired a summer student named Chloe Ward to

assist you in your responsibilities and are explaining the concept of a User Principal

Name. To demonstrate this, you open Active Directory Users and Computers and

select Chloe's account within the mcsejobs.net domain. What is the User Principal

Name of Chloe's account?

A. mcsejobs\cward

B. mcsejobs.net\cward

C. [email protected]

D. cward@mcsejobs

E. [email protected]


15. As the administrator of the Windows 2000 domain called mcsejobs.net, you are trying

to decide on the trust relationships to create between domains. What are the default

trust relationships in Windows 2000?

*A. Transitive

B. Explicit

C. Direct one-way

D. Shortcut

Explanation: Transitive trusts are the default trust relationships created between domains

in a forest in Windows 2000. Explicit trusts can be created with Active Directory

Domains and Trusts and are one-way trust relationships. Direct one-way trusts could

also be considered explicit trusts. Shortcut trusts are used to create a direct

connection between two domains in a forest and allow users in those domains to

directly access resources without following the default trust structure.

16. As the administrator of the mcsejobs.net Windows 2000 directory service, you are

responsible for the creation, management and deletion of all the objects in the

directory. You are also the DNS administrator for the mcsejobs.net namespace that

all of the objects are created in. Your user naming convention is the user's first initial

and last name. You have recently hired a summer student named Chloe Ward to

assist you in your responsibilities and are explaining the concept of a User Principal

Name. To demonstrate this, you open Active Directory Users and Computers and

select Chloe's account within the mcsejobs.net domain. What is the User Principal

Name of Chloe's account?

A. mcsejobs\cward

B. mcsejobs.net\cward

*C. [email protected]

D. cward@mcsejobs

E. [email protected]

Explanation: A User Principal Name is composed of the user's logon name and the DNS

domain name where the user object resides. In this question, Chloe's logon name is

cward and the name of the domain is mcsejobs.net. Therefore, Chloe's user principal

name would be [email protected]. Mcsejobs\cward is Chloe's NetBIOS logon

name, which can be used on both Windows 2000 and Windows NT 4 computers.

Cward@mcsejobs is not correct as it does not contain the entire domain component.

[email protected] is not correct as Chloe.ward is not Chloe's logon name.


17. What is the slang word for Greenwich Mean Time?

A.

18. What is an application compatibility script used for?

A. To modify an application to function better in a multi-user environment.

B. To make an application that normally would not run on Windows 2000 run with

Windows 2000 Terminal Services.

C. To test the compatibility of an application in a terminal services environment.

D. To configure a single-user application to run in multi-user mode.


17. What is the slang word for Greenwich Mean Time?

*A. Zulu time

Explanation: Zulu time is the slang word for Greenwich Mean Time.

18. What is an application compatibility script used for?

*A. To modify an application to function better in a multi-user environment.

B. To make an application that normally would not run on Windows 2000 run with

Windows 2000 Terminal Services.

C. To test the compatibility of an application in a terminal services environment.

D. To configure a single-user application to run in multi-user mode.

Explanation: Application compatibility scripts, included with Terminal Services, modify

applications to function better in a multi-user environment by modifying global

registry settings and disabling functions that might decrease system performance.


Introduction

The installation of Windows 2000 can be automated using Microsoft’s Remote

Installation Services (RIS). RIS consists of three main components: RIS servers, CD-based

or RIPrep images, and RIS clients. The clients connect to the RIS servers using a

RIS boot disk, and then download the image to install Windows 2000. Additional

configuration of the operating system can be customized through the use of an

unattend.txt answer file.


Chapter 6: Remote Installation Services Configuration

The objective of this chapter is to provide the reader with an understanding of the following:

The use of Remote Installation Service (RIS) to install Windows 2000 remotely

The use of CD-based and RIPrep images in RIS

How to create a RIS boot disk

How to troubleshoot RIS

1. What are three benefits of Remote OS Installation Services in Windows 2000?

(Choose 3)

A. Enables remote installation of Windows 2000 Professional.

B. Detects plug-and-play hardware during setup.

C. Simplifies the installation of third-party application programs.

D. Supports operating system recovery in the event of failure.

2. What three network services must be available for RIS to be installed in a Windows

2000 network? (Choose 3)

A. DNS

B. DHCP

C. Group Policies

D. Active Directory

E. Software Installation and Maintenance


1. What are three benefits of Remote OS Installation Services in Windows 2000?

(Choose 3)

*A. Enables remote installation of Windows 2000 Professional.

*B. Detects plug-and-play hardware during setup.

C. Simplifies the installation of third-party application programs.

*D. Supports operating system recovery in the event of failure.

Explanation: Windows 2000 Remote OS Installation Services (RIS) allows the installation of Windows 2000 throughout a network from a central location. It enables remote installation of Windows 2000 Professional, simplifies server image management, provides for recovery of the original operating system in the event of failure, retains security settings and lowers the Total Cost of Ownership (TCO) of the network.

2. What three network services must be available for RIS to be installed in a Windows

2000 network? (Choose 3)

*A. DNS

*B. DHCP

C. Group Policies

*D. Active Directory

E. Software Installation and Maintenance

Explanation: Windows 2000 Remote OS Installation Services (RIS) allows the

installation of Windows 2000 throughout a network from a central location. It

enables remote installation of Windows 2000 Professional, simplifies server image

management, provides for recovery of the original operating system in the event of

failure, retains security settings and lowers the Total Cost of Ownership (TCO) of

the network. A Windows 2000 Server, either member server or domain controller,

must host RIS. Additionally, DNS, DHCP and Active Directory must be available on

the network.


3. What are two ways to install RIS on a Windows 2000 server? (Choose 2)

A. During the installation of Windows 2000.

B. Using the RIS Setup Wizard

C. Using Configure Your Server from Administrative Tools.

D. From Network - Services you choose RIS.

4. What are three requirements of the shared volume on which RIS is installed on a

Windows 2000 server? (Choose 3)

A. The shared volume must be formatted with NTFS.

B. The shared volume must be on the same drive that is running Windows 2000 server.

C. The shared volume cannot be used for any other user access.

D. The shared volume must be large enough to hold the RIS software and the various

images.

E. The shared volume cannot be on the drive containing Windows 2000 system files.


3. What are two ways to install RIS on a Windows 2000 server? (Choose 2)

*A. During the installation of Windows 2000.

B. Using the RIS Setup Wizard

*C. Using Configure Your Server from Administrative Tools.

D. From Network - Services you choose RIS.

Explanation: Windows 2000 Remote OS Installation Services (RIS) allows the

installation of Windows 2000 throughout a network from a central location. It

enables remote installation of Windows 2000 Professional, simplifies server image

management, provides for recovery of the original operating system in the event of

failure, retains security settings and lowers the Total Cost of Ownership (TCO) of

the network. A Windows 2000 Server, either member server or domain controller,

must host RIS. Additionally, DNS, DHCP and Active Directory must be available on

the network. RIS is installed by the Remote Installation Services Setup Wizard,

which can be invoked by either typing risetup in Start-Run, by using the Windows

Components Setup program in Add/Remove Programs, or it can be installed during

the initial install of Windows 2000 on the server.

4. What are three requirements of the shared volume on which RIS is installed on a

Windows 2000 server? (Choose 3)

*A. The shared volume must be formatted with NTFS.

B. The shared volume must be on the same drive that is running Windows 2000 server.

C. The shared volume cannot be used for any other user access.

*D. The shared volume must be large enough to hold the RIS software and the various images.

*E. The shared volume cannot be on the drive containing Windows 2000 system files.

Explanation: Windows 2000 Remote OS Installation Services (RIS) allows the installation of Windows 2000 throughout a network from a central location. It enables remote installation of Windows 2000 Professional, simplifies server image management, provides for recovery of the original operating system in the event of failure, retains security settings and lowers the Total Cost of Ownership (TCO) of the network. A Windows 2000 Server, either member server or domain controller, must host RIS. Additionally, DNS, DHCP and Active Directory must be available on the network. Finally, RIS must be installed on an NTFS volume that is shared over the network, with enough space to hold RIS and the necessary images, and the volume cannot be the one running Windows 2000.


5. What command will start the RIS Installation Services Setup Wizard?

A. Start-Run-riswiz

B. Start-Run-ris.exe

C. Start-Run-risetup

D. Start-Run-ristart

6. What are three tasks performed by the RIS Installation Services Setup Wizard?

(Choose 3)

A. Installs RIS on the server.

B. Creates a RIS folder structure.

C. Creates a Windows 2000 Professional image from the CD ROM.

D. Creates a boot disk for client computers.

E. Starts the RIS service.


5. What command will start the RIS Installation Services Setup Wizard?

A. Start-Run-riswiz

B. Start-Run-ris.exe

*C. Start-Run-risetup

D. Start-Run-ristart

Explanation: A Windows 2000 Server, either member server or domain controller, must

host RIS. Additionally, DNS, DHCP and Active Directory must be available on the

network. RIS is installed by the Remote Installation Services Setup Wizard, which

can be invoked by either typing risetup in Start-Run, by using the Windows

Components Setup program in Add/Remove Programs, or it can be installed during

the initial install of Windows 2000 on the server.

6. What are three tasks performed by the RIS Installation Services Setup Wizard?

(Choose 3)

A. Installs RIS on the server.

*B. Creates a RIS folder structure.

*C. Creates a Windows 2000 Professional image from the CD ROM.

D. Creates a boot disk for client computers.

*E. Starts the RIS service.

Explanation: A Windows 2000 Server, either member server or domain controller, must host RIS. Additionally, DNS, DHCP and Active Directory must be available on the network. RIS is installed by the Remote Installation Services Setup Wizard, which can be invoked by either typing risetup in Start-Run, by using the Windows Components Setup program in Add/Remove Programs, or it can be installed during the initial install of Windows 2000 on the server. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started.


7. What is the default setting for Initial Settings in RIS after the Setup Wizard has run?

A. The server will respond to all client requests.

B. The server will not respond to any client requests.

C. The server will only respond to clients that have pre-configured computer accounts.

D. The server will only respond to client computers that have connected with the RIS

boot disk.

8. Through which Windows 2000 service does the administrator authorize a RIS server?

A. DHCP

B. DNS

C. Active Directory

D. RIS


7. What is the default setting for Initial Settings in RIS after the Setup Wizard has run?

A. The server will respond to all client requests.

*B. The server will not respond to any client requests.

