Complete 70-217 Comprehensive 5_16_02 from MCSEBraindumps.com
This dump was compiled by Skippy. Many explanations were added and links were provided to Microsoft articles, TechNet, W2k Server Online Help, and mcsebraindump forum where answers were debated.
1. You are the network administrator for Blue Sky Airlines. You are implementing a Windows 2000 network consisting of five sites in the blueskyairlines.com domain, which are shown below:
15,000 users in Chicago
5,000 users in Los Angeles
2,000 users in Miami
10,000 users in New York
2,000 users in Seattle
You are designing the structure of the DNS servers. You want to allow secure dynamic updates to DNS in Chicago, Los Angeles, and New York. You want full DNS replication to occur in all the sites. You do not want the Miami site to have an editable copy of the DNS zone.
DNS Server Options:
A. Install an Active Directory Integrated Zone in Chicago
B. Install a Primary Zone in Chicago
C. Install a Cache Only in Chicago
D. Install an Active Directory Integrated Zone in Los Angeles
E. Install a Primary Zone in Los Angeles
F. Install a Secondary Zone in Los Angeles
G. Install a Secondary Zone in Miami
H. Install a Cache Only in Miami
I. Do not install anything in Miami (Leave Blank)
J. Install an Active Directory Integrated Zone in New York
K. Install a Secondary Zone in New York
L. Install a Secondary Zone in Seattle
M. Install a Cache Only in Seattle
N. Do not install anything in Seattle (Leave Blank)
Answer: A,D,G,J,L
AD Integrated at Chicago, Los Angeles, and New York
Secondary Zone at Miami and Seattle
Active Directory Integrated zones use Secure Dynamic Updates by default.
Secondary zone servers contain a read-only copy of the zone so they are not editable.
Cache Only servers do not maintain any copy of the zone. They simply cache responses, which are lost when the server restarts or the TTL expires. You would not use any Cache Only servers, because the question says you want "full DNS replication to occur in all sites." So even though Seattle's configuration is not mentioned, you would need a secondary zone there to have "full DNS replication to occur in all sites".
2. You are the administrator of a Windows 2000 network. You create global groups and Domain Local groups for the accounts payable and accounts receivable departments. The Domain Local group named AP has Change permission for the Accounts Payable folder. The Accounts Payable folder is a subfolder of the Accounting folder. The Accounts Payable global group is a member of the AP Domain Local group. Fred's user account is a member of the Accounts Payable global group. Fred moves from the accounts payable department to the accounts receivable department. Fred now needs to access only accounts receivable information. You remove Fred's user account from the Accounts Payable global group, but Fred is still able to access documents in the Accounts Payable folder.
What are two possible causes of this problem? (Choose two)
A. Fred's user account has explicit permissions on the Accounting folder.
B. Fred's user account belongs to another group that gives him permissions on the Accounts Payable folder.
C. The Accounting folder is not published in Active Directory.
D. The Accounts Payable folder is on a FAT32 partition.
E. The AP Domain Local group is not a member of the Accounts Payable global group.
Answer: A, B
Fred could be getting inherited rights through another group he belongs to or from explicit rights to the folder or files within the folder.
Windows 2000 Server TechNet Chapter 12 - Access Control
Permissions acquired through inheritance are called inherited permissions. Permissions that are not inherited, but are instead defined directly on an object, are called explicit permissions. One way to tell an explicit permission from an inherited permission is to select an entry in the Permission Entries list and read the text displayed after the list. In Figure 12.14, the second entry is selected, and the text after the list says This permission is defined directly on this object. In other words, the permission is explicit, not inherited.
Note that propagation of inheritable permissions from a folder to another folder does not change explicit permissions in the child's DACL. Only inherited permissions are replaced when inheritable permissions are propagated to existing child objects. However, if explicit permissions are also inheritable, the propagation process reapplies them as it moves down the tree. For example, both explicit permissions that were added to the DACL on a folder are inheritable by child objects in the folder. As the propagation process moves downward from the folder, it picks up these additional inheritable permissions and applies them to the DACL of any child object that it finds.
The owner of a parent object can choose to overwrite explicit permissions defined on child objects. This is done by selecting the Reset permissions on all child objects and enable propagation of inheritable permissions checkbox in the Access Control Settings dialog box. When the owner of a parent object chooses this option, the propagation process removes explicit permissions from the DACLs on all child objects. It also sets the option Allow inheritable permissions from parent to propagate to this object on all child objects, removing any protection from inheritance that might have been set by the objects' owners.
3. You are the administrator of a Windows 2000 domain. The domain has an organizational unit (OU) named Support. Users in the Support OU frequently use their portable computers when they are not connected to the network. The portable computers are Windows 2000 Professional computers in the Support OU. The domain also has a Windows 2000 Server computer named Data3. The \\Data3\SupFiles share contains files that are needed by the users in the Support OU.
You want to accomplish the following goals:
Users in the Support OU will be able to access files at \\Data3\SupFiles if they use their portable computers while they are not connected to the network.
The total disk space used on the portable computers to automatically store files from the \\Data3\SupFiles share and other server locations will not exceed 5 percent of the hard disk space.
What should you do? (Choose all that apply)
A. Configure the SupFiles share on the Data3 server to cache documents automatically.
B. Create a new Group Policy object (GPO) named Exfolder. Assign the Exfolder GPO to the Support OU. Configure the Exfolder GPO to exclude the \\Data3\SupFiles folder from roaming profiles.
C. Create a new Group Policy object (GPO) named Maxdisk. Assign the Maxdisk GPO to the Support OU. Configure the Maxdisk GPO to limit the automatically cached off line files to 5 percent of the hard disk space.
D. Create a new Group Policy object (GPO) named Maxsize. Assign the Maxsize GPO to the Support OU. Configure the Maxsize GPO to limit the size of each user profile to 5 percent of the hard disk space.
Answer: A, C
For Caching on a shared folder you can set it to: Automatic Caching for Documents, Automatic Caching for Programs, or Manual Caching for Documents (Default).
Automatic Caching for Documents will cause opened files to be automatically downloaded and made available when working offline.
Automatic Caching for Programs is recommended for folders with read-only data or run-from-the-network applications. File sharing is not ensured, but opened files are downloaded and made available when working offline as it does for Automatic Caching for Documents.
Manual Caching for Documents - Users must specify any files they want available when working offline.
You want to limit the offline file size, not the profile size, which includes a lot more than just the offline files; therefore you would implement C.
4. How do you change the registry key for all users?
A. Use an Administrative Template
B. Use a change to the Sysvol partition
C. Use a Security Template
D. Use a change to the Netlogon
Answer: A
ADM files are used to modify registry keys. See the article below.
Microsoft Article #Q225087 Writing Custom ADM Files
An Administrative template can be created with any text editor and saved as a .ADM file. It can then be loaded into System Policy Editor and deployed to your users.
5. Which of the following partitions get replicated as part of AD replication? (Choose three)
A. The DNS partition
B. The domain partition
C. The schema partition
D. The Sysvol partition
E. The configuration partition
Answer: B, C, E
Windows 2000 Resource Kit - Global Catalog Servers
Every domain controller in a forest stores three full, writeable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A Global Catalog is a domain controller that stores these writeable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. The Global Catalog is built automatically by the Active Directory replication system.
6. Which of the following is true of AD replication? (Choose two)
A. Replication messages between sites are uncompressed and replication messages within a site are compressed.
B. Replication messages between sites are compressed and replication messages within a site are uncompressed.
C. Replication between sites always uses RPC over IP. Replication within a site can use either RPC over IP or SMTP over IP.
D. Replication within a site always uses RPC over IP. Replication between sites can use either RPC over IP or SMTP over IP.
Answer: B, D
Inter-site and intra-site data exchange formats
Inter-site directory updates use data compression to reduce demands on network resources. Compressed data can be transmitted more rapidly, but requires more computing power to compress before sending and decompress upon receipt. Intra-site directory updates are optimized to reduce demands on the processing power of domain controllers, so these exchanges are not compressed. Uncompressed exchanges require more network resources but less processing power.
Windows 2000 Site Replication
Directory information can be exchanged using different network protocols such as IP or SMTP.
SMTP replication. SMTP replication is only used for replication over site links (inter-site), and not for replication within a site (intra-site). Because SMTP is asynchronous, it typically ignores all schedules. Therefore, do not configure site link replication availability on SMTP site links unless the following is true:
The site links use scheduled connections.
The SMTP queue is not on a schedule.
Information is being exchanged directly from one server to another, and not through intermediaries as is the case, for example, on a network Ethernet backbone.
If your network's SMTP connections meet these conditions, synchronize your SMTP site link replication schedule with the times your network's SMTP connections are available.
If you choose to use SMTP over site links, you must install and configure an enterprise certification authority. The certification authority (CA) signs SMTP messages that are exchanged between domain controllers, ensuring the authenticity of directory updates. SMTP replication uses 56-bit encryption.
IP replication. IP replication uses remote procedure calls (RPC) for replication over site links (inter-site) and within a site (intra-site). By default, inter-site IP replication does adhere to replication schedules, although you may configure Active Directory replication to ignore schedules.
IP replication does not require a CA.
7. An AD tree and an AD forest share many things. Which of the following do they NOT share?
A. The same namespace
B. The same schema
C. The same global catalog
D. Two-way transitive trust relationships
Answer: A
Namespace - the internal (or external) domain name used by your company (example: mycompany.com).
Schema - the set of rules for objects and attributes in Active Directory. It contains information on the different kinds of objects in the AD and the attributes related to them. The schema master is responsible for maintaining and distributing the schema throughout the rest of the forest (by default, the first DC installed in the forest).
Global Catalog - a replica copy of AD used for universal logon authentication, coordinating, and responding to queries of the AD.
2-way Transitive Trust Relationships - when a trust is set up between 2 domains, each is both the trusting and the trusted domain (2-way), and the trust is passed from one domain trust to another (transitive - A trusts B, B trusts C, so A trusts C). This is the default trust relationship for all domains in a W2k tree or forest and allows all domains in that tree or forest to access resources throughout the tree or forest.
Tree - the logical structure that has more than one domain sharing a common namespace or domain name. The first domain in the logical structure becomes the ROOT domain for that namespace, and any additional domains become part of this tree. (Tree Root - mycompany.com, sales.mycompany.com)
Forest - consists of 2 or more trees that share the same AD, schema, and global catalog, but do not share the same namespace. (Tree Root - mycompany.com, sales.mycompany.com)-------(Tree Root - mycompany2.com, marketing.mycompany2.com)
8. Your network is divided into three sites: New York, Texas and Washington. You have created two site links shown below.
What will the cost of the site link bridge be between Washington and New York?
A. Seven
B. Four
C. Three
D. One
E. Thirty-five
Answer: A
Microsoft Article #Q199174 A site-link bridge is a collection of two or more site links that provides a structure to build transitive links between sites and evaluate the least-cost path. For example, you may have three sites, A, B, and C, and you may create the following site links:
A-----(3)-----B-----(4)-----C
Note that the costs are in parentheses ().
If site B is unavailable (if every domain controller in the site is unavailable), site A cannot replicate to site C because there is no site-A-to-site-C link. To resolve this problem, either create a site link from site A to site C with some cost, or create a site-link bridge that consists of links between site A and site B, and between site B and site C. The bridge infers a transitive link between site A and site C with a cost of 7.
9. What does the Global Catalog server store? (Choose 2)
A. A Global Catalog server is a domain controller that stores a writeable copy of the domain directory, the schema directory and the configuration directory partition.
B. A Global Catalog server is a domain controller that stores a partial Read Only copy of all the other domain directory partitions in the forest.
C. A Global Catalog server is a domain controller that stores a writeable copy of all the other domain directory partitions in the forest.
D. A Global Catalog server is a domain controller that stores a partial Read Only copy of the domain directory, the schema directory and the configuration directory partition.
Answer: A, B
Windows 2000 Resource Kit - Global Catalog Servers
Every domain controller in a forest stores three full, writeable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A Global Catalog is a domain controller that stores these writeable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. The Global Catalog is built automatically by the Active Directory replication system.
All of the directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (Ntds.dit) on that server. There is no separate storage area for Global Catalog attributes; they are treated as additional information in the domain controller directory database.
When a new domain is added to the forest, the information about the new domain is stored in the configuration directory partition, which reaches the Global Catalog server (and all domain controllers) through replication of forest-wide information. When a new Global Catalog server is designated, this information is also stored in the configuration directory partition and replicated to all domain controllers in the forest.
10. Rick works as a Network Administrator for a Windows 2000 Active Directory based network.
His company's network consists of two sites namely New York and Seattle. Both sites are connected with high-speed T1 lines.
Rick is configuring Active Directory replication between the sites. He creates a site link for the T1 line and one for a dial-up connection. He wants Active Directory to always choose the T1 site link first to replicate the data. He wants the dial-up connection to be chosen only if the T1 line is not available.
How will Rick configure the site links to meet this requirement?
A. He will configure a lower cost for the T1 line and a higher cost for the dial-up network.
B. He will configure a higher cost for the T1 line and a lower cost for the dial-up network.
C. He will set the replication frequency of the T1 line higher than that of the dial-up network.
D. He will set the replication frequency of the T1 line lower than that of the dial-up network.
Answer: A
Microsoft Article #Q199174
Directory Replication Basics
Link cost determines which link is used first. The link with the lower cost is always used before a link with a higher cost. To make sure that the high-speed line is always used, you would configure that link with a lower cost than the low-speed line.
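Added example for questions 8 and 10 (not from the dump or from Microsoft): a small Python model of site link costs. It reproduces the A-----(3)-----B-----(4)-----C case from Q199174, where a site link bridge infers a transitive A-to-C link with cost 7, and the T1/dial-up choice from question 10, where the lowest-cost available link is preferred and the higher-cost link is used only when the preferred one is down. The link names and the costs 100 and 500 are constructed; 100 is the default cost Windows 2000 assigns to a new site link.

```python
import heapq
from typing import Dict, FrozenSet, List, Optional, Tuple

# A site link: (link name, site, site, cost). Lower cost is preferred.
SiteLink = Tuple[str, str, str, int]

# The page's own illustration: A-----(3)-----B-----(4)-----C, no direct A-C link.
PAGE_LINKS: List[SiteLink] = [
    ("A-B", "A", "B", 3),
    ("B-C", "B", "C", 4),
]

# Hypothetical links for question 10: a T1 and a dial-up backup between the same two sites.
# The dial-up link is given a higher cost so it is chosen only when the T1 link is unavailable.
Q10_LINKS: List[SiteLink] = [
    ("NY-SEA-T1", "New York", "Seattle", 100),
    ("NY-SEA-Dialup", "New York", "Seattle", 500),
]


def preferred_link(links: List[SiteLink], src: str, dst: str,
                   down: FrozenSet[str] = frozenset()) -> Optional[Tuple[str, int]]:
    """Direct link preferred between two sites: the lowest-cost link that is not down.
    Returns (link name, cost), or None when no direct link is available."""
    candidates = [(cost, name) for name, a, b, cost in links
                  if name not in down and {a, b} == {src, dst}]
    if not candidates:
        return None
    cost, name = min(candidates)
    return name, cost


def bridged_cost(links: List[SiteLink], src: str, dst: str,
                 down: FrozenSet[str] = frozenset()) -> Optional[Tuple[int, List[str]]]:
    """Least-cost transitive path when the site links are bridged (Dijkstra over link costs).
    Returns (total cost, [sites along the path]), or None if the sites are not connected."""
    graph: Dict[str, List[Tuple[str, int]]] = {}
    for name, a, b, cost in links:
        if name in down:
            continue
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best: Dict[str, float] = {src: 0}
    previous: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry, a cheaper route was already found
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(previous[path[-1]])
            return cost, path[::-1]
        for neighbour, link_cost in graph.get(site, []):
            candidate = cost + link_cost
            if candidate < best.get(neighbour, float("inf")):
                best[neighbour] = candidate
                previous[neighbour] = site
                heapq.heappush(heap, (candidate, neighbour))
    return None


if __name__ == "__main__":
    print("Direct A-C link:", preferred_link(PAGE_LINKS, "A", "C"))        # None
    print("Bridged A-C cost:", bridged_cost(PAGE_LINKS, "A", "C"))         # (7, ['A', 'B', 'C'])
    print("T1 up:", preferred_link(Q10_LINKS, "New York", "Seattle"))
    print("T1 down:", preferred_link(Q10_LINKS, "New York", "Seattle", frozenset({"NY-SEA-T1"})))
```

Without a bridge, `preferred_link` finds no direct A-C link, which is the failure Q199174 describes; with a bridge, `bridged_cost` sums the two links to 7. For question 10 the same cost comparison picks the T1 link while it is up and the dial-up link once the T1 link is marked down.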
11. You work as a Network Administrator of a Windows 2000 Active Directory based network.
Your company's network consists of two sites namely Miami and Los Angeles. These sites are connected with a high-speed T1 line. The Miami site is highly protected and a firewall has been configured for security reasons.
You create a site link to replicate the Active Directory data between the two sites. You find that the replication is not working properly.
You know that a firewall is preventing data from being replicated between the two sites. What will you do to troubleshoot the problem?
A. Increase the cost of the site link.
B. Make the proxy server of the Miami site a preferred bridgehead server.
C. Schedule a site link to replicate the Active Directory data for twenty four hours a day.
D. Remove the firewall, as replication is not possible if the firewall is configured in a site.
Answer: B
Microsoft Windows 2000 Server Documentation - Replication goals and strategies
Creating site link bridges or bridging all site links maximizes replication, but errors will occur if there are domain controllers in a single site link or in bridged site links that span a firewall. Because all domain controllers in a site link or site link bridge attempt to send directory updates to other domain controllers in their site or site link, they may send updates to domain controllers that are on the opposite side of a firewall. If this occurs, those attempts will fail unless the sender is also the firewall proxy server. Therefore, if you have domain controllers on different sides of a firewall and the firewall is configured in such a way that allows packet transmission between specific computers only, do not place them all in one site, even if they are well-connected. Instead, add all domain controllers that are on the same side of a firewall to a site link and establish the firewall proxy as the preferred bridgehead server for the site link. By doing so, the firewall will not block replication.
12. You work as a Network Administrator for Subway Inc., which has multiple domain controllers in its network based on Windows NT 4.0. A few months ago, all the systems were upgraded to Windows 2000. No backup has been taken since the upgrade. Recently, one of the domain controllers crashed. How will you restore the Active Directory data of the crashed system?
Required result: Repair Windows 2000 installation.
Optional result 1: Restore the Active Directory to the current state.
Suggested solution: First, use the Sites and Services snap-in on an existing domain controller to delete any references to the old domain controller. Then, restore a domain controller by reinstalling the Windows 2000 Server on the damaged system, making it a domain controller.
Which results does the suggested solution produce?
A. The suggested solution produces the required result and the optional result.
B. The suggested solution produces only the optional result.
C. The suggested solution produces only the required result.
D. The suggested solution does not produce the required result.
Answer: A
Microsoft Article #Q238369
Promote and Demote DCs. Microsoft Article #Q216498
Describes how to remove data in the Active Directory after an unsuccessful domain controller demotion.
Your first action removes all the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager. Since the server crashed and you were unable to run dcpromo.exe to demote the server, this was not done automatically.
Your second action simply brings up a new W2k server. By promoting it to a DC it automatically gets the current state of AD.
13. Rick works as a Network Administrator of a Windows 2000 Active Directory based network. One day he discovers that the volume that contains the Active Directory database file on ADServer is running out of disk space. What should Rick do to move the NTDS.DIT database file to an empty volume on a different disk on ADServer?
A. Restart the ADServer in the Directory Services Restore Mode.
B. Demote the server from a domain controller to a member server.
C. Use the NTDSUTIL utility to move the database file to an empty volume.
D. Use the MOVEDATABASE utility to move the database file to an empty volume.
Answer: A,C
Microsoft Article #Q315131
The NTDS.DIT database file is locked and you cannot access it unless you boot into DS Restore Mode.
You can move the Ntds.dit data file to the new folder that is specified by the location variable. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.
At the Ntdsutil command prompt, type files , and then press ENTER.
At the file maintenance command prompt, type Move DB to Folder_location (where Folder_location is location of an existing folder that you have created for this purpose), and then press ENTER and a verification is displayed.
To exit the tool, type q at the command prompt, press ENTER, type q , and then press ENTER.
14. You are the Network Administrator of a Windows 2000 Active Directory based network. You are puzzled that although you have deleted so many objects from your Active Directory, the file size of the NTDS.DIT file remains the same.
What is the most likely cause for this?
A. Deletion of objects in the Active Directory makes no change in the actual database file, as Active Directory keeps objects in a separate database.
B. The Active Directory keeps the database in the compressed mode hence deletion of objects, of Active Directory, makes no change in the file size of the database.
C. The database is fragmented and requires defragmentation, to reduce the size of the database file.
D. The database got corrupted.
Answer: C
Microsoft Article #Q229602
Online Defragmentation
With online defragmentation, database pages are effectively rearranged within the data file, but no space is released back into the file system. Online defragmentation is performed automatically by ESE at regular intervals following the garbage collection process.
Offline Defragmentation
Offline defragmentation cannot be performed while the computer is running as a domain controller; it must be performed with the computer running in Directory Services Repair mode, in which the computer is effectively running as a member server. In Directory Services Repair mode, an administrator can use the Ntdsutil.exe command-line tool to defragment the Ntds.dit file.
You can run Directory Services Repair mode by restarting the computer and selecting the appropriate item from the Boot menu. This menu is accessible on Intel-based computers by pressing F8 during startup.
Upon completion of the defragment operation, Ntdsutil.exe places a defragmented version of the Ntds.dit file into a separate folder. You can then move the defragmented file into the Ntds folder after archiving the original Ntds.dit file.
15. All your domain controllers are configured for DHCP. Each time the system is booted, it gets a new IP address from the DHCP server. You have also configured Active Directory on the domain controller. You want to configure your DNS setting so that it will dynamically update the DNS data, only if the zone type is Active Directory integrated, whenever the IP address of the domain controller changes. How will you configure for dynamic updates?
A. Update none, the zone for Active Directory integrated will always be updated.
B. Allow Updates
C. Allow Only Secure Updates
D. Allow Only Active Directory Updates
Answer: C
Microsoft Article #Q232187
For Active Directory-integrated zones, the default value for the "Dynamic update" setting is "Allow Only Secure Updates."
The exception to this is the default value for Active Directory-integrated root (or ".") zones. For these zones, the default value is "None."
16. You want to install Active Directory on your Windows 2000 system. You have already installed DNS and want to check it using the DNS console. Which options will be available?
A. Run the loopback test.
B. Use the Test Now button on the client computer's TCP/IP properties.
C. Run the PING utility from the DNS console.
D. Use the Test Now button on the Monitoring tab of the Properties dialog box for the server.
Answer: D
In the DNS console you can select the DNS server you want to test and go to Properties of that server by right-clicking it. At the Properties page you can select the Monitoring tab and you are presented with the choices to do an immediate test by clicking the Test Now button. You can choose to do a simple query or a recursive query. You can also elect to do the test(s) automatically per the interval you specify.
17. You work as a Network Administrator of a Windows 2000 Active Directory based network. Your network is a single-domain, multiple-site network. These sites are connected with high-speed T1 lines. A DNS server is used for host name resolution. Changes are frequent, and you want the name servers to return the current domain namespace across the network.
What should you do to ensure that the data about the domain namespace is more current across the network?
A. Specify longer TTL values for each DNS name server in the domain.
B. Remove all cache-only servers in the domain.
C. Specify shorter TTL values for each DNS name server in the domain.
D. Install a preferred bridgehead server in each site.
Answer: C
The TTL value specifies how long a DNS server caches a response it had to obtain from another server. If changes are frequent and you specify a longer TTL, it takes longer for a changed record to age out of the DNS server's cache. If that stale response has not yet expired and another client requests the same name, the server answers with the outdated information.
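Added example (not from the dump or from Microsoft): a Python model of a DNS server that caches answers obtained from an authoritative server until their TTL expires. It shows that after a record changes, the caching server keeps answering with the old address until the entry it cached earlier expires, so the worst-case staleness is the TTL, and a shorter TTL shrinks that window. The host name, addresses and times are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass
class CachedAnswer:
    address: str
    expires_at: float   # time (seconds) at which the cached record's TTL runs out


class CachingDnsServer:
    """A DNS server holding a cache of answers it had to fetch from an authoritative server."""

    def __init__(self, authoritative: Dict[str, Tuple[str, int]]):
        # Authoritative data this server must ask for: name -> (address, TTL in seconds)
        self.authoritative = authoritative
        self.cache: Dict[str, CachedAnswer] = {}
        self.upstream_queries = 0

    def resolve(self, name: str, now: float) -> str:
        cached = self.cache.get(name)
        if cached is not None and now < cached.expires_at:
            return cached.address   # served from cache, even if the record changed upstream
        address, ttl = self.authoritative[name]
        self.upstream_queries += 1
        self.cache[name] = CachedAnswer(address, now + ttl)
        return address


HOST = "fs1.example.com"   # hypothetical host name


def simulate(ttl: int, change_at: float, probe_times: Iterable[float]) -> Dict[float, str]:
    """Cache the record at t=0, move the host (new address upstream) at change_at,
    and report what the caching server answers at each probe time."""
    server = CachingDnsServer({HOST: ("10.0.0.1", ttl)})
    server.resolve(HOST, now=0.0)   # warm the cache with the old address
    answers: Dict[float, str] = {}
    for t in sorted(probe_times):
        if t >= change_at:
            server.authoritative[HOST] = ("10.0.0.2", ttl)   # the record changed upstream
        answers[t] = server.resolve(HOST, now=t)
    return answers


def worst_case_staleness(ttl: int, change_at: float) -> float:
    """Longest time the old answer can still be returned after the change:
    until the entry cached at t=0 expires, i.e. at most one TTL."""
    return max(0.0, ttl - change_at)


if __name__ == "__main__":
    print("TTL 3600 s, changed at 600 s:", simulate(3600, 600, [900, 3599, 3600]))
    print("TTL 300 s, changed at 600 s: ", simulate(300, 600, [900]))
    print("Worst-case staleness:", worst_case_staleness(3600, 600), "vs", worst_case_staleness(300, 600))
```

With a one-hour TTL the server keeps handing out 10.0.0.1 for the rest of the hour after the change; with a five-minute TTL the cached entry has already expired when the next query arrives, so the current address is returned.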
18. You are the administrator of a Windows 2000 Network. Your network's organizational unit (OU) structure is shown in an exhibit. You grant Create Users Objects permission to Anita for the Executive OU, but she is unable to create users objects in the Users OU. Anita is able to create users objects in the Workstation OU. Executive is the parent OU of both the Users and Workstation OU's as shown below:
How do you resolve Anita's problem?
A. Clear the Allow inheritable permissions from parent to propagate to this object check box in the Executive OU properties.
B. Select the Allow inheritable permissions from parent to propagate to this object check box in the Users OU properties.
C. Add Anita to the Server Operators group.
D. Move the Users OU to the same level as the Executive OU.
Answer: B
By default, permissions on an OU flow down to all child OUs. To block them, clear the Allow inheritable permissions from parent to propagate to this object check box at the OU you do not want them passed on to.
A - Would prevent permissions from OUs above the Executive OU from being passed to the Executive OU.
B - Would set the Users OU to inherit the permissions from its parent OU.
C - This would not affect Anita's ability to create objects under the Users OU.
D - This would not resolve the issue unless Anita is given the same permissions on the parent OU of the Executive OU.
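Added example for questions 2 and 18 (not from the dump or from Microsoft): a Python model of DACL inheritance that distinguishes explicit entries from inherited ones and honours the "Allow inheritable permissions from parent to propagate to this object" setting. It reproduces both causes from question 2 (Fred keeps access through an explicit inheritable entry on the parent Accounting folder, or through membership in another group) and the question 18 case where the Users OU blocks inheritance so Anita's permission on Executive never reaches it. The folder, OU, group and user names follow the questions; the extra group "Auditors" is hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ACE:
    trustee: str       # user or group the entry applies to
    permission: str    # e.g. "Change" or "Create User Objects"
    inheritable: bool = True


@dataclass
class SecuredObject:
    name: str
    parent: Optional["SecuredObject"] = None
    explicit: List[ACE] = field(default_factory=list)
    # The "Allow inheritable permissions from parent to propagate to this object" check box.
    inherit_from_parent: bool = True

    def effective_aces(self) -> List[Tuple[ACE, str]]:
        """Explicit entries, then inheritable entries propagated down from every ancestor.
        Each entry is paired with the name of the object on which it was defined."""
        aces = [(ace, self.name) for ace in self.explicit]
        if self.inherit_from_parent and self.parent is not None:
            aces += [(ace, origin) for ace, origin in self.parent.effective_aces() if ace.inheritable]
        return aces


def access_token(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group that contains them, directly or through nested groups."""
    sids = {user}
    grew = True
    while grew:
        grew = False
        for group, members in groups.items():
            if group not in sids and sids & members:
                sids.add(group)
                grew = True
    return sids


def grants(obj: SecuredObject, user: str, permission: str,
           groups: Dict[str, Set[str]]) -> List[str]:
    """Every ACE that gives the user the permission on obj, and where it comes from.
    An empty list means the user does not have that permission on the object."""
    sids = access_token(user, groups)
    found = []
    for ace, origin in obj.effective_aces():
        if ace.permission == permission and ace.trustee in sids:
            how = "explicit" if origin == obj.name else f"inherited from {origin}"
            found.append(f"{how} via {ace.trustee}")
    return found


def fred_scenario(case: str) -> List[str]:
    """Question 2. 'before': Fred still in the Accounts Payable global group. 'clean': removed,
    nothing else. 'A': an explicit inheritable ACE for Fred on the parent Accounting folder.
    'B': Fred belongs to another group (hypothetical 'Auditors') with rights on the subfolder."""
    accounting = SecuredObject("Accounting")
    ap_folder = SecuredObject("Accounts Payable", parent=accounting, explicit=[ACE("AP", "Change")])
    groups: Dict[str, Set[str]] = {"AP": {"Accounts Payable"}, "Accounts Payable": set()}
    if case == "before":
        groups["Accounts Payable"].add("Fred")
    elif case == "A":
        accounting.explicit.append(ACE("Fred", "Change"))
    elif case == "B":
        groups["Auditors"] = {"Fred"}
        ap_folder.explicit.append(ACE("Auditors", "Change"))
    return grants(ap_folder, "Fred", "Change", groups)


def anita_scenario(users_ou_inherits: bool) -> Dict[str, List[str]]:
    """Question 18: Anita has Create User Objects on Executive; Users and Workstation are child OUs."""
    executive = SecuredObject("Executive", explicit=[ACE("Anita", "Create User Objects")])
    users = SecuredObject("Users", parent=executive, inherit_from_parent=users_ou_inherits)
    workstation = SecuredObject("Workstation", parent=executive)
    return {ou.name: grants(ou, "Anita", "Create User Objects", {}) for ou in (users, workstation)}


if __name__ == "__main__":
    for case in ("before", "clean", "A", "B"):
        print(f"Fred, case {case}: {fred_scenario(case) or 'no access'}")
    print("Users OU blocks inheritance:", anita_scenario(False))
    print("Users OU inherits:", anita_scenario(True))
```

Removing Fred from the global group only removes the path through AP; `grants` still reports an inherited entry in case A and an explicit one through the second group in case B, which is why both answers are correct. For Anita, flipping `inherit_from_parent` on the Users OU (answer B) is the only change that makes the Executive permission appear there.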
19. You add a new domain controller named GC01 to your network to take the place of the existing global catalog server. You also enable GC01 as a global catalog. You want to use GC00, the original server, as a domain controller but not as a GC server for the domain. You want to increase disk space on GC00.
What should you do? (Choose all that apply)
A. Use the Active Directory Sites and Services. Select the NTDS settings object for the GC00 Server to clear the Global Catalog check box.
B. On the GC00 server, run the Ntdsutil utility to defragment Active Directory.
C. On the GC00 server, reinstall Windows 2000.
D. On the GC01 server, run the Ntdsutil utility to enable the global catalog server option.
Answer: A, B
Microsoft Article #Q313994
Steps for adding and removing a Global Catalog server
To remove the global catalog from the original domain controller:
On the domain controller from which you want to remove the global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, double-click Sites , and then double-click site name.
Double-click Servers , click your domain controller, right-click NTDS Settings, and then click Properties.
On the General tab, click to clear the Global catalog check box to remove the role of global catalog from this server.
Restart the domain controller.
Microsoft Article #Q315131
Manage AD with NTDSUTIL.EXE
NTDSUTIL.EXE (AD Diagnostic Tool) is a command line utility used to perform maintenance on the Active Directory database, NTDS.DIT. NTDSUTIL.EXE is used for an offline defrag of AD in order to reduce the size of the AD database. The size of NTDS.DIT will grow as it is modified. To reduce its size, you must take the DC offline (in Directory Services Restore mode) and perform an offline defrag.
20. You add three new SCSI hard disk drives to your company's domain controller. The SCSI disks are configured in a hardware RAID-5 array. You have two other physical disks in this domain controller. You want to optimize the speed of the Active Directory database.
What can you do? (Choose two)
A. Move the NTDS.DIT file to the RAID-5 array.
B. Move the log files to a separate physical disk from the OS.
C. Move the log files and the NTDS.DIT file to the RAID-5 array.
D. Move the NETLOGON share to the RAID-5 array.
E. Create a mirror volume and place the log files on the mirror.
Answer: A, B
Microsoft Article #Q257420
This article describes how to move the Active Directory database file, Ntds.dit, and the Active Directory log files to different drives to improve performance.
Note, you must restart the computer in Directory Services Restore mode in order to perform maintenance on AD. Then, start NTDSUTIL.EXE and use the "Move DB" command to move the database to the RAID-5 volume. For optimized performance, you can also perform an offline defrag of the NTDS.DIT Active Directory database file.
21. You are the administrator of the Arbor Shoes company network. There is one domain named arborshoes.com. The domain contains three sites named Geneva, Milwaukee, and Portland. Each site has two domain controllers from the arborshoes.com domain. Geneva and Portland each have 1,000 users. Milwaukee has 500 users. This is shown in the exhibit.
You want to add another domain controller in each site to handle all replication from each site.
What should you do?
A. Configure each new domain controller to be the IP preferred bridgehead server for its site.
B. Create a connection object from each domain controller in each site to the new domain controller in each site.
C. Create a new site link that has a lower cost than the existing site links.
D. Delete the existing connection objects in each site and manually start the KCC.
Answer: A
Microsoft Article #Q271997
In Windows 2000 Server, bridgehead servers are the contact point for the exchange of directory information between sites. A bridgehead server is a domain controller that has been either administratively assigned or automatically chosen to replicate changes collected from other domain controllers in the site to bridgehead servers in other sites.
By default, the Active Directory replication topology generator, the Knowledge Consistency Checker (KCC), automatically chooses servers to act as bridgehead servers. However, if you are an administrator, you may select one or more domain controllers in the site to be preferred bridgehead servers. These servers are used exclusively to replicate changes collected from the site. Even though you may have administratively configured several domain controllers as preferred bridgehead servers, the KCC chooses one of these servers to become the bridgehead server for the site. However, if you choose only one bridgehead server for a particular site, and that server becomes unavailable, the KCC does not choose another domain controller to be the bridgehead server. Therefore, if you assign a preferred bridgehead server, you should assign more than one.
Multiple bridgehead servers may be required to replicate full copies of data from one site to another. This behavior depends on the transports available, the directory partitions that have to be replicated, and the availability of global catalog servers. You must assign one bridgehead server for each writable directory partition in your forest. When you assign a bridgehead server, you can establish a preferred bridgehead server for one or more protocols such as IP or SMTP. When you configure a domain controller to be the preferred bridgehead server, you must specify the transports that are preferred for replication.
22. You are the LAN admin for Arbor Shoes. You hire Sophie to be a LAN administrator for the Dublin office. Arbor Shoes has one domain named arborshoes.com. Each office has its own OU. Sophie needs to be able to create child OUs under only OU=Dublin,dc=arborshoes,dc=com and verify the existence of the created OUs.
Which permissions should you assign to Sophie on the Dublin OU? (Choose three)
A. Full Control
B. List Contents
C. Create OU objects
D. Create All Child Objects
E. Write
F. Read
Answer: B, C, F
Microsoft Article #Q315676
Delegate Admin authority in AD Microsoft Article #Q308194
How to create OUs
By default, the Domain Admins and Enterprise Admins groups have permissions to create OUs. If you are not a member of one of those groups, you will have to be assigned the following permissions on the parent container (domain or OU) to create OUs within that container:
Read Permissions
List Contents - List Contents is not specifically required to create an OU, but you cannot view the newly created OU without it.
Create Child (OU)
Create All Child Objects also gives you the ability to create Computer Objects, Contact Objects, Group Objects and many others. That is not what they are asking for.
23. You are the administrator for Trey Research and A. Datum Corporation. You manage a multi-domain Windows 2000 network of 5,000 users for the two companies. The network is configured as shown in an exhibit.
Each Domain and OU has specific Group Policy settings that must be applied to all of its members. Your company is reorganizing all six departments. Some, but not all, of the users in each OU have moved. Many users have changed departments, and some have changed domains. You want to accomplish the following goals in the least possible amount of time:
Place the user accounts in the appropriate domains.
Apply the existing policies for each domain or OU to the moved accounts.
Do not disrupt user access to shared resources.
What should you do?
A. For all users, create new user accounts in the appropriate OUs. Assign permissions to the accounts to apply the Group Policy settings and then delete the old accounts.
B. For the users moving between domains, create new user accounts in the appropriate OUs. Assign permissions to the accounts to apply the Group Policy settings and then delete the old accounts. For the users moving between OUs in the same domain, select the accounts. Then choose Move from the Action menu, targeting the new OU.
C. For the users moving between domains, use the Movetree utility, specifying the source and target domains and OUs. For the users moving between OUs in the same domain, select the accounts. Then choose Move from the Action menu, targeting the new OU.
D. For the users moving between domains, create new user accounts in the appropriate OUs. Assign permissions to the accounts to apply the Group Policy settings and then delete the old accounts. For the users moving between OUs in the same domain, select the accounts. Then choose Copy from the Action menu, entering the appropriate account information for the new user accounts. Then delete the old accounts.
Answer: C
Microsoft Article #Q238394
MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, between domains in a single forest. These types of operations support domain reconsolidation or organizational restructuring. Although MoveTree moves Active Directory objects between domains, there are some Active Directory objects that cannot be moved between domains. There may also be associated data outside the Active Directory that also is not moved. Computer objects are not moved during a MoveTree operation.
When objects are moved, they are initially copied to the LostandFound container in the source domain, and then they are moved to the destination domain. All objects that are moved are recorded in the MoveTree.log file, and all error messages are recorded in the MoveTree.err file. Objects that cannot be moved remain in an orphan container in the LostandFound container in the source domain. Local and domain global groups are not moved during a MoveTree operation. However, group memberships remain intact; therefore, security is not compromised.
Associated data that is not moved during MoveTree operations includes profiles, logon scripts, and users' personal data. Additional scripts or management tools need to be used in conjunction with MoveTree to perform these additional steps. MoveTree enables an organizational unit to be moved with all of the linked Group Policy objects in the source domain intact. Although the Group Policy object link moves and continues to work, clients receive their Group Policy settings from the source domain. Because of this potential performance degradation, it is strongly recommended that you re-create the Group Policy objects for the moved organizational unit in the destination domain, and then delete the old Group Policy objects in the source domain.
MoveTree moves the computer accounts, but the accounts are not valid in the new domain. Active Directory Users and Computers in the new domain show all the computer accounts that MoveTree moved, but the individual computers are not able to log into the new domain. Netdom must be used to move the computer accounts.
NOTE: Movetree requires that the destination domain be in native mode.
Movetree syntax:
movetree [/start, /continue, /check] [/s source server FQDN] [/d destination server FQDN] [/sdn source subtree root DN] [/ddn destination subtree root DN] [/u domain\username] [/p password] [/quiet]
24. You are the administrator of a Windows 2000 network. Your Windows 2000 domain controller has been in operation for one year. During that year, you have deleted numerous objects. However, the NTDS.DIT file is the same size it was before you deleted any objects. You want to reduce the size of the NTDS.DIT file.
What should you do? (Choose two)
A. Delete all the log files from the NTDS folder and restart the server.
B. Use the Ntdsutil utility to perform an authoritative restore.
C. Run the Esentutl utility by using the /d switch.
D. Restart the server in Directory Services restore mode.
E. Use the Ntdsutil utility to compress the database to another drive.
Answer: D, E
Microsoft Article #Q229602
Online Defragmentation
With online defragmentation, database pages are effectively rearranged within the data file, but no space is released back into the file system. Online defragmentation is performed automatically by ESE at regular intervals following the garbage collection process.
Offline Defragmentation
Offline defragmentation cannot be performed while the computer is running as a domain controller; it must be performed with the computer running in Directory Services Repair mode, in which the computer is effectively running as a member server. In Directory Services Repair mode, an administrator can use the Ntdsutil.exe command-line tool to defragment the Ntds.dit file.
You can run Directory Services Repair mode by restarting the computer and selecting the appropriate item from the Boot menu. This menu is accessible on Intel-based computers by pressing F8 during startup.
Upon completion of the defragment operation, Ntdsutil.exe places a defragmented version of the Ntds.dit file into a separate folder. You can then move the defragmented file into the NTDS folder after archiving the original Ntds.dit file.
25. You are the administrator of the company network for Arbor Shoes. Arbor Shoes has three domains:
All the domains are in native mode. You are going to remove the na.arborshoes.com domain in an effort to consolidate domains. There are 300 users in na.arborshoes.com. You want to move all 300 users at the same time to arborshoes.com.
What should you do?
A. At the command prompt, type the following command: Cscript sidhist.vbs /srcdc:dc1 /srcdom:na.arborshoes.com /dstdc:dc1 /dstdom:arborshoes.com.
B. At the command prompt, type the following command: Movetree /start /s dc1.na.arborshoes.com /d dc1.arborshoes.com /sdn cn=users,dc=na,dc=arborshoes,dc=com /ddn cn=users,dc=arborshoes,dc=com.
C. In MMC, use the copy command in Active Directory Users and Computers.
D. In MMC, use the move command in Active Directory Users and Computers.
Answer: B
MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, BETWEEN domains in a single forest.
Movetree syntax:
Movetree [/start, /continue, /check] [/s source server FQDN] [/d destination server FQDN] [/sdn source subtree root DN] [/ddn destination subtree root DN] [/u domain\username] [/p password] [/quiet]
26. You are the enterprise administrator of a Windows 2000 domain tree that has five domains. All domains are in native mode. Each domain has one or more users who are help desk staff. Each domain has a global group named Help Desk Members that contains the help desk staff from each domain. There is an OU named Interns in the root domain. You want all help desk staff to be able to reset passwords of the users in the Interns OU.
What should you do?
A. Create a new global security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk Staff group. Place the Help Desk Staff group in the Reset Interns group. On the Reset Interns group, assign the Reset Password permission to the Help Desk Staff group.
B. Create a new global security group named Help Desk Staff in the root domain. Place the five help desk staff in the Help Desk Staff group. Create a new local security group named Reset Interns in the root domain. Place all users from the Interns OU in the Reset Interns group. On the Interns OU, assign the Reset Password permission to the Reset Interns group.
C. Create a new universal security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk Staff universal group. Create a new local security group named Reset Interns in the root domain. Place the Help Desk Staff group in the Reset Interns group. On the Interns OU, assign the Reset Password permission to the Reset Interns group.
D. Create a new universal security group named Help Desk Staff in the root domain. Place the five Help Desk Members groups in the Help Desk Staff group. Create a new local security group named Reset Interns in the root domain. Place all users from the Interns OU in the Reset Interns group. On the Reset Interns group, assign the Reset Password permission to the Help Desk Staff group.
Answer: C
Windows 2000 security groups:
Domain Local - can contain user accounts, global groups and universal groups from any domain in the forest, as well as other domain local groups in the same domain. Domain local groups can be used only in their own domain and can be assigned permissions only for resources located in their own domain.
Global - can contain user accounts and global groups from the same domain. Global groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest.
Universal - can contain user accounts, global groups and universal groups from any domain in the forest. Universal groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest. Universal group membership is validated at logon by Global Catalog servers.
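The three scope rules above, as an added Python example that is not part of the dump or any Microsoft article: a small checker that validates the nesting in answer C of question 26 and shows why a global Help Desk Staff group cannot hold the other domains' Help Desk Members groups. The forest and domain names are constructed.

```python
# Added example (not from the dump or a Microsoft article): a checker for the
# Windows 2000 native-mode group scope rules, applied to question 26.
from dataclasses import dataclass
from typing import List, Tuple

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "user", "domain local", "global", "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # USER, DOMAIN_LOCAL, GLOBAL or UNIVERSAL


def can_contain(group: Principal, member: Principal) -> bool:
    """Membership rules: may `member` be placed in `group`?"""
    same_domain = group.domain == member.domain
    if group.kind == DOMAIN_LOCAL:
        # users, global and universal groups from any domain in the forest,
        # plus other domain local groups from the same domain only
        if member.kind in (USER, GLOBAL, UNIVERSAL):
            return True
        return member.kind == DOMAIN_LOCAL and same_domain
    if group.kind == GLOBAL:
        # users and global groups from the same domain only
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == UNIVERSAL:
        # users, global and universal groups from any domain; never domain local
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    return False  # a user account cannot have members


def can_be_granted(group: Principal, resource_domain: str) -> bool:
    """Domain local groups get permissions only in their own domain; global and
    universal groups can be granted permissions anywhere in the forest."""
    if group.kind == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.kind in (GLOBAL, UNIVERSAL)


def check_plan(memberships: List[Tuple[Principal, Principal]],
               grant: Tuple[Principal, str]) -> List[str]:
    """Return the rule violations in a plan (an empty list means it is valid)."""
    problems = []
    for group, member in memberships:
        if not can_contain(group, member):
            problems.append(f"{group.kind} group '{group.name}' ({group.domain}) "
                            f"cannot contain {member.kind} '{member.name}' ({member.domain})")
    group, resource_domain = grant
    if not can_be_granted(group, resource_domain):
        problems.append(f"{group.kind} group '{group.name}' ({group.domain}) "
                        f"cannot be granted permissions in {resource_domain}")
    return problems


# Constructed forest: a root domain plus four child domains (five in total),
# each with its own global Help Desk Members group, as in question 26.
ROOT = "corp.example"
DOMAINS = [ROOT] + [f"{c}.{ROOT}" for c in "abcd"]
HELP_DESK_MEMBERS = [Principal("Help Desk Members", d, GLOBAL) for d in DOMAINS]


def plan_answer_c() -> List[str]:
    """Answer C: a universal group collects the five global groups, a domain
    local group in the root domain holds the universal group and receives the
    permission on the Interns OU, which lives in the root domain."""
    staff = Principal("Help Desk Staff", ROOT, UNIVERSAL)
    reset = Principal("Reset Interns", ROOT, DOMAIN_LOCAL)
    memberships = [(staff, g) for g in HELP_DESK_MEMBERS] + [(reset, staff)]
    return check_plan(memberships, (reset, ROOT))


def plan_global_staff() -> List[str]:
    """A *global* Help Desk Staff group (as in answers A and B) may only hold
    principals from its own domain, so the four child-domain groups fail."""
    staff = Principal("Help Desk Staff", ROOT, GLOBAL)
    reset = Principal("Reset Interns", ROOT, DOMAIN_LOCAL)
    memberships = [(staff, g) for g in HELP_DESK_MEMBERS] + [(reset, staff)]
    return check_plan(memberships, (reset, ROOT))


if __name__ == "__main__":
    print("answer C violations:", plan_answer_c())  # []
    for p in plan_global_staff():                    # four violations
        print("global-staff violation:", p)
```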
27. Your company's Windows 2000 network consists of a single domain. You are the enterprise administrator of the domain. Two administrators named Ann and Bill make changes to Active Directory at approximately the same time at two different domain controllers named ServerA and ServerB. Ann deletes an empty OU named Branch1 from ServerA. Before this deletion is replicated to ServerB, Bill moves five existing users from the Branch2 OU to the Branch1 OU at ServerB. Ten minutes later, Bill discovers that the Branch1 OU is deleted from Active Directory. You want to reinstate the configuration that Bill attempted to accomplish.
What should you do?
A. Perform an authoritative restore of the Branch1 OU at ServerA.
B. Perform a nonauthoritative restore of the Branch1 OU at ServerA.
C. Perform an authoritative restore of the five users at ServerB
D. At ServerB, move the Branch1 OU from the LostAndFound container to its original location.
E. At ServerA, create a new Branch1 OU. Move the five users from the Branch2 OU to the new Branch1 OU.
F. At ServerB, create a new Branch1 OU. Move the five users from the LostAndFound container to the new Branch1 OU.
Answer: F
When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion. This period of time is referred to as the "tombstone lifetime" and is configurable.
Orphaned objects will be moved to the LostAndFound container until their tombstone lifetime has expired (by default, 60 days) and the garbage collection process of AD is executed (by default, this runs on AD every twelve hours).
The LostAndFound container stores objects (with properties intact) that have been created in, or moved to, a container that no longer exists after replication.
28. Your company is deploying Windows 2000 Professional on a network of 300 computers. The network has two Windows 2000 Server computers. You have just enough Windows 2000 Professional licenses. You need to restrict the deployment so that Windows 2000 Professional is installed only on the licensed client computers. You need to minimize user intervention during the deployment and centralize the installation files.
What should you do?
A. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Allow users to perform unattended installation from the shared folder on the licensed computers.
B. Install RIS on one of the servers. Create user accounts for all licensed users. Configure the server to accept the connection from only known computers. Perform unattended installation for all connecting computers.
C. Create a shared folder on one of the servers. Restrict access to the share so that only 250 users can connect. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Allow users to perform unattended installation from the shared folder on the licensed computers.
D. Install RIS on one of the servers. Create computer accounts to the domain for only the licensed computers. Configure the RIS server to accept connections from only known computers. Allow users to perform unattended installation from the shared folder on the licensed computers.
Answer: D
Microsoft Article #Q298750
By pre-staging the client (known computers), the administrator can define a specific computer name, and optionally, the RIS server that can service the client:
Locate the container in the Active Directory service in which you want your client accounts to be created.
Right-click the container, click New , and then click Computer . The New Object-Computer dialog box is displayed.
Enter the computer name and authorize domain-join permissions for the user or security group that contains the user who is going to use the computer that this computer account represents.
In the next dialog box, you are prompted for either the globally unique identifier (GUID) or universally unique identifier (UUID) of the computer itself and whether you intend to use this computer as a managed (Remote OS Installation-enabled) client. Enter either the GUID or UUID, and then click to select the This is a managed computer check box.
The GUID or UUID is a unique 32-character number that is supplied by the manufacturer of the computer, and is stored in the system basic input/output system (BIOS) of the computer. This number is written on the case of the computer, or on the outside of the box that the computer had been shipped in. If you cannot locate this number, run the system BIOS configuration utility. The GUID is stored as part of the system BIOS. Contact your OEM for a VBScript (created with Visual Basic Scripting Edition) that can be used to prestage newly purchased clients in Active Directory for use with Remote OS Installation.
The next screen prompts you to indicate the RIS server that services this computer. This option can be left blank to indicate that any available RIS server can answer and service this client. If you know the physical location of the specific RIS server and where this computer will be delivered, you can use this option to manually load balance clients across the RIS servers in your organization as well as segment the network traffic. For example, if a RIS server is located on the fifth floor of your building, and you are delivering these computers to users on that floor, you can assign this computer to the RIS server on the fifth floor.
29. Your company's Windows 2000 domain contains an Organizational Unit (OU) named Shipping. The domain is in native mode. You want to delegate control of the Group Policy settings for the Shipping OU to a global group named Help Desk. Members of the Help Desk group need to be able to create and edit new GPOs and assign those GPOs to the Shipping OU. You do not want these members to assign GPOs to other OUs.
What should you do? (Choose two)
A. Add the Help Desk group to the Group Policy Creator Owners security group.
B. Create a new security group named Group Policy administrator in the Shipping OU. Add the Help Desk group to this new group.
C. On the existing GPO, assign Read and Write permission to the Help Desk group.
D. On the Shipping OU, assign the Apply Group Policy permission to the Help Desk group.
E. On the Shipping OU, delegate the predefined task named "Manage Group policy" links to the Help Desk group.
F. On all the OUs in the domain except the Shipping OU, deny write permissions to the Help Desk group.
Answer: A, E
Debated here and the answer still stands: MCSEBraindumps.com 70-217 Forum
Microsoft Article #Q221577 Delegating authority for editing GP objects
Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail. NOTE: Manage Group Policy links is a predefined task that you can choose when running the Delegate Authority Wizard.
Provide your user Full Control - Allow privilege. Full Control provides the user the ability to write to the GPO, and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission.
Microsoft Article #Q233548
Fixing a delegate that cannot edit GP objects
After you assign complete control of an Organizational Unit (OU) to a user or group using the Active Directory Users And Computers snap-in for Microsoft Management Console (MMC), that user or group may not be able to edit or create Group Policy objects. NOTE: The user or members of the group can create a new computer, user, group, and printer object in the container.
This issue occurs because the user or group that has control of the OU is not a member of the Group Policy Creator Owners security group.
30. You are the network administrator of a Windows 2000 domain. The domain has an OU named Help Desk. A Group Policy object (GPO) named Disable Regedit is assigned to the Help Desk OU. The only policy setting defined in the Disable Regedit GPO is the one that disables use of registry editing tools. For performance reasons, your company wants to minimize the number of GPOs that are processed at logon. The company has also decided that the restriction on the registry editing tools must no longer apply to the users of the Help Desk OU.
What should you do?
A. Remove the Disable Regedit GPO from the Help Desk OU.
B. Assign a new GPO in the Help Desk OU that enables the use of registry editing tools.
C. On the computers used by users in the Help Desk OU, edit the registry to allow the use of registry editing tools.
D. On the computers used by users in the Help Desk OU, configure the local GPO to allow the use of registry editing tools.
E. On the computers used by users in the Help Desk OU, delete the registry POL file from the \systemroot\System32\GroupPolicy folder.
Answer: A
C, D and E simply will not work because local policy or settings will be overwritten by all higher policies.
B - goes against the company's request to minimize the number of GPOs being processed.
31. You are the administrator of a domain named contonso.com. The domain contains an OU named Sales that has 20 users. It is stored on a domain controller named DC1. You inadvertently delete the Sales OU. You want to reinstate the Sales OU.
What should you do?
A. Move the tombstoned Sales OU from the LostAndFound container to the original location.
B. Copy the sales OU from another domain controller in the contonso.com domain to DC1.
C. Perform authoritative restore of the Sales OU from the last backup.
D. In Active Directory sites and service console. Force replication from another domain controller in the contonso.com domain.
Answer: C
Authoritative restore will return the AD to the state it was in when the backup was done.
A deleted OU is not moved to the LostAndFound container; only orphaned objects (objects created in, or moved to, a container that no longer exists) are moved there.
Microsoft Article #Q241594
Restore a Subtree
In many cases you may not want to restore the entire database due to the replication impact this would have on your domain or forest. The following steps will allow you to authoritatively restore a subtree within a Forest.
Restart the domain controller.
When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
At a command prompt, type "ntdsutil" (without the quotation marks), and then press ENTER.
Type "authoritative restore" (without the quotation marks), and then press ENTER.
Type "restore subtree "ou=<OU Name>,dc=<domain name>,dc=<xxx>"" (without the quotation marks), and then press ENTER, where <OU Name> is the name of the organizational unit you want to restore, <domain name> is the domain name the OU resides in, and <xxx> is the top level domain name of the domain controller, such as com, org, or net.
Type "quit" (without the quotation marks), press ENTER, type "quit" (without the quotation marks), and then press ENTER.
Type "exit" (without the quotation marks), and then press ENTER.
Restart the domain controller.
32. You are the network administrator of a Windows 2000 domain. Your current domain controller's hard disk drive is failing. You want to set up a new server as a domain controller to replace the failing domain controller. You run DCPromo.exe on the failing domain controller in your domain to remove Active Directory. While you are running DCPromo.exe, the hard disk drive fails. The server will not reboot. However, the objects of the failed server are still appearing in Active Directory. You are using the Ntdsutil utility. You want to remove the old server from Active Directory.
What option should you use?
A. Metadata cleanup
B. Semantic database analysis
C. Security account management
D. Domain management
E. Authoritative restore
Answer: A
Microsoft Article #Q230306
Orphaned objects can be removed from AD by using the NTDSUTIL command line utility and typing the "metadata cleanup" command. Replication then copies the deletion of the objects out to the other DCs.
33. You are the network administrator of a Windows 2000 domain. All of the domain resources are defined in two top-level OUs. The OUs are named West and East. William is the administrator of the West OU. Evert is the administrator of resources in the East OU. You move Printer1 from the West OU to the East OU. After you move the printer, Evert can administer it. However, William reports that he can still remove print jobs from Printer1. You want Evert to be the only one who can administer Printer1.
What should you do?
A. Use the delegation of control wizard on the east OU to assign printer1 permission to Evert.
B. Configure the security properties for printer1 to disallow inheritable permissions to propagate.
C. Remove the permissions for William from Printer1.
D. Configure the printer permission on the west OU to apply to only the west OU.
Answer: C
William's permissions on the object stay with it when it is moved within the domain, so removing William's permissions from Printer1 will remove his ability to remove print jobs from it.
34. You are configuring a Windows 2000 DNS Server on your company network. DNS is installed on an NT 4.0 Server on your NT 4.0 domain. You want to use dynamic updates on a DNS database, but company management won't allow an upgrade or the decommissioning of its DNS server. All DNS information must be synchronized between these two DNS servers.
What should you do? (Choose three)
A. Create a primary zone on a Windows 2000 DNS Server and import the existing zone file.
B. Create a secondary zone on a Windows 2000 DNS Server.
C. Delete and recreate a primary zone on an NT DNS Server.
D. Delete the existing zone and create a new secondary zone on the NT 4.0 DNS Server.
E. Configure a primary zone on the NT DNS Server as the master zone for the secondary zone on the Windows 2000 DNS Server.
F. Configure a secondary zone on the NT 4.0 DNS Server to use the Windows 2000 Standard primary zone as its master zone.
Answer: A, D, F
Microsoft Article #Q300468
Windows NT DNS does not support DDNS; however, it can be a secondary to a W2k server that does.
To get the database onto the W2k server, you can import the existing zone file while creating the new primary zone, or you can set the W2k server up as a secondary and then sync it with the NT primary.
Once the new zone is set up on the W2k DNS server, you can remove the NT DNS and, if need be, change the role of the W2k DNS to primary and set it to allow dynamic updates.
35. You are the backup operator of a Windows 2000 domain. The domain has two domain controllers. You want the Active Directory database file of both domain controllers to be automatically backed up once a week.
What should you do?
A. Schedule a backup job that will backup the System State data once a week.
B. Schedule a backup job and select Schema.ini file in the System32 folder and all files in the NTDS folder to be backed up once a week.
C. Schedule a task that will run NTDSUTIL once a week.
D. Schedule a task that will copy the Ntds.dit file and the SYSVOL folder once a week.
Answer: A
Microsoft Article #Q300960
When you choose to back up the system state on a domain controller, the items included are:
Active Directory (NTDS)
The boot files
The COM+ class registration database
The registry
The system volume (SYSVOL)
When you back up the system state on a non-domain controller, the items included are:
The boot files
The COM+ class registration database
The registry
When you back up a member server or DC with Certificate Server installed, an additional item is:
Certificate Server
36. You are the administrator of your company's network. The network consists of one Windows 2000 domain that spans multiple subnets. You are configuring DNS for host name resolution throughout the network.
You want to accomplish the following goals:
DNS zone transfer traffic will be minimized on the network.
Administrative overhead for maintaining DNS zone files will be minimized.
Unauthorized host computers will not have records created in the zone.
All zone updates will come only from authorized DNS servers.
All zone transfer information will be secured as it crosses the network.
You take the following actions:
Create an Active Directory integrated zone.
In the Zone Properties dialog box, set the Allow Dynamic Updates option to "Only Secure Updates".
On the Name Servers tab of the Zone Properties dialog box, enter the names and addresses of all DNS servers on the network.
On the Zone Transfers tab of the Zone Properties dialog box, select Allow zone transfers "Only to servers listed on the Name Servers tab".
Which results do these actions produce? (Choose all that apply)
A. DNS zone transfer traffic will be minimized on the network.
B. Administrative overhead for maintaining DNS zone files will be minimized.
C. Unauthorized host computers will not have records created in the zone.
D. All zone updates will come only from authorized DNS servers.
E. All zone transfer information will be secured as it crosses the network.
Answer: A, B, C, D, E
(similar to question 20)
Action 1 ensures "DNS zone traffic minimized". Creating an AD-integrated zone involves configuring DCs as DNS servers (which automatically become primary servers for the zone). Zone transfers are performed during AD replication, and this creates less network traffic than standard zone transfers.
Action 2 ensures "Admin overhead for maintaining DNS zone files minimized". Enabling dynamic updates minimizes admin overhead for zone maintenance because each host auto registers itself with DNS and updates its records as needed.
Action 3 also ensures "Unauthorized host computers will not have records created in zone" because you chose "Only Secure Updates" (only available in an AD-integrated zone). Secure updates specify that only users, groups or computers that have been granted the right to write to the zone or record have the ability to update the record.
Action 4 ensures "All zone updates only to authorized DNS servers". This is done by explicitly listing the IP's of those DNS servers (that will receive zone information) on the Properties > Zone Transfers tab for the zone. Alternatively, you can specify authoritative servers for the zone on the Name Servers tab and then select the option to "Allow zone transfers to Only those server that are listed on the Name Servers tab". Selecting "Allow zone transfers...Name Servers tab" was done so "All zone updates only to authorized DNS servers" is met. Be careful on this point.
37. You are the administrator for your company. You are deploying Windows 2000 on your network of 10,500 users. There are 15 departments in your company. Each department needs to use specific features of Windows 2000 and custom third party applications. You want to minimize the administrative time required to set up the client computers. You also want to provide customized software installations to the users.
What should you do?
A. Install and configure a RIS server on your network. Use RIPrep.exe to create multiple images for each department. Connect the client computers to the RIS server and deploy the custom images.
B. Install and configure a RIS server on your network. Create different installation script files for each department. Deploy the computers by using RIS.
C. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Perform unattended installations from the shared folder by using script files, and then install the third-party applications.
D. Create a shared folder on one of the servers. Copy the source files from the Windows 2000 Professional CD-ROM to the shared folder. Perform attended installations from the shared folder, and then select only the components you need for each department.
Answer: A
Microsoft Article #Q298750
RIPrep is used to create a master image of a fully configured client computer (W2k Only) which includes all applications. The RIPrep.exe utility removes the SID and all hardware specific settings from the master image.
To prevent users from installing the wrong image, or to limit the people who can install the image, grant rights to the folder based on group membership. If need be, create new groups and add the users that need access to that group; it is not recommended that you grant rights to the folder based on individuals.
38. You are the administrator of a Windows 2000 network. The network's domain structure is shown in an exhibit. The us.litware.com and the eur.litware.com domains are in mixed mode. The litware.com and the treyresearch.com domains are in native mode. The us.litware.com domain has two Windows NT 4.0 BDCs that support legacy applications. When users from the us.litware.com domain attempt to access a shared folder in the litware.com domain, they receive an error message stating that access is denied. There is a universal group that has Read permission to the Sales folder. Sales is assigned Read permission for the shared folder. When you log on as a member of the Sales group from the litware.com domain, you are able to access the shared folder.
What should you do to correct this problem?
A. Switch the us.litware.com domain to native mode.
B. Add a global catalog server to the us.litware.com domain.
C. Create a global group in the us.litware.com domain. Add the user accounts that need access to the shared folder to the global group. Add the global group to the universal group.
D. Create a universal group in the us.litware.com domain. Add the user accounts that need access to the shared folder to the universal group. Grant Read permission to the universal group for the shared folder in the litware.com domain.
E. Create a global group in the us.litware.com domain. Add the user accounts from the us.litware.com domain to the global group. Grant Read permission to the global group for the shared folder.
Answer: E
(Updated 5/05/02)
Debated Here: MCSEBraindumps.com 70-217 Forum
A - Not needed, and it can't be done since you have two NT BDCs there to support legacy applications.
B – Not needed and will not change the rights.
C – There has been much debate whether C or E is the correct answer. At the above link it was proven that C will generate an error
D - The us.litware.com domain is in mixed mode; Universal groups are only available in native mode.
E – This is the correct answer and there has been much debate on whether C or E is the correct answer.
Domain Local Groups - can contain users, global groups, and universal groups from any domain anywhere in the forest, but they can only be granted permissions on resources within their own domain. They can also contain other domain local groups from the same domain.
Global Groups - can contain users from the local domain and, when in native mode, other Global groups from the local domain, but they can be granted permissions on any resource in any domain in the forest.
Universal Groups - can contain users and groups (Global or Universal) from any domain anywhere in the forest, and they can be granted permissions on any resource anywhere in the forest. (Only available in native mode)
Recommended method of using groups: AGUDLP
A - Accounts (users)
G - Global Groups
U - Universal Groups (when available - Native Mode)
DL - Domain Local Group
P - Permissions
Assign Users to Global Groups, Global Groups to Universal Groups, Universal Groups to Domain Local Groups, and Permissions to the Domain Local Groups. (In mixed mode, where Universal groups are not available, you would assign Global Groups directly to Domain Local Groups.)
E does not quite conform to the above, but it is the best choice based on what we have here.
39. You are the administrator of a Windows 2000 domain. The domain has an organizational unit (OU) named Help Desk. All users in the Help Desk OU use an application named PhoneID. The PhoneID application is deployed by using a Group Policy object (GPO) named Phone App on the Help Desk OU. The Phone App GPO is configured to publish the PhoneID application to users by using a Microsoft Windows Installer package for the application. Currently, only the users in the Help Desk OU can start the PhoneID application. You want all users in the domain to be able to install the PhoneID application by using a Start menu shortcut.
What should you do?
A. Remove the Phone App GPO link to the Help Desk OU. Assign the Phone App GPO to the domain. Change the configuration of the Phone App GPO to assign the PhoneID application to users.
B. Create a new GPO named Phone For All. Assign the Phone For All GPO to the domain. Configure the Phone For All GPO to assign the PhoneID application to computers.
C. Configure the Phone App GPO to assign the PhoneID application to users. Configure the permissions on the Phone App GPO to assign Apply Group Policy permission to the Authenticated Users group.
D. Configure the Phone App GPO to assign the PhoneID application to computers. Configure the PhoneID Windows Installer package to upgrade the installed PhoneID application. Set the Windows Installer policy to disable rollback.
Answer: A
You need to reconfigure the already published application as an assigned application and make it available to all users, not just the Help Desk OU.
Per Windows 2000 Help:
Assigning an application to a user advertises the application on the user's computer without actually installing it. It only adds the shortcuts to the Start menu and the needed file associations in the registry. The user can then install the application either by launching the program from the Start menu or by opening a file associated with the application. Users can uninstall assigned applications, but the applications will continue to be advertised to them. User-assigned applications follow the user and will be installed on any computer they log onto.
Assigning an application to a computer advertises the application on the computer and installs it when it is safe to do so, typically when the computer is starting up.
40. You are the administrator of a network that consists of 500 computers. You are deploying Windows 2000 Professional on the computers in the Tech and Sales organizational units (OUs). There is one Windows 2000 Server computer that is running RIS. You create a group named RIS Installers that consists of users from the Tech OU. Only members of the RIS Installers group will use RIS to deploy Windows 2000.
You want to accomplish the following goals:
Members of the RIS Installers group will be able to choose client computer names during client computer installation.
New computer accounts will be organized into their corresponding OUs.
The company naming convention will be applied to all new computer accounts.
Computers that are not in either the Tech OU or the Sales OU will not be able to download images during RIS deployment.
You take the following actions:
Create an OU, then specify the client account location in the RIS properties sheet.
Enter a custom Client computer naming format in the RIS properties sheet.
Place the Mktg computers in a different IP subnet from the Tech and Sales users.
Which results do these actions produce? (Choose all that apply)
A. Members of the RIS Installers group can choose client computer names during client computer installation.
B. New computer accounts are organized into their corresponding OUs.
C. The company naming convention is applied to all new computer accounts.
D. Computers that are not in either the Tech OU or the Sales OU cannot download images during RIS deployment
Answer: A, C
(Updated 4/22/02)
The question and answer combo here seems to leave out some information, or at least cause you to make many assumptions.
It clearly states that you set up a custom computer-naming format, so we can say C is correct. We can also say that A is correct because if this is not an unattended install, the name field will simply be pre-populated with the custom name and the user can freely change the computer name before moving on.
Your first Action - creates an OU and sets RIS up to create computer accounts somewhere, but it does not state where. The 3 options for directing where computer accounts are created are listed at the end.
Your second action - You modify the RIS server to use a custom client computer-naming format for your computers.
Your third action - You have moved the MKTG computers to a different subnet from the others. This does not accomplish anything as the RIS can be used throughout the domain.
When setting up a Remote Install, you can adjust the advance settings to use a Custom client computer naming format and where to install the computer accounts during creation. You have 3 choices where to install them:
Default Directory Service location (this would cause the accounts to be created in the default Computers container)
Same location as that of the user setting up the client computer (this would make B correct)
The following directory service location. (This would cause all accounts to be created in one location)
In order for users to be able to create computer accounts in the domain, they must be delegated the "Join a computer to the domain" permission.
There is also no indication as to where the GPO for the RIS was applied or the OU structure, which will determine policy inheritance. This would determine if D is correct or not.
41. You are the administrator of your company's network. Your company has two domains in six sites as shown in an exhibit. Each site has one or more domain controllers. For fault-tolerance and load-balancing purposes, one domain controller in each site is configured as a global catalog server (GC). Users report that, several times a day, network performance and data transfer for an application located in SiteA are extremely poor. You want to improve network performance.
What should you do?
A. Configure at least two domain controllers in each site as GC servers.
B. Configure the domain controllers in only one site as GC servers.
C. Create site links between all sites and use the default replication schedules.
D. Create site links between all sites and set less frequent replication schedules.
E. Create connection object between each domain controller. Use RPC as the transport protocol.
F. Create connection objects between each domain controller. Use SMTP as the transport protocol.
Answer: D
Microsoft Article #Q228866
Two of the factors used to determine when inter-site replication is initiated over a connection include: the replication interval and the replication schedule. This article describes how these two values are used to determine when Windows 2000 initiates inter-site replication.
The replication schedule, defined by site link and connection objects, is used to define the time(s) that replication is allowed to occur. The replication interval is used to define how often replication should occur during a "window of opportunity" based on the schedule.
In environments in which multiple site links must be traversed for replication to occur between two points, the resulting replication schedule is actually an "intersection," or common available time between all site links involved in the communication between the two domain controllers.
You should set a less frequent replication schedule so that replication isn't taking place when the network is in heavy use. Global Catalog servers can also help because they contain info about all resources on a network (once connected to the network, computers immediately contact the nearest GC server). Note that in this question, each site already has a GC server so adding another will have very little effect.
42. You are the enterprise administrator of a Windows 2000 domain named fabrikam.com. The domain contains three domain controllers named DCA, DCB, and DCC. DCA does not hold any operations master roles. You backed up the System state data of DCA two weeks ago. Without warning, the DCA domain controller's hard disk fails. You decide to replace DCA with a new computer. You install a new Windows 2000 server computer.
What should you do next?
A. Add the server to the domain. Do an authoritative restore of the original backup of the original DCA System State data that you made two weeks ago.
B. Add the server to the domain. Use Windows Backup to create a backup of the DCB System state data, and restore this backup on the new DCA.
C. Use the Active Directory installation wizard to make the new computer a replica in the domain.
D. Use the NTDSUTIL utility to copy the active Directory database from DCB to the new DCA.
Answer: C
DCA did not hold any operations master roles, so there are no master roles to transfer to another DC. You can simply promote another server to a DC to take its place and allow the correct information to be copied to it automatically by Active Directory replication.
43. You are the administrator of a Windows 2000 domain. The domain has two domain controllers named Server1 and Server2. The volume that contains the Active Directory database file on Server1 is running out of disk space. You decide to move the database file to an empty volume on a different disk on Server1.
What should you do?
A. Restart Server1 in Directory Services restore mode. Use the NTDSUTIL utility to move the database file to the empty volume.
B. Use Windows Backup to create a backup of the System State data of Server1. Restart Server2 in Directory Services restore mode. Restore the system State data to the empty volume.
C. Use the Logical Disk Manager console to mount the empty volume in the folder that contains the Active Directory database file.
D. Stop the Netlogon service on Server1. Use Windows Explorer to move NTDS.DIT to the empty volume. Start the NetLogon service again. Force replication from Server2.
Answer: A
The error you'll receive on the domain controller will be Lsass.exe - System Error, Directory Services could not start because of the following error: There is not enough space on the disk. Error Status: 0xc000007f. Please click OK to shutdown this system and reboot into Directory Service Restore Mode, check the event logs for more detailed information.
Microsoft Article #Q315131
The NTDS.DIT database file is locked and you cannot access it unless you boot into DS Restore Mode.
There are two possible resolutions:
Resolution Method #1, clear space on the drive:
Boot the domain controller into Directory Services Restore mode (Windows 2000 domain controllers only), and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process).
Locate the drive containing the directory and log files (located in the NTDS folder on the root drive by default).
Free some space on the drive, then reboot normally. If there is no space to free, use method 2.
Resolution Method #2, move the database or log files (correct answer to this question):
You can move the Ntds.dit data file to the new folder that is specified by the location variable. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.
At the Ntdsutil command prompt, type files, and then press ENTER.
At the file maintenance command prompt, type Move DB to Folder_location (where Folder_location is location of an existing folder that you have created for this purpose), and then press ENTER and a verification is displayed.
To exit the tool, type q at the command prompt, press ENTER, type q again, and then press ENTER.
44. You are the enterprise administrator of a Windows 2000 domain. The domain has three domain controllers named DC1, DC2, and DC3. Because of changed hardware requirements, you want to replace the domain controller named DC1 with a newer computer named DC4. You want DC4 to be a domain controller in the domain. You no longer want DC1 to function as a domain controller.
What should you do?
A. Install DC4 as a stand-alone server in a workgroup named WG. Restore a System State data backup of DC1 on DC4. On DC1, use the Active Directory Installation wizard to remove Active Directory from DC1.
B. Install DC4 as a stand-alone server in a workgroup named WG. Disconnect DC1 from the network. Rename DC4 to DC1. On DC2, force replication of AD to all its replication partners.
C. Install DC4 as a member server in the domain. On DC4, use the Active Directory Installation wizard to install Active Directory on DC4. On DC1, use the Active Directory Installation wizard to remove Active Directory from DC1.
D. Install DC4 as a member server in the domain. On DC1, use the Ntdsutil to copy the Active Directory files to DC4. Use the Active Directory Installation wizard to remove Active Directory from DC1.
Answer: C
Microsoft Article #Q238369
This article describes how to promote or demote a domain controller to a stand-alone server in Windows 2000. Promoting a server to a domain controller is the process of installing Active Directory Services on that server. Demoting a domain controller removes Active Directory and switches to using a local User Accounts System (UAS). Before promoting a server to a domain controller, you must plan your structure to best suit your organizational needs and network topologies.
DCPROMO initiates the Active Directory Installation Wizard. The Active Directory Installation Wizard is used to install Active Directory on a member server in the domain (thus creating a domain controller) and to remove AD.
45. You are the network administrator for your company. Your company's main office is in Seattle. Branch offices are in New York, Rome, and Tokyo. The local administrators at each branch office need to be able to control local resources. You want to prevent the local administrators from controlling resources in the other branch offices. You want only the administrators from the main office to be allowed to create and manage user accounts. You want to create an active directory structure to accomplish these goals.
What should you do?
A. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Domain Admins group in their child domains.
B. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Enterprise Admins group in the domain tree.
C. Create a single domain. Create a group named Branch Admins. Grant the local administrators membership in this group. Assign permissions to the local resources to this group.
D. Create a single domain. Create an OU for each branch office and an additional OU named CorpUsers. Delegate authority for resource administration to the local administrators for their own OUs. Delegate authority to the CorpUsers OU only to the Domain Admins group.
Answer: D
A - Creating additional domains and making them the admins of the domain gives them complete control over that domain, including user accounts.
B - Creating additional domains and making them Enterprise admins gives them complete control over the entire forest, including user accounts.
C - This does not give the local administrators enough control to manage the resources in their own branch offices.
D - Provides the best and most logical way to do it. Local admins will be able to manage the resources in their own OUs, and all user accounts will be managed by the main-office administrators who are members of the Domain Admins group.
When you use a combination of OU nesting and access control lists (ACL), you can delegate the administration of objects in the directory in a very granular manner.
46. You are the administrator of your company's network. Your company has its main office in Seattle and branch offices in London, Paris, and Rio de Janeiro. The local administrator at each branch office must be able to control users and local resources.
You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals.
What should you do?
A. Create a top-level OU. Delegate control of this OU to administrators at the main office.
B. Create child OUs for each office. Delegate control of these OUs to administrators at the main office.
C. Create child OUs for each office. Delegate control of each OU to the local administrators at each office.
D. Add the local administrators to the Domain Admins group.
E. Create users groups for each office. Grant the local administrators the appropriate permissions to administer these user groups.
Answer: C
When you use a combination of OU nesting and access control lists (ACL), you can delegate the administration of objects in the directory in a very granular manner.
47. You install a Windows 2000 Server computer on your network. You promote the computer to be a domain controller. This computer also functions as the DNS server for the domain. All client computers are running Windows 2000 Professional. When users attempt to log on they receive an error message stating that a domain controller cannot be located. You verify that Active Directory is installed and functional on the server. You want to ensure that the domain controller is available for user logons.
What should you do next?
A. Check DNS for the addition of an appropriate SRV record in the zone.
B. Check DNS for the addition of an appropriate A record in the zone.
C. Check for the presence of an NTDS folder on the domain controller.
D. Check for the presence of a Sysvol folder on the domain controller.
E. On the client computers, create a HOSTS file that contains the SRV records for the domain controller.
F. On the client computers, create a HOSTS file that contains the A record for the DC.
Answer: A
Microsoft Article #Q241515
After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV records in the following folders:
DNS service (SRV) resource records are necessary to help clients find Active Directory servers. The SRV resource record allows administrators to use several servers for a single domain, to move services from host to host easily and to designate some hosts as primary servers for a service and others as backups.
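Added example (not from the dump and not Microsoft's locator code): a small Python model of how a client uses the _ldap._tcp.dc._msdcs SRV record set to pick a domain controller, applying the RFC 2782 priority/weight rules that let some hosts act as primaries and others as backups. The domain, host names and record values are constructed placeholders, and an empty record set reproduces the "domain controller cannot be located" condition from the question.

```python
"""Model of DC location via SRV records (added example, constructed data)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first; higher-priority hosts are backups
    weight: int     # relative share of load among hosts of equal priority
    port: int
    target: str


# Constructed sample data for _ldap._tcp.dc._msdcs.example.com (placeholders)
DC_SRV_NAME = "_ldap._tcp.dc._msdcs.example.com."
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "dc1.example.com."),
    SrvRecord(0, 100, 389, "dc2.example.com."),
    SrvRecord(10, 0, 389, "dc-backup.example.com."),   # used only on failover
]


def order_by_priority(records):
    """Group records into tiers, lowest priority value first."""
    tiers = {}
    for r in records:
        tiers.setdefault(r.priority, []).append(r)
    return [tiers[p] for p in sorted(tiers)]


def pick_weighted(tier, rng=random):
    """RFC 2782 weighted choice within one priority tier.

    Weight-0 records are placed first so they are chosen only when the
    random draw is exactly 0 (or when every record has weight 0).
    """
    ordered = sorted(tier, key=lambda r: r.weight != 0)   # zero weights first
    total = sum(r.weight for r in ordered)
    if total == 0:
        return rng.choice(ordered)
    draw = rng.randint(0, total)          # inclusive on both ends per RFC 2782
    running = 0
    for r in ordered:
        running += r.weight
        if running >= draw:
            return r
    return ordered[-1]


def select_dc_order(records, rng=random):
    """Return the full failover order a client would try.

    Each tier is exhausted (weighted picks without replacement) before the
    next, higher-priority-value tier is consulted.
    """
    order = []
    for tier in order_by_priority(records):
        remaining = list(tier)
        while remaining:
            chosen = pick_weighted(remaining, rng)
            order.append(chosen)
            remaining.remove(chosen)
    return order


def locate_dc(zone, domain, rng=random):
    """Look up the DC SRV set for `domain` in a zone (dict of owner -> records).

    Returns the ordered candidate list, or None when the SRV records are
    missing, which is the symptom in the question: the client cannot locate
    a domain controller even though Active Directory itself is healthy.
    """
    records = zone.get(f"_ldap._tcp.dc._msdcs.{domain}.")
    if not records:
        return None
    return select_dc_order(records, rng)


if __name__ == "__main__":
    zone = {DC_SRV_NAME: SAMPLE_SRV}
    for rec in locate_dc(zone, "example.com") or []:
        print(f"try {rec.target}:{rec.port} (priority {rec.priority})")
    print("empty zone ->", locate_dc({}, "example.com"))
```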
48. You are the administrator of a Windows 2000 network for Miller Textiles. The network configuration is shown in an exhibit.
The millertextiles.com domain is hosted on Server1 as an Active Directory integrated zone, and on Server3 as a secondary zone.
All client computers on Segment B are running Windows 2000 Professional. All client computers on Segment A are down-level client computers. All client computers are DHCP clients as well. You share some network resources on several of the client computers on Segment A. Several days later you attempt to connect to those shared resources from client computers on Segment B, but you are unable to resolve the host names of client computers on Segment A.
How should you correct this problem?
A. On the DHCP server, set the DNS Domain Name scope option to millertextiles.com.
B. On Server1 for the millertextiles.com zone, change the value of "Allow Dynamic Updates" from the default settings to "Yes".
C. Configure the millertextiles.com domain to allow zone transfers to all the computers on the network.
D. On Server2, enable updates for DNS clients that do not support dynamic updates.
Answer: D
Microsoft Article #Q317590
To configure DNS dynamic update for a Windows 2000 DHCP server:
Click Start , point to Programs, point to Administrative Tools, and then click DHCP.
Click the appropriate DHCP server or a scope on the appropriate DHCP server.
On the Action menu, click Properties.
Click the DNS tab.
To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.
49. You are the administrator of the Contoso, Ltd., company network. You are designing a Windows 2000 domain. Contoso, Ltd., has an Internet presence and owns contoso.com, a registered domain name. The existing DNS zone is hosted on Windows NT 4.0 Server computers.
You want to accomplish the following goals:
Internal host names will not be exposed to the Internet.
Internal users will be able to resolve external names for access to Internet-based resources.
Complexity and depth of domain names for Active Directory will be minimized.
To comply with management requirements, the existing DNS servers that host the zone for contoso.com will not be upgraded.
The exhibit shows your actions. Which results does your implementation produce? (Choose all that apply)
A. Internal host names will not be exposed to the Internet.
B. Internal users will be able to resolve external names for access to Internet-based resources.
C. Complexity and depth of domain names for Active Directory will be minimized.
D. To comply with management requirements, the existing DNS servers that host the zone for Contoso.com will not be upgraded.
Answer: A, B, C, D
(updated 4/22/02)
A - With a private network name and internal primary DNS server, internal names will not be exposed to the internet.
B - The internal DNS server hosts a secondary zone for the external contoso.com zone, and the internal namespace is not a child domain of the external domain, so internal users can resolve external names without the need for forwarders.
C - Everything is pretty simple.
D - It's not necessary to upgrade the external DNS
50. You are the administrator of your company's network. The network consists of one Windows 2000 domain that spans multiple subnets. You are configuring DNS for host name resolution throughout the network.
You want to accomplish the following goals:
DNS zone transfer traffic will be minimized on the network.
Administrative overhead for maintaining DNS zone files will be minimized.
Unauthorized host computers will not have records created in the zone.
All zone updates will come only from authorized DNS servers.
All zone transfer information will be secured as it crosses the network.
You take the following actions:
Create an Active Directory integrated zone.
In the Zone Properties dialog box, set the "Allow Dynamic Updates" option to Yes.
On the Name Servers tab of the Zone Properties dialog box, enter the names and addresses of all DNS servers on the network.
Which results do these actions produce? (Choose all that apply)
A. DNS zone transfer traffic will be minimized on the network.
B. Administrative overhead for maintaining DNS zone files will be minimized.
C. Unauthorized host computers will not have records created in the zone.
D. All zone updates will be sent only to authorized DNS servers
E. All zone transfer information will be secured as it crosses the network.
Answer: A, B, E
Action 1 ensures "DNS zone traffic minimized". Creating an AD-integrated zone involves configuring DCs as DNS servers (which automatically become primary servers for the zone). Zone transfers are performed during AD replication, and this creates less network traffic than standard zone transfers.
Action 2 ensures "Admin overhead for maintaining DNS zone files minimized". Enabling dynamic updates minimizes admin overhead for zone maintenance because each host registers itself with DNS automatically and updates its records as needed.
Action 3 almost ensures "All zone updates only to authorized DNS servers". This is done by explicitly listing the IPs of those DNS servers (that will receive zone information) on the Properties > Zone Transfers tab for the zone. Alternatively, you can specify authoritative servers for the zone on the Name Servers tab and then select the option to "Allow zone transfers to only those servers that are listed on the Name Servers tab". Selecting "