C. The server will only respond to clients that have pre-configured computer accounts.

D. The server will only respond to client computers that have connected with the RIS boot disk.

Explanation: RIS is installed by the Remote Installation Services Setup Wizard, which can be invoked by either typing risetup in Start-Run, by using the Windows Components Setup program in Add/Remove Programs, or it can be installed during the initial install of Windows 2000 on the server. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Initially RIS is set to not respond to client requests. After installing RIS, the administrator will have to enable the RIS server to respond to client requests by enabling DHCP services on the server and authorizing the RIS service. If the server is already a DHCP server, then authorizing it in the DHCP console is all that is necessary.

8. Through which Windows 2000 service does the administrator authorize a RIS server?

*A. DHCP

B. DNS

C. Active Directory

D. RIS

Explanation: RIS is installed by the Remote Installation Services Setup Wizard, which can be invoked by either typing risetup in Start-Run, by using the Windows Components Setup program in Add/Remove Programs, or it can be installed during the initial install of Windows 2000 on the server. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Initially RIS is set to not respond to client requests. After installing RIS, the administrator will have to enable the RIS server to respond to client requests by enabling DHCP services on the server and authorizing the RIS service. If the server is already a DHCP server, then authorizing it in the DHCP console is all that is necessary.


9. What right must users have in Active Directory to install a RIS image on their

computer?

A. Users must have Write to the parent container.

B. Users must have Add/Change to the parent container.

C. Users must have the Create Computer object permission in the parent container.

D. Users must have the Register Computer permission in the parent container.

10. What two ways can a user initiate a remote installation on a client computer using

RIS? (Choose 2)

A. By pressing F12 after they turn on their computers.

B. By pressing CTRL+F12 after they turn on their computer.

C. By booting their system with a RIS boot disk.

D. By double-clicking on the RIS icon the administrator has delivered to the desktop.


9. What right must users have in Active Directory to install a RIS image on their

computer?

A. Users must have Write to the parent container.

B. Users must have Add/Change to the parent container.

*C. Users must have the Create Computer object permission in the parent container.

D. Users must have the Register Computer permission in the parent container.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Initially RIS is set to not respond to client requests. After installing RIS, the administrator will have to enable the RIS server to respond to client requests by enabling DHCP services on the server and authorizing the RIS service. If the server is already a DHCP server, then authorizing it in the DHCP console is all that is necessary. Finally, clients need the right to create computer accounts in Active Directory. The administrator needs to grant this right in the appropriate OU.

10. What two ways can a user initiate a remote installation on a client computer using

RIS? (Choose 2)

*A. By pressing F12 after they turn on their computers.

B. By pressing CTRL+F12 after they turn on their computer.

*C. By booting their system with a RIS boot disk.

D. By double-clicking on the RIS icon the administrator has delivered to the desktop.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Initially RIS is set to not respond to client requests. After installing RIS, the administrator will have to enable the RIS server to respond to client requests by enabling DHCP services on the server and authorizing the RIS service. If the server is already a DHCP server, then authorizing it in the DHCP console is all that is necessary. Finally, clients need the right to create computer accounts in Active Directory. The administrator needs to grant this right in the appropriate OU. Once configured, users request a remote installation by either pressing F12 after they turn on their computers or by using a RIS boot disk. In either case, the user is presented with a menu with four options: automatic setup, custom setup, restart a previous attempt and maintenance and troubleshooting.


11. What are three options presented to the users when initiating a remote installation

using RIS? (Choose 3)

A. Automatic Setup

B. Boot Setup

C. Custom Setup

D. Restart a Previous Setup Attempt

E. Restore to Previous Operating System


11. What are three options presented to the users when initiating a remote installation

using RIS? (Choose 3)

*A. Automatic Setup

B. Boot Setup

*C. Custom Setup

*D. Restart a Previous Setup Attempt

E. Restore to Previous Operating System

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Initially RIS is set to not respond to client requests. After installing RIS, the administrator will have to enable the RIS server to respond to client requests by enabling DHCP services on the server and authorizing the RIS service. If the server is already a DHCP server, then authorizing it in the DHCP console is all that is necessary.

Finally, clients need the right to create computer accounts in Active Directory. The administrator needs to grant this right in the appropriate OU. Once configured, users request a remote installation by either pressing F12 after they turn on their computers or by using a RIS boot disk. In either case, the user is presented with a menu with four options: automatic setup, custom setup, restart a previous attempt and maintenance and troubleshooting.


12. As the network administrator for BFQ, Inc. you are going to use RIS to install

Windows 2000 Professional on 200 client computers. You have 125 computers with

identical network adapters that support the PXE specification, and 75 computers with

three different adapters that do not support the specification. How many RIS boot

disks will you need to create to enable RIS on the client computers?

A. 1

B. 2

C. 3

D. 4

E. 5


12. As the network administrator for BFQ, Inc. you are going to use RIS to install

Windows 2000 Professional on 200 client computers. You have 125 computers with

identical network adapters that support the PXE specification, and 75 computers with

three different adapters that do not support the specification. How many RIS boot

disks will you need to create to enable RIS on the client computers?

*A. 1

B. 2

C. 3

D. 4

E. 5

Explanation: Users request a remote installation by either pressing F12 after they turn on

their computers (if their network adapter meets the PXE specification) or by using a

RIS boot disk if their network adapter does not meet PXE specs. In either case, the

user is presented a menu with four options: automatic setup, custom setup, restart a

previous attempt and maintenance and troubleshooting. RIS boot disks are created by

using rbfg.exe found in \\RISserver\reminsf\admin\i386. The same RIS boot disk can

be used on multiple computers, and is not adapter-specific. Even if the adapter is not

on the supported list, the boot disk may still work.


13. Your network adapter is not on the list of supported adapters for creating a RIS boot

disk. What is your next option for enabling remote installation for these computers?

A. You can download an updated RIS boot image from Microsoft's web site.

B. Even though the adapter is not listed, you should still check to see if the boot disk works.

C. You have no option; you must replace the adapters with a compatible type.

D. You must use an updated driver for the network adapter to enable remote installation (if there is an RIS-enabled one).

14. What are three remote installation options that you can configure to determine how

the RIS server responds to client requests? (Choose 3)

A. Configuring Client Computer Names and Locations

B. Pre-Staging Client Computers

C. Unattended Client Installation

D. Configuring Client Installation Options

E. Additional Client Software Installations


13. Your network adapter is not on the list of supported adapters for creating a RIS boot

disk. What is your next option for enabling remote installation for these computers?

A. You can download an updated RIS boot image from Microsoft's web site.

*B. Even though the adapter is not listed, you should still check to see if the boot disk works.

C. You have no option; you must replace the adapters with a compatible type.

D. You must use an updated driver for the network adapter to enable remote installation (if there is an RIS-enabled one).

Explanation: Users request a remote installation by either pressing F12 after they turn on their computers (if their network adapter meets the PXE specification) or by using a RIS boot disk if their network adapter does not meet PXE specs. In either case, the user is presented with a menu with four options: automatic setup, custom setup, restart a previous attempt and maintenance and troubleshooting. RIS boot disks are created by using rbfg.exe found in \\RISserver\reminsf\admin\i386. The same RIS boot disk can be used on multiple computers, and is not adapter-specific. Even if the adapter is not on the supported list, the boot disk may still work.

14. What are three remote installation options that you can configure to determine how

the RIS server responds to client requests? (Choose 3)

*A. Configuring Client Computer Names and Locations

*B. Pre-Staging Client Computers

C. Unattended Client Installation

*D. Configuring Client Installation Options

E. Additional Client Software Installations

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Before clients attempt to connect to the RIS server, the administrator can configure in Group Policy in Active Directory Users and Computers how the server will respond. The options are configuring client computer names and locations, which allows users to create computer accounts; pre-staging client computers, which pre-creates a computer account for each installation; configuring client installation options, which further specifies the options the client will be presented with during the installation; configuring maintenance and troubleshooting tools, which may allow users access to some diagnostic utilities; and lastly activating client support, where the administrator specifies how the RIS server will respond to client requests.


15. What tool is used to configure client names and locations for client computers

accessing an RIS server for Windows 2000 Professional installation?

A. RIS Setup Wizard

B. Active Directory Users and Computers

C. Administrative Tools - RIS Configuration

D. Active Directory Domains and Services

16. What does RIS use for the default computer name when performing a remote

installation?

A. The original NetBIOS computer name.

B. The user name of the user performing the installation with an incremental number

appended.

C. The name specified by a text file created before the installation by an administrator.

D. RIS generates a random 8-character name for the computer.


15. What tool is used to configure client names and locations for client computers

accessing an RIS server for Windows 2000 Professional installation?

A. RIS Setup Wizard

*B. Active Directory Users and Computers

C. Administrative Tools - RIS Configuration

D. Active Directory Domains and Services

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. Before clients attempt to connect to the RIS server, the administrator can configure in Group Policy in Active Directory Users and Computers how the server will respond. The options are configuring client computer names and locations, which allows users to create computer accounts using pre-set naming conventions; pre-staging client computers, which pre-creates a computer account for each installation; configuring client installation options, which further specifies the options the client will be presented with during the installation; configuring maintenance and troubleshooting tools, which may allow users access to some diagnostic utilities; and lastly activating client support, where the administrator specifies how the RIS server will respond to client requests.

16. What does RIS use for the default computer name when performing a remote

installation?

A. The original NetBIOS computer name.

*B. The user name of the user performing the installation with an incremental number appended.

C. The name specified by a text file created before the installation by an administrator.

D. RIS generates a random 8-character name for the computer.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Before clients attempt to connect to the RIS server, the administrator can

configure in Group Policy in Active Directory Users and Computers how the server

will respond. The options are configuring client computer names and locations,

which allows users to create computer accounts using pre-set naming conventions.

By default, RIS will name the computers after the users who create them.


17. What are two reasons for using the Pre-staging Client Computers option in RIS client

configuration? (Choose 2)

A. Pre-staging allows users to install Windows 2000 Professional without being

concerned about

which RIS server is servicing their installation.

B. Pre-staging allows RIS servers to be load balanced by pre-assigning RIS servers.

C. Pre-staging is done primarily for security reasons.

D. Pre-staging simplifies the remote installation process.

18. Where in Windows 2000 does the administrator configure the four installation

options that are presented to users at the start of a remote installation?

A. RIS Setup Wizard

B. RIS Client Boot Disk

C. Group Policy

D. RIS server - System Properties


17. What are two reasons for using the Pre-staging Client Computers option in RIS client

configuration? (Choose 2)

A. Pre-staging allows users to install Windows 2000 Professional without being

concerned about

which RIS server is servicing their installation.

*B. Pre-staging allows RIS servers to be load balanced by pre-assigning RIS servers.

*C. Pre-staging is done primarily for security reasons.

D. Pre-staging simplifies the remote installation process.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Before clients attempt to connect to the RIS server, the administrator can

configure in Group Policy in Active Directory Users and Computers how the server

will respond. Pre-staging client computers, which pre-creates a computer’s account

for each installation, is done primarily for security reasons. Pre-staging can also

provide load balancing of the installation process on the network.

18. Where in Windows 2000 does the administrator configure the four installation

options that are presented to users at the start of a remote installation?

A. RIS Setup Wizard

B. RIS Client Boot Disk

*C. Group Policy

D. RIS server - System Properties

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Before clients attempt to connect to the RIS server, the administrator can

configure in Group Policy in Active Directory Users and Computers how the server

will respond. One of the options is Configuring Client Installation Options, which

specifies the options the client will be presented with during the installation. The

administrator can allow, deny or let the specific setting be inherited from the parent

GPO. In any case, the individual choices that may be allowed (or denied) are

automatic setup, custom setup, restart from a previous Setup attempt and

maintenance and troubleshooting. By default, Automatic Setup is enabled when you

first install RIS.


19. What option is used by default when you install RIS?

A. Automatic Setup

B. Custom Setup

C. Restart from a Previous Attempt

D. Maintenance and Troubleshooting


19. What option is used by default when you install RIS?

*A. Automatic Setup

B. Custom Setup

C. Restart from a Previous Attempt

D. Maintenance and Troubleshooting

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Before clients attempt to connect to the RIS server, the administrator can

configure in Group Policy in Active Directory Users and Computers how the server

will respond. One of the options is Configuring Client Installation Options, which

specifies the options the client will be presented with during the installation. The

administrator can allow, deny or let the specific setting be inherited from the parent

GPO. In any case, the individual choices that may be allowed (or denied) are

automatic setup, custom setup, restart from a previous Setup attempt and

maintenance and troubleshooting. By default, Automatic Setup is enabled when you

first install RIS.


20. What are two tasks that can be performed using the Maintenance and Troubleshooting

option of the RIS Client Installation? (Choose 2)

A. Restart the RIS installation.

B. Upgrade flash BIOS.

C. Create a RIS boot disk.

D. Diagnose hardware-related problems.


20. What are two tasks that can be performed using the Maintenance and Troubleshooting

option of the RIS Client Installation? (Choose 2)

A. Restart the RIS installation.

*B. Upgrade flash BIOS.

C. Create a RIS boot disk.

*D. Diagnose hardware-related problems.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Before clients attempt to connect to the RIS server, the administrator can

configure in Group Policy in Active Directory Users and Computers how the server

will respond. One of the options is Configuring Client Installation Options, which

specifies the options the client will be presented with during the installation. The

administrator can allow, deny or let the specific setting be inherited from the parent

GPO. In any case, the individual choices that may be allowed (or denied) are

automatic setup, custom setup, restart from a previous Setup attempt and

maintenance and troubleshooting. By default, Automatic Setup is enabled when you

first install RIS. Maintenance and troubleshooting allows the users to install tools

from third-party vendors, diagnose hardware problems, configure optional BIOS

settings or even upgrade flash BIOS.


21. During the remote installation of Windows 2000 using RIS servers, your client

computer displays a DHCP error message, but not a BINL message. What two

troubleshooting steps should you take? (Choose 2)

A. Verify that the RIS server is online and authorized.

B. Stop and start the NetPC Boot Service Manager on the RIS server.

C. In the Remote Disk Boot Generator utility, verify that the network adapter is supported

by RIS.

D. Make sure that DHCP packets are being routed.

22. During the remote installation of Windows 2000 using RIS servers, your client

computer displays the BINL error message but cannot connect to the RIS server.

What is the probable solution to this error?

A. Verify that the RIS server is online and authorized.

B. Stop and start the NetPC Boot Service Manager on the RIS server.

C. In the Remote Disk Boot Generator utility, verify that the network adapter is supported

by RIS.

D. Make sure that DHCP packets are being routed.


21. During the remote installation of Windows 2000 using RIS servers, your client

computer displays a DHCP error message, but not a BINL message. What two

troubleshooting steps should you take? (Choose 2)

*A. Verify that the RIS server is online and authorized.

B. Stop and start the NetPC Boot Service Manager on the RIS server.

C. In the Remote Disk Boot Generator utility, verify that the network adapter is

supported by RIS.

*D. Make sure that DHCP packets are being routed.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Initially RIS is set to not respond to client requests. After installing RIS,

the administrator will have to enable the RIS server to respond to client requests by

enabling DHCP services on the server and authorizing the RIS service. If the server

is already a DHCP server, then authorizing it in the DHCP console is all that is

necessary. If client computers display a DHCP error but not a BINL error, then

verify that the server is online and that DHCP packets are being routed on the

network.

22. During the remote installation of Windows 2000 using RIS servers, your client

computer displays the BINL error message but cannot connect to the RIS server.

What is the probable solution to this error?

A. Verify that the RIS server is online and authorized.

*B. Stop and start the NetPC Boot Service Manager on the RIS server.

C. In the Remote Disk Boot Generator utility, verify that the network adapter is

supported by RIS.

D. Make sure that DHCP packets are being routed.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Initially RIS is set to not respond to client requests. After installing RIS,

the administrator will have to enable the RIS server to respond to client requests by

enabling DHCP services on the server and authorizing the RIS service. If the server

is already a DHCP server, then authorizing it in the DHCP console is all that is

necessary. If the client computers are displaying a BINL error but cannot connect to

the RIS server, then the administrator should stop and restart the NetPC Boot Service

Manager (BINLSVC) service on the RIS server.


23. During the remote installation of Windows 2000 using RIS servers, your client

computer cannot connect to the RIS server using the RIS boot disk. What do you

check to resolve the problem?

A. Verify that the RIS server is online and authorized.

B. Stop and start the NetPC Boot Service Manager on the RIS server.

C. In the Remote Disk Boot Generator utility, verify that the network adapter is supported

by RIS.

D. Make sure that DHCP packets are being routed.

24. What are two types of images supported by RIS in Windows 2000? (Choose 2)

A. CD-based images

B. Boot images

C. RIPrep images

D. Ghost images


23. During the remote installation of Windows 2000 using RIS servers, your client

computer cannot connect to the RIS server using the RIS boot disk. What do you

check to resolve the problem?

A. Verify that the RIS server is online and authorized.

B. Stop and start the NetPC Boot Service Manager on the RIS server.

*C. In the Remote Disk Boot Generator utility, verify that the network adapter is

supported by RIS.

D. Make sure that DHCP packets are being routed.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. Initially RIS is set to not respond to client requests. After installing RIS,

the administrator will have to enable the RIS server to respond to client requests by

enabling DHCP services on the server and authorizing the RIS service. If the server

is already a DHCP server, then authorizing it in the DHCP console is all that is

necessary. If client computers display no error message, yet are unable to connect to

the RIS server, then verify that the RIS boot disk supports the adapter in the

computer.

24. What are two types of images supported by RIS in Windows 2000? (Choose 2)

*A. CD-based images

B. Boot images

*C. RIPrep images

D. Ghost images

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. Using the Remote Installation Preparation

Wizard, the administrator can also create a RIPrep image for use in RIS installations.


25. What two of the following are created by default when you install RIS on a Windows

2000 server? (Choose 2)

A. CD-based image

B. RIPrep image

C. Ristndrd.sif file

D. RIPans.inf file

26. What utility can you use to easily create an answer file for the unattended remote

installation of Windows 2000 on multiple computers using RIS?

A. Active Directory Users and Computers

B. RIS Setup Wizard

C. Windows 2000 Setup Manager Wizard

D. Remote Installation Preparation Wizard


25. What two of the following are created by default when you install RIS on a Windows

2000 server? (Choose 2)

*A. CD-based image

B. RIPrep image

*C. Ristndrd.sif file

D. RIPans.inf file

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. Using the Remote Installation Preparation

Wizard, the administrator can also create a RIPrep image for use in RIS installations.

26. What utility can you use to easily create an answer file for the unattended remote

installation of Windows 2000 on multiple computers using RIS?

A. Active Directory Users and Computers

B. RIS Setup Wizard

*C. Windows 2000 Setup Manager Wizard

D. Remote Installation Preparation Wizard

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. Using the Remote Installation Preparation

Wizard, the administrator can also create a RIPrep image for use in RIS installations.


27. What are three levels of user interaction that can be set during the creation of an

answer file with the Windows 2000 Setup Manager Wizard? (Choose 3)

A. Fully Automated

B. Custom

C. Read Only

D. GUI Attended

E. Text only


27. What are three levels of user interaction that can be set during the creation of an

answer file with the Windows 2000 Setup Manager Wizard? (Choose 3)

*A. Fully Automated

B. Custom

*C. Read Only

*D. GUI Attended

E. Text only

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. The five options for

user interaction are: provide defaults, which displays all setup pages for the user,

fully automated, where the installation is unattended, hide pages, which displays

only setup pages with missing information that you have pre-filled with a default that

the user can change, read only, which is the same as hide pages but users cannot

change your pre-sets, and GUI attended, which automates only the text portion of the

setup and requires the users to complete the GUI portion manually.


28. What selection for administrator password in the configuration of an answer file for

RIS will prevent an unattended installation?

A. When the system first boots, automatically log on as administrator.

B. Use the following administrator password.

C. Prompt the user for an administrator password.


28. What selection for administrator password in the configuration of an answer file for

RIS will prevent an unattended installation?

A. When the system first boots, automatically log on as administrator.

B. Use the following administrator password.

*C. Prompt the user for an administrator password.

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. The first setting in the answer file

determines the level of user interaction. The next setting configures how the

administrator password will be provided during installation. Then come display settings,

network settings, additional settings (time zone, telephony, etc.), printers and initial

logon. The second setting is how the administrator password is set on the client

computers during install. The three options are: prompt the user for an administrator

password, which provides the best security, use the following administrator

password, which allows for a completely unattended install with some security, and

when system first boots, automatically log on as administrator, which provides the

least security.


29. What selection for administrator password in the configuration of an answer file for

RIS is the least secure?

A. When the system first boots, automatically log on as administrator.

B. Use the following administrator password.

C. Prompt the user for an administrator password.

30. What option in Network Settings would you choose in the Windows 2000 Setup

Manager Wizard to automatically enable DHCP on the client computer?

A. Typical Settings

B. Custom Settings

C. Networking Components

D. Number of Network Adapters


29. What selection for administrator password in the configuration of an answer file for

RIS is the least secure?

*A. When the system first boots, automatically log on as administrator.

B. Use the following administrator password.

C. Prompt the user for an administrator password.

Explanation: A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. The first setting in the answer file

determines the level of user interaction. The next setting configures how the

administrator password will be provided during installation. Then come display settings,

network settings, additional settings (time zone, telephony, etc.), printers and initial

logon. The second setting is how the administrator password is set on the client

computers during install. The three options are: prompt the user for an administrator

password, which provides the best security, use the following administrator

password, which allows for a completely unattended install with some security, and

when system first boots, automatically log on as administrator, which provides the

least security.

30. What option in Network Settings would you choose in the Windows 2000 Setup

Manager Wizard to automatically enable DHCP on the client computer?

*A. Typical Settings

B. Custom Settings

C. Networking Components

D. Number of Network Adapters

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. Within the answer file, networking settings

need to be configured. The Setup Wizard provides for typical settings, which installs

DHCP and the Client for Microsoft Networks, and custom settings, within which the

number of network adapters, settings for each, TCP/IP settings, additional services,

etc. can be specified.


31. What option in Network Settings would you choose in the Windows 2000 Setup

Manager Wizard to add IPX/SPX to the network adapter?

A. Typical Settings

B. Optional Settings

C. Number of Network Adapters

D. Networking Components

32. How is the default printer specified in the answer file that you create with the

Windows 2000 Setup Manager Wizard?

A. The default printer is specified during configuration by selection in the GUI.

B. The user selects the default printer during the remote installation.

C. The default printer is always the first printer listed in the printers specified during the

configuration process.

D. The default printer is the printer that is currently the default printer for the user.


31. What option in Network Settings would you choose in the Windows 2000 Setup

Manager Wizard to add IPX/SPX to the network adapter?

A. Typical Settings

B. Optional Settings

C. Number of Network Adapters

*D. Networking Components

Explanation: The Remote Installation Services Setup Wizard installs RIS. Once the

Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the

server, a CD-based image of Windows 2000 Professional is created and RIS services

are started. A standard answer file (Ristndrd.sif) is also created for use with the CD-

based image. Additional answer files can be created using a text editor or the

Windows 2000 Setup Manager Wizard. Within the answer file, networking settings

need to be configured. The Setup Wizard provides for typical settings, which installs

DHCP and the Client for Microsoft Networks, and custom settings, within which the

number of network adapters, settings for each, TCP/IP settings, additional services,

etc. can be specified.

32. How is the default printer specified in the answer file that you create with the

Windows 2000 Setup Manager Wizard?

A. The default printer is specified during configuration by selection in the GUI.

B. The user selects the default printer during the remote installation.

*C. The default printer is always the first printer listed in the printers specified

during the configuration process.

D. The default printer is the printer that is currently the default printer for the user.

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. The Install Printers

page allows the administrator to list shared printers, with the first listed printer

installed as the default. If you have configured administrator passwords as

Automatically Logon as Administrator, then the printers are added to the

administrator profile and will not be available to the user upon logon.


33. You have installed Windows 2000 Professional on all of the organization's

workstations using RIS, but now users are complaining that they have no printers

available on their desktop. What is the most likely cause of this problem?

A. In the RIS Setup Wizard you forgot to specify the installation of any printers for the

users.

B. The users probably forgot to log on to their workstations.

C. The RIS installation was configured to automatically log on as Administrator upon

completion of the setup.

D. The RIS installation did not complete properly.

34. What option in saving an answer file provides information about the purpose and

intended use of a RIS answer file?

A. Descriptive string

B. Help string

C. Answer File Name

D. Answer File Description


33. You have installed Windows 2000 Professional on all of the organization's

workstations using RIS, but now users are complaining that they have no printers

available on their desktop. What is the most likely cause of this problem?

A. In the RIS Setup Wizard you forgot to specify the installation of any printers for

the users.

B. The users probably forgot to log on to their workstations.

*C. The RIS installation was configured to automatically log on as Administrator

upon completion of the setup.

D. The RIS installation did not complete properly.

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. The Install Printers

page allows the administrator to list shared printers, with the first listed printer

installed as the default. If you have configured administrator passwords as

Automatically Logon as Administrator, then the printers are added to the

administrator profile and will not be available to the user upon logon.

34. What option in saving an answer file provides information about the purpose and

intended use of a RIS answer file?

A. Descriptive string

*B. Help string

C. Answer File Name

D. Answer File Description

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. Once completed, the

answer file should be saved in the same folder as the image, so that it will

automatically be available to all users. The file can also have a help string for

assistance in identifying the purpose of the file, and a description string to help

identify the file. Answer files are typically saved with a .sif extension.


35. You have created an answer file for use in a RIS installation; however, certain

settings were not available during the creation process. What can you use to further

modify the answer file?

A. RIS Setup Wizard

B. Setup Wizard Extensions

C. Notepad

D. Active Directory Users and Computers


35. You have created an answer file for use in a RIS installation; however, certain

settings were not available during the creation process. What can you use to further

modify the answer file?

A. RIS Setup Wizard

B. Setup Wizard Extensions

*C. Notepad

D. Active Directory Users and Computers

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. Once completed, the

answer file should be saved in the same folder as the image, so that it will

automatically be available to all users. The file can also have a help string for

assistance in identifying the purpose of the file, and a description string to help

identify the file. Answer files are typically saved with a .sif extension. Modification

of answer files can be accomplished using any text editor (Notepad, etc.).


36. You have created an answer file for an RIS installation and are attempting to

associate it with an image. You receive an error "The file you entered is not an

unattended setup information file (.sif) or the .sif is not portable to other images.

Only .sif files for CD-based images should be copied."

What have you done in the configuration process to cause this error?

A. You forgot to add an entry in the "Run Once" section.

B. You set the installation to "GUI Attended".

C. You neglected to save the answer file in the same directory with the image.

D. You neglected to edit the [OSChooser] portion of the answer file.


36. You have created an answer file for an RIS installation and are attempting to

associate it with an image. You receive an error "The file you entered is not an

unattended setup information file (.sif) or the .sif is not portable to other images.

Only .sif files for CD-based images should be copied."

What have you done in the configuration process to cause this error?

A. You forgot to add an entry in the "Run Once" section.

B. You set the installation to "GUI Attended".

C. You neglected to save the answer file in the same directory with the image.

*D. You neglected to edit the [OSChooser] portion of the answer file.

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. Once completed, the

answer file should be saved in the same folder as the image, so that it will

automatically be available to all users. The file can also have a help string for

assistance in identifying the purpose of the file, and a description string to help

identify the file. Answer files are typically saved with a .sif extension. Modification

of answer files can be accomplished using any text editor (Notepad, etc.). For an

answer file to be associated with a CD-based image, the administrator must edit the

[OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value

identifies this as a CD-based image answer file.


37. When configuring the [OSChooser] section of an answer file, what specification

indicates that the image being used is a CD-based image?

A. ImageType=Flat

B. ImageType=CD

C. Version=5.0

D. Version=CD


37. When configuring the [OSChooser] section of an answer file, what specification

indicates that the image being used is a CD-based image?

*A. ImageType=Flat

B. ImageType=CD

C. Version=5.0

D. Version=CD

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. Once completed, the

answer file should be saved in the same folder as the image, so that it will

automatically be available to all users. The file can also have a help string for

assistance in identifying the purpose of the file, and a description string to help

identify the file. Answer files are typically saved with a .sif extension. Modification

of answer files can be accomplished using any text editor (Notepad, etc.). For an

answer file to be associated with a CD-based image, the administrator must edit the

[OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value

identifies this as a CD-based image answer file.


38. In what utility can you associate an answer file with a CD-based image file?

A. RIS Setup Wizard

B. Setup Wizard Extensions

C. Active Directory Users and Computers

D. Notepad


38. In what utility can you associate an answer file with a CD-based image file?

A. RIS Setup Wizard

B. Setup Wizard Extensions

*C. Active Directory Users and Computers

D. Notepad

Explanation: Additional answer files can be created using a text editor or the Windows

2000 Setup Manager Wizard. The first setting in the answer file determines the level

of user interaction. The next setting configures how the administrator password will

be provided during installation. Then come display settings, network settings, additional

settings (time zone, telephony, etc.), printers and initial logon. Once completed, the

answer file should be saved in the same folder as the image, so that it will

automatically be available to all users. The file can also have a help string for

assistance in identifying the purpose of the file, and a description string to help

identify the file. Answer files are typically saved with a .sif extension. Modification

of answer files can be accomplished using any text editor (Notepad, etc). For an

answer file to be associated with a CD-based image, the administrator must edit the

[OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value

identifies this as a CD-based image answer file. Lastly, in Active Directory Users

and Computers, the RIS server properties are modified to reflect the association of

the answer file to the appropriate image.


39. What do you need to do as an administrator to make images available to users for

unattended installations?

A. You need to give the users permissions to the appropriate image folder.

B. You need to place the images in the PUBLIC folder on the RIS server.

C. Nothing, since they are available to all users by default.

D. You need to specify the users who may access an image file during the creation of the

answer file.


39. What do you need to do as an administrator to make images available to users for

unattended installations?

A. You need to give the users permissions to the appropriate image folder.

B. You need to place the images in the PUBLIC folder on the RIS server.

*C. Nothing, since they are available to all users by default.

D. You need to specify the users who may access an image file during the creation of the answer file.

Explanation: Additional answer files can be created using a text editor or the Windows 2000 Setup Manager Wizard. Answer files are typically saved with a .sif extension. Modification of answer files can be accomplished using any text editor (Notepad, etc.). For an answer file to be associated with a CD-based image, the administrator must edit the [OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value identifies this as a CD-based image answer file. Lastly, in Active Directory Users and Computers, the RIS server properties are modified to reflect the association of the answer file to the appropriate image. All images are available to all users by default, but administrators can restrict this by setting NTFS permissions. Users only need the Read and the Read and Execute permissions to install images. Microsoft suggests that you create or use existing Security groups and permit the appropriate Security group to install using the appropriate images.


40. What would you do to restrict the access of users to certain images for unattended

installation using RIS?

A. Group the users into Security groups and grant only the Security groups permissions

to the image folders.

B. Group the users into Security groups and grant only the Security groups permissions to

the answer file folders.

C. Group the users into Security groups and grant only the Security groups permissions to

the RIS server.

D. Nothing, since the users are restricted to only the images you have specifically granted

them permissions to in the first place.


40. What would you do to restrict the access of users to certain images for unattended

installation using RIS?

A. Group the users into Security groups and grant only the Security groups permissions to the image folders.

*B. Group the users into Security groups and grant only the Security groups permissions to the answer file folders.

C. Group the users into Security groups and grant only the Security groups permissions to the RIS server.

D. Nothing, since the users are restricted to only the images you have specifically granted them permissions to in the first place.

Explanation: Additional answer files can be created using a text editor or the Windows 2000 Setup Manager Wizard. Answer files are typically saved with a .sif extension. Modification of answer files can be accomplished using any text editor (Notepad, etc.). For an answer file to be associated with a CD-based image, the administrator must edit the [OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value identifies this as a CD-based image answer file. Lastly, in Active Directory Users and Computers, the RIS server properties are modified to reflect the association of the answer file to the appropriate image. All images are available to all users by default, but administrators can restrict this by setting NTFS permissions. Users only need the Read and the Read and Execute permissions to install images. Microsoft suggests that you create or use existing Security groups and permit the appropriate Security group to install using the appropriate images.


41. What utility would you use to restrict users' access to only certain images for RIS installs?

A. RIS Setup Wizard

B. Active Directory Users and Computers

C. Windows Explorer

D. Notepad

42. Before you can create a RIPrep image on an RIS server, what must be available on

the server?

A. DNS

B. DHCP

C. CD-based image

D. Windows Explorer


41. What utility would you use to restrict users' access to only certain images for RIS installs?

A. RIS Setup Wizard

B. Active Directory Users and Computers

*C. Windows Explorer

D. Notepad

Explanation: Additional answer files can be created using a text editor or the Windows 2000 Setup Manager Wizard. Answer files are typically saved with a .sif extension. Modification of answer files can be accomplished using any text editor (Notepad, etc.). For an answer file to be associated with a CD-based image, the administrator must edit the [OSChooser] portion, adding ImageType=Flat and Version="5.0". The Flat value identifies this as a CD-based image answer file. Lastly, in Active Directory Users and Computers, the RIS server properties are modified to reflect the association of the answer file to the appropriate image. All images are available to all users by default, but administrators can restrict this by setting NTFS permissions. Users only need the Read and the Read and Execute permissions to install images. Microsoft suggests that you create or use existing Security groups and permit the appropriate Security group to install using the appropriate images. Of the choices, only Windows Explorer will allow access to the NTFS permissions tab of a folder.

42. Before you can create a RIPrep image on an RIS server, what must be available on

the server?

A. DNS

B. DHCP

*C. CD-based image

D. Windows Explorer

Explanation: RIS is installed by the Remote Installation Services Setup Wizard, which can be invoked by typing risetup in Start-Run or by using the Windows Components Setup program in Add/Remove Programs, or it can be installed during the initial install of Windows 2000 on the server. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images.


43. What utility is used to create RIPrep images for remote installation of Windows

2000?

A. RIS Setup Wizard

B. Windows 2000 Setup Manager Wizard

C. Remote Installation Preparation Wizard

D. Active Directory Setup Wizard

44. After you have created a RIPrep image and saved it to an RIS server, what utility can

be used to modify the image?

A. Remote Installation Preparation Wizard

B. RIS Setup Wizard

C. Nothing, you must create a new image.

D. Windows 2000 Setup Manager Wizard


43. What utility is used to create RIPrep images for remote installation of Windows

2000?

A. RIS Setup Wizard

B. Windows 2000 Setup Manager Wizard

*C. Remote Installation Preparation Wizard

D. Active Directory Setup Wizard

Explanation: RIS is installed by the Remote Installation Services Setup Wizard, which can be invoked by typing risetup in Start-Run or by using the Windows Components Setup program in Add/Remove Programs, or it can be installed during the initial install of Windows 2000 on the server. Once the Wizard runs, a RIS folder structure is created, supporting RIS files are copied to the server, a CD-based image of Windows 2000 Professional is created and RIS services are started. While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images.

44. After you have created a RIPrep image and saved it to an RIS server, what utility can

be used to modify the image?

A. Remote Installation Preparation Wizard

B. RIS Setup Wizard

*C. Nothing, you must create a new image.

D. Windows 2000 Setup Manager Wizard

Explanation: While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images. These images are similar to the "ghost"-like third-party images from other vendor solutions, and cannot be altered. Any changes would require the creation of a new RIPrep image.


45. What must you do to ensure that the changes you have made in creating a RIPrep

image are available to all users?

A. Nothing, since the image is available to all users by default.

B. You must copy the Administrator profile to the Default User profile on the configured

computer.

C. You must give the users the appropriate permissions to the RIPrep image folder.

D. You must specify the users who can access the RIPrep image during the configuration

with the Remote Installation Preparation Wizard.

46. What are three tasks performed by the Remote Installation Preparation Wizard?

(Choose 3)

A. The RIP Wizard removes all settings unique to the configured computer, returning it

to a "generic" state.

B. The RIP Wizard removes HKEY_LOCAL_MACHINE in preparation for installation

on disparate computers.

C. The RIP Wizard creates the RIPrep image on the specified RIS server.

D. The RIP Wizard creates an answer file and can automatically associate it with the appropriate RIPrep image.

E. The RIP Wizard removes all profiles from the configured computer.


45. What must you do to ensure that the changes you have made in creating a RIPrep

image are available to all users?

A. Nothing, since the image is available to all users by default.

*B. You must copy the Administrator profile to the Default User profile on the configured computer.

C. You must give the users the appropriate permissions to the RIPrep image folder.

D. You must specify the users who can access the RIPrep image during the configuration with the Remote Installation Preparation Wizard.

Explanation: While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images. These images are similar to the "ghost"-like third-party images from other vendor solutions, and cannot be altered. Any changes would require the creation of a new RIPrep image. Once the image has been created, you then copy the administrator profile on the source computer to the default user profile, so that all of the customized settings will be available to the user once they log on.

46. What are three tasks performed by the Remote Installation Preparation Wizard?

(Choose 3)

*A. The RIP Wizard removes all settings unique to the configured computer, returning it to a "generic" state.

B. The RIP Wizard removes HKEY_LOCAL_MACHINE in preparation for installation on disparate computers.

*C. The RIP Wizard creates the RIPrep image on the specified RIS server.

*D. The RIP Wizard creates an answer file and can automatically associate it with the appropriate RIPrep image.

E. The RIP Wizard removes all profiles from the configured computer.

Explanation: While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images. Running the Wizard removes all unique settings in the source computer, returning it to a "generic" state, creates the RIPrep image, creates an answer file and associates the answer file with the image.


47. What are two ways to maintain the same RIPrep image on multiple RIS servers?

(Choose 2)

A. During the running of the Remote Installation Preparation Wizard, you can specify the

RIS servers that will maintain copies of the image.

B. You can manually copy the image to the appropriate RIS servers.

C. You can use Microsoft SMS to manage the replication of images between multiple

RIS servers.

D. You can use Active Directory Users and Computers to specify the link between RIS

servers and RIPrep images.

48. What are two characteristics of a CD-based image for remote installation? (Choose 2)

A. It can contain only the operating system.

B. It can contain the operating system and applications.

C. It performs a full over-the-network setup.

D. It copies only the necessary files and registry keys.

E. You can only deploy it to computers with the same HAL as the source computer.


47. What are two ways to maintain the same RIPrep image on multiple RIS servers?

(Choose 2)

A. During the running of the Remote Installation Preparation Wizard, you can specify the RIS servers that will maintain copies of the image.

*B. You can manually copy the image to the appropriate RIS servers.

*C. You can use Microsoft SMS to manage the replication of images between multiple RIS servers.

D. You can use Active Directory Users and Computers to specify the link between RIS servers and RIPrep images.

Explanation: While the CD-based image is appropriate for installing Windows 2000, if the administrator wants to install applications with the operating system, or wants a faster installation of the operating system, then creation of a RIPrep image is called for. The RIPrep image will be created on the RIS server, and requires a CD-based image to begin. The Remote Installation Preparation Wizard is used to create RIPrep images. Running the Wizard removes all unique settings in the source computer, returning it to a "generic" state, creates the RIPrep image, creates an answer file and associates the answer file with the image. The same image can be copied to other RIS servers to load balance the installation process or provide fault tolerance. Systems Management Server (SMS) can also be used to replicate the images to multiple RIS servers.

48. What are two characteristics of a CD-based image for remote installation? (Choose 2)

*A. It can contain only the operating system.

B. It can contain the operating system and applications.

*C. It performs a full over-the-network setup.

D. It copies only the necessary files and registry keys.

E. You can only deploy it to computers with the same HAL as the source computer.

Explanation: CD-based images can only contain the operating system, are based on default settings which can be further customized with an answer file, can be deployed on any computer with a supported HAL (Hardware Abstraction Layer) and are created automatically when RIS is installed. RIPrep images can contain the operating system and applications, are based on a pre-configured source computer which requires further customization to be done after the install, must be manually created with the Remote Installation Preparation Wizard, can only be deployed on computers with the same HAL and install faster since they only copy files and registry keys necessary to the client computer.


49. What are three characteristics of a RIPrep image for remote installation? (Choose 3)

A. It can contain only the operating system.

B. It can contain the operating system and applications.

C. It performs a full over-the-network setup.

D. It copies only the necessary files and registry keys.

E. You can only deploy it to computers with the same HAL as the source computer.

50. What are two advantages of RIPrep images over CD-based images for remote

installations? (Choose 2)

A. RIPrep images are easier to create than CD-based images.

B. RIPrep images install Windows 2000 faster than do CD-based images.

C. RIPrep images are automatically available to all users for remote installation, while

CD-based are not.

D. RIPrep images allow for the installation of operating system and applications, while

CD-based images only support the installation of the operating system.


49. What are three characteristics of a RIPrep image for remote installation? (Choose 3)

A. It can contain only the operating system.

*B. It can contain the operating system and applications.

C. It performs a full over-the-network setup.

*D. It copies only the necessary files and registry keys.

*E. You can only deploy it to computers with the same HAL as the source computer.

Explanation: CD-based images can only contain the operating system, are based on default settings which can be further customized with an answer file, can be deployed on any computer with a supported HAL (Hardware Abstraction Layer) and are created automatically when RIS is installed. RIPrep images can contain the operating system and applications, are based on a pre-configured source computer which requires further customization to be done after the install, must be manually created with the Remote Installation Preparation Wizard, can only be deployed on computers with the same HAL and install faster since they only copy files and registry keys necessary to the client computer.

50. What are two advantages of RIPrep images over CD-based images for remote

installations? (Choose 2)

A. RIPrep images are easier to create than CD-based images.

*B. RIPrep images install Windows 2000 faster than do CD-based images.

C. RIPrep images are automatically available to all users for remote installation, while CD-based are not.

*D. RIPrep images allow for the installation of operating system and applications, while CD-based images only support the installation of the operating system.

Explanation: CD-based images can only contain the operating system, are based on default settings which can be further customized with an answer file, can be deployed on any computer with a supported HAL (Hardware Abstraction Layer) and are created automatically when RIS is installed. RIPrep images can contain the operating system and applications, are based on a pre-configured source computer which requires further customization to be done after the install, must be manually created with the Remote Installation Preparation Wizard, can only be deployed on computers with the same HAL and install faster since they only copy files and registry keys necessary to the client computer.


Introduction

Terminology knowledge is the exam taker's best friend. There are a lot of different terms and acronyms that you will be presented with on the real examination.

We have presented the terminology in a fill-in-the-blank style so you may know which terms or acronyms you really need to know.

It must be assumed that you have a certain amount of Active Directory experience. If you find this chapter difficult, you may find it necessary to supplement this material with our other books like ExamInsight For 70-217 or InsideScoop to 70-217 with CD.


Chapter 7: Terminology Questions

1. What is an adaptation of the Ethernet standard that uses thin coaxial cable and

provides data transfer rates of up to 10 Mbps.

A.

2. What is the original Ethernet standard that uses thick coaxial cable and provides

data transfer rates of up to 10 Mbps.

A.


1. What is an adaptation of the Ethernet standard that uses thin coaxial cable and

provides data transfer rates of up to 10 Mbps.

*A. 10Base-2

Explanation: The maximum effective distance for 10Base-2 is 185 meters. 10Base-2 is also known as thinnet.

2. What is the original Ethernet standard that uses thick coaxial cable and provides

data transfer rates of up to 10 Mbps.

*A. 10Base-5

Explanation: The maximum effective distance for 10Base-5 is 500 meters. 10Base-5 is also known as thicknet.


3. What is an adaptation of the Ethernet standard that uses optical fiber cable and

provides data transfer rates of up to 10 Mbps.

A.

4. What is an adaptation of the Ethernet standard that runs over unshielded twisted-

pair wiring and provides data transfer rates of 10 Mbps.

A.


3. What is an adaptation of the Ethernet standard that uses optical fiber cable and

provides data transfer rates of up to 10 Mbps.

*A. 10Base-F

Explanation: 10Base-F can transmit data over very long distances with little loss of data integrity.

4. What is an adaptation of the Ethernet standard that runs over unshielded twisted-

pair wiring and provides data transfer rates of 10 Mbps.

*A. 10Base-T

Explanation:


5. What is an emerging high-speed network standard that will use high-capacity

cabling to provide data transfer rates up to 10,000 Mbps.

A.

6. What is a high-speed network standard, based on Ethernet, that provides data

transfer rates as high as 100 Mbps.

A.


5. What is an emerging high-speed network standard that will use high-capacity

cabling to provide data transfer rates up to 10,000 Mbps.

*A. 10 Gigabit Ethernet

Explanation:

6. What is a high-speed network standard, based on Ethernet, that provides data

transfer rates as high as 100 Mbps.

*A. 100Base-T

Explanation: Sometimes called Fast Ethernet.


7. What is an emerging high-speed network standard, based on Ethernet, that

provides data transfer rates as high as 1000 Mbps.

A.

8. What describes the number of bits used by an operating system to perform an

operation. The term also describes the microprocessor on which the operating

system runs.

A.


7. What is an emerging high-speed network standard, based on Ethernet, that

provides data transfer rates as high as 1000 Mbps.

*A. 1000Base-T

Explanation: Sometimes called Gigabit Ethernet.

8. What describes the number of bits used by an operating system to perform an

operation. The term also describes the microprocessor on which the operating

system runs.

*A. 32-bit

Explanation:


9. When logging on to a computer or network what is the term used for managing

permissions?

A.

10. ACE is the acronym for ______ ?

A.


9. When logging on to a computer or network what is the term used for managing

permissions?

*A. access control

Explanation: Access control is the management of permissions for logging on or accessing a computer or network.

10. ACE is the acronym for ______ ?

*A. access control entry

Explanation: ACE is the acronym for access control entry.


11. What object contains a security identifier (SID), which identifies the principal

user and/or group to which it applies?

A.

12. What kind of list is a set of data associated with a file, directory, or other

resource that defines the permissions that users and/or groups have for accessing

it?

A.


11. What object contains a security identifier (SID), which identifies the principal

user and/or group to which it applies?

*A. access control entry

Explanation: Each ACE contains a security identifier, which identifies the principal user and/or group to whom the ACE applies. It also contains information on what type of access the ACE grants or denies.

12. What kind of list is a set of data associated with a file, directory, or other

resource that defines the permissions that users and/or groups have for accessing

it?

*A. access control list

Explanation: An access control list is a set of data associated with a file, directory, or other resource that defines the permissions that users and/or groups have for accessing it. In the Active Directory™ service, an ACL is a list of access control entries stored with the object it protects. In the Windows NT operating system, an ACL is stored as a binary value, called a security descriptor.


13. ACL is the acronym for ______ ?

A.

14. What is the name of the structure supported by Windows 2000 that lets any

object on a network be tracked and located, and provides the foundation for

Windows 2000 distributed networks?

A.


13. ACL is the acronym for ______ ?

*A. access control list

Explanation: ACL is the acronym for access control list.

14. What is the name of the structure supported by Windows 2000 that lets any

object on a network be tracked and located, and provides the foundation for

Windows 2000 distributed networks?

*A. Active Directory

Explanation: Active Directory is the structure supported by Windows 2000 that lets any object on a network be tracked and located. It is the directory service used in Windows 2000 Server and provides the foundation for Windows 2000 distributed networks.


15. What is a client-side product based on the Component Object Model that defines

a directory service model and a set of COM interfaces?

A.

16. ADSI is the acronym for ______ ?

A.


15. What is a client-side product based on the Component Object Model that defines

a directory service model and a set of COM interfaces?

*A. Active Directory Service Interfaces

Explanation: Active Directory Service Interfaces is a client-side product based on the Component Object Model. ADSI defines a directory service model and a set of COM interfaces that enable Windows NT and Windows 95 client applications to access several network directory services, including Active Directory. ADSI allows applications to communicate with Active Directory.

ADSI provides the means for directory service clients to use one set of interfaces to communicate with any namespace that provides an ADSI implementation. ADSI clients gain simpler access to namespace services by using ADSI in place of the network-specific application programming interface calls. ADSI conforms to and supports standard COM features. ADSI also defines interfaces and objects accessible from automation-compliant languages such as Java, Visual Basic, and Visual Basic Scripting Edition, as well as from non-automation-compliant languages such as C and C++, which enhance performance. In addition, ADSI supplies its own OLE database provider, and so fully supports any clients already using an OLE database, including those using ActiveX technologies.

16. ADSI is the acronym for ______ ?

*A. Active Directory Service Interface Explanation:

17. What do you call a single property of an object?

*A. attribute

Explanation: An attribute is a single property of an object. An object is described by the values of its attributes. The term attribute is often used interchangeably with property. Attributes are also data items used to describe the objects that are represented by the classes defined in the schema. Attributes are defined in the schema separately from the classes. This allows a single attribute definition to be applied to many classes.

18. What process verifies the identity of a user who is logging on to a computer system, or verifies the integrity of a transmitted message?

*A. authentication

Explanation: Authentication verifies the identity of a user who is logging on to a computer system, or verifies the integrity of a transmitted message.

19. API is the acronym for what?

*A. application programming interface

Explanation: API is the acronym for application programming interface.

20. In a Windows NT Server 4.0 or earlier domain, what is the title given to a computer running Windows NT Server that receives a copy of the domain's directory database, and synchronizes periodically and automatically with the master copy?

*A. backup domain controller

Explanation: In a Windows NT Server 4.0 or earlier domain, a backup domain controller is a computer running Windows NT Server that receives a copy of the domain's directory database, which contains all account and security policy information for the domain. The copy is synchronized periodically and automatically with the master copy on the primary domain controller. Backup domain controllers also authenticate user logons and can be promoted to function as PDCs as needed. Multiple backup domain controllers can exist on a domain.

In a Windows 2000 domain, backup domain controllers are not required; all domain controllers are peers, and all can perform maintenance on the directory. Windows NT 4.0 and Windows NT 3.51 backup domain controllers can participate in a Windows 2000 domain when it is running in mixed mode.

21. What name is given to a special type of Active Directory object that has attributes and is part of the Active Directory namespace but does not usually represent something concrete?

*A. container

Explanation: A container is a special type of Active Directory object. A container is like other directory objects in that it has attributes and is part of the Active Directory namespace. However, unlike other objects, it does not usually represent something concrete. It is the container for a group of objects and other containers.

22. What architectural layer of Active Directory isolates the upper layers of the directory service from the underlying database system by exposing application programming interfaces to the Directory System Agent layer so that no calls are made directly to the Extensible Storage Engine?

*A. database layer

Explanation: A database layer is an architectural layer of Active Directory that isolates the upper layers of the directory service from the underlying database system by exposing application programming interfaces to the Directory System Agent layer so that no calls are made directly to the Extensible Storage Engine.

23. What allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups?

*A. delegation

Explanation: Delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups. This eliminates the need for domain administrators with sweeping authority over large segments of the user population. Access control entries can grant specific administrative rights on the objects in a container to a user or group. Rights are granted for specific operations on specific object classes via ACEs in the container's Access Control List.

24. What hierarchical structure stores information about objects on the network?

*A. directory

Explanation: A directory is a hierarchical structure that stores information about objects on the network.

25. What kind of service provides the methods for storing directory data and making this data available to network users and administrators?

*A. directory service

Explanation: A directory service, such as Active Directory, provides the methods for storing directory data and making this data available to network users and administrators.

26. What would you call the management of network elements such as routers, applications, and users from a central repository of information about users, applications, and network resources?

*A. directory-enabled networking

Explanation: Directory-enabled networking is the management of network elements such as routers, applications, and users from a central repository of information about users, applications, and network resources.

27. What contiguous subtree of the directory forms a unit of replication?

*A. directory partition

Explanation: A directory partition is a contiguous subtree of the directory that forms a unit of replication. A given replica is always a replica of some directory partition. Active Directory is made up of one or more directory partitions.

28. What kind of name identifies the domain that holds the object as well as the complete path through the container hierarchy by which the object is reached?

*A. distinguished name

Explanation: A distinguished name identifies the domain that holds the object as well as the complete path through the container hierarchy by which the object is reached. Every object in Active Directory has a unique distinguished name.

29. DNS is the acronym for ______ ?

*A. Domain Name System

Explanation: DNS is the acronym for Domain Name System.

30. What term describes a single security boundary of a Windows NT based computer network?

*A. domain

Explanation: A domain is a single security boundary of a Windows NT-based computer network. Active Directory is made up of one or more domains. On a standalone workstation, the domain is the computer itself. A domain can span more than one physical location. Every domain has its own security policies and security relationships with other domains. When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a domain tree. Multiple domain trees can be connected together to create a forest.

31. What kind of system is a Windows NT-based server holding an Active Directory partition?

*A. domain controller

Explanation: A domain controller is a Windows NT-based server holding an Active Directory partition.

32. What can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain?

*A. domain local group

Explanation: A domain local group can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain. A domain local group can only be used on ACLs in its own domain.

33. What hierarchical distributed database is used for name/address translation and client-server connections?

*A. Domain Name System

Explanation: A Domain Name System (DNS) is a hierarchical distributed database used for name/address translation and client-server connections. Domain Name System is the namespace used on the Internet to translate computer and service names into TCP/IP addresses. Active Directory uses DNS as its location service, and so clients find domain controllers via DNS queries.

34. DSA is the acronym for what?

*A. Directory System Agent

Explanation: DSA is the acronym for Directory System Agent.

35. ESE is the acronym for what?

*A. Extensible Storage Engine

Explanation: ESE is the acronym for Extensible Storage Engine.

36. What engine is the Active Directory database engine?

*A. Extensible Storage Engine

Explanation: The Extensible Storage Engine is the Active Directory database engine. ESE (Esent.dll) is an improved version of the Jet database that is used in Microsoft Exchange Server versions 4.x and 5.5. It implements a transacted database system, which means that it uses log files to ensure that committed transactions are safe.

37. What name is given to a group of one or more Active Directory trees that trust each other?

*A. forest

Explanation: A group of one or more Active Directory trees that trust each other constitutes a forest. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bi-directional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of trust.

38. What contains a partial replica of every Windows 2000 domain in the directory?

*A. global catalog

Explanation: The global catalog contains a partial replica of every Windows 2000 domain in the directory. The GC lets users and applications find objects in an Active Directory domain tree given one or more attributes of the target object. It also contains the schema and configuration of directory partitions. The GC allows users to find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise. The global catalog is built automatically by the Active Directory replication system.

39. GC is the acronym for ______ ?

*A. global catalog

Explanation: GC is the acronym for global catalog.

40. What kind of server is a Windows 2000 domain controller that holds a copy of the global catalog for the forest?

*A. global catalog server

Explanation: A global catalog server is a Windows 2000 domain controller that holds a copy of the global catalog for the forest. See also global catalog.

41. This kind of group can appear on ACLs anywhere in the forest and may contain users and other global groups from its own domain.

*A. global group

Explanation: A global group can appear on ACLs anywhere in the forest and may contain users and other global groups from its own domain.

42. What entity can users be assigned to for organization and security reasons?

*A. group

Explanation: Users can be assigned to a group for organization and security reasons.

43. What term refers to applying policy to groups of computers and/or users contained within Active Directory containers?

*A. Group Policy

Explanation: Group Policy refers to applying policy to groups of computers and/or users contained within Active Directory containers. The type of policy includes not only the registry-based policy found in Windows NT Server 4.0; Directory Services also enables it to store many types of policy data.

44. What is a virtual collection of policies, given a unique name, called?

*A. Group Policy object

Explanation: A Group Policy object is a virtual collection of policies. It is given a unique name, such as a globally unique identifier (GUID). GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects). The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located on the system volume folder of the domain controller.

45. GPO is the acronym for ______ ?

*A. Group Policy object

Explanation: GPO is the acronym for Group Policy object.

46. What kind of namespace, such as the DNS namespace and the Active Directory namespace, is hierarchically structured and provides rules that allow the namespace to be partitioned?

*A. hierarchical namespace

Explanation: A hierarchical namespace is a namespace, such as the DNS namespace and the Active Directory namespace, which is hierarchically structured and provides rules that allow the namespace to be partitioned.

47. This is the domain controller assigned to update group-to-user references whenever group memberships are changed, and to replicate these changes to any other domain controllers in the domain.

*A. infrastructure master

Explanation: The domain controller assigned to update group-to-user references whenever group memberships are changed is the infrastructure master. It also replicates these changes to any other domain controllers in the domain. At any time, there can be only one infrastructure master in a particular domain.

48. A physical location on a hard disk that points to data located at another location on your hard disk or another storage device can be called a ________ point.

*A. junction

Explanation: A junction point is a physical location on a hard disk that points to data located at another location on your hard disk or another storage device.

49. This security system, which is the primary authentication mechanism in the Windows 2000 operating system, authenticates users establishing an identity at logon, which is used throughout the session, but doesn't provide authorization to services or databases.

*A. Kerberos

Explanation: Kerberos is a security system that authenticates users. Kerberos doesn't provide authorization to services or databases; it establishes identity at logon, which is used throughout the session. The Kerberos protocol is the primary authentication mechanism in the Windows 2000 operating system.

50. What built-in service runs on all domain controllers and automatically establishes connections between individual machines in the same site?

*A. Knowledge Consistency Checker

Explanation: Knowledge Consistency Checker is a built-in service that runs on all domain controllers and automatically establishes connections between individual machines in the same site. These are known as Windows 2000 Directory Service connection objects. An administrator may establish additional connection objects or remove connection objects. At any point, however, where replication within a site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as necessary to resume Active Directory replication.

51. This protocol, which is currently being implemented in Web browsers and e-mail programs, is a protocol used to access a directory service.

*A. Lightweight Directory Access Protocol

Explanation: The Lightweight Directory Access Protocol is a protocol used to access a directory service. LDAP support is currently being implemented in Web browsers and e-mail programs, which can query an LDAP-compliant directory. LDAP is a simplified version of the Directory Access Protocol (DAP), which is used to gain access to X.500 directories. It is easier to code the query in LDAP than in DAP, but LDAP is less comprehensive. For example, DAP can initiate searches on other servers if an address is not found, while LDAP cannot in its initial specification. Lightweight Directory Access Protocol is the primary access protocol for Active Directory.

52. Which mode allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain?

*A. mixed mode

Explanation: Mixed mode allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

53. What feature of Active Directory provides and maintains copies of the directory across multiple servers in a domain?

*A. multi-master replication

Explanation: Multi-master replication is a feature of Active Directory that provides and maintains copies of the directory across multiple servers in a domain. Since all replicas of a given directory partition are writeable, updates can be applied to any replica of a given partition. The Active Directory replication system propagates the changes from a given replica to all other replicas. Replication is automatic and transparent.

Active Directory multi-master replication propagates every object created on any domain controller to each of the other participating domain controllers. If one domain controller in a domain slows or fails, other domain controllers in the same domain can provide the necessary directory access because they contain the same directory data.

54. When all the domain controllers in a given domain are running Windows 2000 Server, what mode is used?

*A. native mode

Explanation: Native mode is used when all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership. Compare mixed mode.

55. A name or group of names that are defined according to some naming convention is a ___________.

*A. namespace

Explanation: A namespace is a name or group of names that are defined according to some naming convention; any bounded area in which a given name can be resolved. Active Directory is primarily a namespace, as is any directory service. A telephone directory is also a namespace. The Internet uses a hierarchical namespace that partitions names into categories known as top-level domains such as .com, .edu, and .gov, which are at the top of the hierarchy.

56. The process of translating a name into an object or the information that the name represents is called what?

*A. name resolution

Explanation: Name resolution is the process of translating a name into some object or information that the name represents. A telephone book forms a namespace in which the names of telephone subscribers can be resolved into telephone numbers. The Windows NTFS file system forms a namespace in which the name of a file can be resolved into the file itself. Similarly, Active Directory forms a namespace in which the name of an object in the directory can be resolved into the object itself.

57. What term is given to a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application?

*A. object

Explanation: An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. The attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user's given name, surname, and e-mail address.

58. What number, issued by issuing authorities, identifies an object class or attribute in a directory service and forms a hierarchy?

*A. object identifier

Explanation: An object identifier is a number identifying an object class or attribute in a directory service. Object identifiers are issued by issuing authorities and form a hierarchy. An object identifier is represented as a dotted decimal string. Enterprises can obtain a root object identifier from an issuing authority and use it to allocate additional object identifiers.

Most countries in the world have an identified national registration authority (NRA) responsible for issuing object identifiers to enterprises. In the United States, the national registration authority is the American National Standards Institute (ANSI). An enterprise can register a name for the object identifier as well. There is a fee associated with both root object identifiers and registered names. For details, contact the NRA for your country. The International Standards Organization recognizes NRAs and maintains a list of contacts on the ISO Web site.


59. What Active Directory administrative partition is a container object that can contain users, groups, and resources?

*A. organizational unit

Explanation: An organizational unit is a container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other OUs. Organizational Units enable the delegation of administration to distinct subtrees of the directory.

60. OU is the acronym for ______ ?

*A. organizational unit

Explanation: OU is the acronym for organizational unit.


61. What two-way, transitive trust relationship is established when you add a domain to an Active Directory tree?

*A. parent-child trust relationship

Explanation: A parent-child trust relationship is the two-way, transitive trust relationship that is established when you add a domain to an Active Directory tree. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new child domain) and the parent domain.

62. A complete unit of replication within the store is a __________.

*A. partition

Explanation: A partition is a complete unit of replication within the store.


63. PDC is the acronym for ______ ?

*A. primary domain controller

Explanation: PDC is the acronym for primary domain controller.

64. PKI is the acronym for ______ ?

*A. public key infrastructure

Explanation: PKI is the acronym for public key infrastructure.


65. The set of rules that govern the interaction between a subject and an object forms a ________.

*A. policy

Explanation: A policy is the set of rules that govern the interaction between a subject and an object.

66. The software that executes at decision points to perform policy selection, to evaluate conditions, and determine what actions must be performed is known as what?

*A. policy engine

Explanation: A policy engine is software that executes at decision points to perform policy selection, to evaluate conditions, and determine what actions must be performed. The concept of the policy engine is quite diffuse; policy engine functionality will often be spread through many parts of the distributed system.


67. In a Windows NT Server 4.0 or earlier domain, what special name is given to the computer running Windows NT Server that authenticates domain logons and maintains the directory database for a domain?

*A. primary domain controller

Explanation: In a Windows NT Server 4.0 or earlier domain, the primary domain controller is the computer running Windows NT Server that authenticates domain logons and maintains the directory database for a domain. The primary domain controller tracks changes made to accounts of all computers on a domain. It is the only computer to receive these changes directly. A domain has only one primary domain controller. In Windows 2000, one of the domain controllers in each domain is identified as the primary domain controller for compatibility with down level clients and servers. See domain controller, backup domain controller.

68. What collection of information is selected and applied to the interaction between a subject and an object by an action that is the outcome of evaluation of policy conditions?

*A. profile

Explanation: A profile is a collection of information selected and applied to the interaction between a subject and an object by an action that is the outcome of evaluation of policy conditions. The content of a profile is specific to the subjects and objects in question. Profiles can further simplify administration by reducing the total number of policies.


69. What is a policy for establishing a secure method for exchanging information within an organization, an industry, or a nation?

*A. public key infrastructure

Explanation: Public key infrastructure is a policy for establishing a secure method for exchanging information within an organization, an industry, or a nation. PKI is also an integrated set of services and administrative tools for creating, deploying, and managing public-key-based applications. It includes the cryptographic methods, the use of digital certificates and certificate authorities, and the system for managing the process.

70. This is the amount of disk space available to a user.

*A. quota limit

Explanation: The amount of disk space available to a user is known as the quota limit.


71. When using the Naming structure, what part of the name for an object is an attribute of the object itself?

*A. relative distinguished name

Explanation: Relative distinguished name is the part of the name of an object that is an attribute of the object itself. The attribute that provides the RDN for an object is referred to as the naming attribute.

72. This function keeps distributed databases synchronized by routinely copying the entire database or subsets of the database to other servers in the network.

*A. replication

Explanation: In database management, replication keeps distributed databases synchronized by routinely copying the entire database or subsets of the database to other servers in the network. There are several methods of replication, including primary site replication, shared or transferred ownership replication, symmetric replication (also known as update-anywhere or peer-to-peer replication), and failover replication.


73. The definition of an entire database is known as what?

*A. schema

Explanation: Schema is the definition of an entire database; the universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object base.

74. The domain controller assigned to control all updates to the schema within a forest is known as what?

*A. schema master

Explanation: The schema master is the domain controller assigned to control all updates to the schema within a forest. At any time, there can be only one schema master in the forest.


75. SID is the acronym for ______ ?

*A. security identifier

Explanation: SID is the acronym for security identifier.

76. What term is given to operations that are not permitted to occur at different places in the network at the same time?

*A. single-master operations

Explanation: Single-master operations are Active Directory operations that are single-master, that is, not permitted to occur at different places in the network at the same time. Examples of these operations include:

Primary domain controller (PDC) election

Certain infrastructure changes

Relative identifier (RID) allocation

Schema modification


77. A ________ is defined as one or more well connected TCP/IP subnets.

*A. site

Explanation: A site is a location in a network holding Active Directory servers. A site is defined as one or more well connected TCP/IP subnets. Well-connected means that network connectivity is highly reliable and fast (LAN speeds, 10 MM bits-per-second or greater).

Sites play a major role in the Active Directory replication service, which differentiates between replication using a local network connection (intra-site replication) and replication over a slower wide area network (WAN) link (inter-site replication). Administrators use the Active Directory Sites and Services Manager snap-in to administer replication topology for both intra- and inter-site replication.

78. The physical storage for each Active Directory replica is known as what?

*A. store

Explanation: A store is the physical storage for each Active Directory replica. When an object is stored in Active Directory, the system will select a copy of the store and write the object there. The replication system will replicate the object on all other replicas. The store is implemented using the Extensible Storage Engine.


79. This is the trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or that can exist between forests.

*A. transitive trust

Explanation: A transitive trust is the trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or that can exist between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. Transitive trusts are always two-way relationships. This series of trusts, between parent and child domains in a domain tree and between root domains of domain trees in a forest, allows all domains in a forest to trust each other for the purposes of authentication.

80. A ________ is a set of Windows NT domains connected together through transitive, bi-directional trust, sharing a common schema, configuration, and global catalog.

*A. tree

Explanation: A set of Windows NT domains connected together through transitive, bi-directional trust, is called a tree. The domains share a common schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace.


81. This simplest form of group can appear in ACLs anywhere in the forest.

*A. universal group

Explanation: A universal group is the simplest form of group. Universal groups can appear in ACLs anywhere in the forest, and can contain other universal groups, global groups, and users from anywhere in the forest. Small installations can use universal groups exclusively and not concern themselves with global and local groups.

82. What kind of container allows an LDAP-compliant directory to be accessed through Active Directory?

*A. virtual container

Explanation: Any LDAP-compliant directory can be accessed through Active Directory using a virtual container.


83. When answering this question, keep in mind that your particular needs will determine the precise meaning of this term.

What describes a network that has sufficient connectivity to make Active Directory useful to clients on your network?

*A. well-connected

Explanation: Well-connected describes sufficient connectivity to make your network and Active Directory useful to clients on your network. The precise meaning of the term is determined by your particular needs.

84. Which Standard developed by the International Standards Organization (ISO) became the standard for defining a distributed directory service?

*A. X.500

Explanation: The X.500 standard was developed by the International Standards Organization (ISO), and became the standard for defining a distributed directory service.


85. What protocol is an improvement on the XMODEM protocol?

*A. Ymodem

Explanation: Ymodem is a variation of the Xmodem file transfer protocol that includes the following enhancements: the ability to transfer information in 1-kilobyte (1,024-byte) blocks, the ability to send multiple files (batch file transmission), cyclical redundancy checking (CRC), and the ability to abort transfer by transmitting two CAN (cancel) characters in a row.

86. What is the acronym used to describe problems computers have with rolling over to the year 2000?

*A. Y2K

Explanation: Y2K is used to describe problems with the year 2000.


87. What term is used for Random Access Memory (RAM) when it is fast enough to respond to the processor without requiring a wait state?

*A. zero wait state

Explanation: The condition of random access memory (RAM) that is fast enough to respond to the processor without requiring wait states.

88. What is the slang word for Greenwich Mean Time?

*A. Zulu time

Explanation: Zulu Time is the slang word for Greenwich Mean Time.


Other Microsoft Certification books by TotalRecall Publications

InsideScoop to MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure

ExamInsight For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure

InsideScoop to MCP / MCSE Certification: Exam 70-210 Managing Microsoft Windows 2000 Professional

InsideScoop to MCP / MCSE Certification: Exam 70-215 Installing, Configuring, and Administering Microsoft Windows 2000 Server

InsideScoop to MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure

ExamWise For MCP / MCSE Certification: Exam 70-218 Managing a Microsoft Windows 2000 Network Environment

InsideScoop to MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure

InsideScoop to MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network

InsideScoop to MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure

ExamWise For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition


Money Back Book Guarantee

This guarantee applies only to books published by TotalRecall Publications, Inc.! We are so confident in our products, we are prepared to offer the following guarantee to YOU, our valued customer: If you do not pass your certification exam after two attempts, we will give money back!

Visit http://www.totalrecallpress.com. Select “Money Back Book Guarantee” for details. Registered book purchasers who qualify will:

1. Receive a 50% cash refund of purchase price
2. Receive a free TotalRecall book of equal value. Note: you must pay for shipping and handling.

To qualify for this TotalRecall Guarantee you must meet these requirements and perform the following tasks:

1. Register your purchase at the TotalRecall web site http://www.totalrecallpress.com
2. Fail the corresponding exam twice (no time limit)
3. Contact TotalRecall for the RMA # and to claim this guarantee

Send email to [email protected] Subject must contain your Membership # or Registration #

Ship the following to claim your refund:

1. RMA # from returned email
2. Documents of exam scores for both failed attempts
3. Return the Book to the following address

TotalRecall Publications, Inc.
Attn: Corby Tate
1103 Middlecreek
Friendswood, TX 77546

888-992-3131
[email protected]
281-992-3131
281-482-5390 Fax
http://www.bfq.com

It's a Passing day here at the BeachFront. Thank you for using the TotalRecall Success Program.

Bruce Moran
President


Free Practice Exam Online

With the purchase of this book you qualify for a Free Beachfront Quizzer, Inc. Online Practice exam.

Visit www.TotalRecallPress.com for details.

Register your book purchase at www.TotalRecallPress.com

Your Registration Code is: EW-03217-1000

System Requirements: Internet connection:

Call: 281-992-3131

Good Luck with your certification!

Your Book Registration Number is EW-03217-1000

You cannot go wrong with this book because it is GUARANTEED:

See details at www.TotalRecallPress.com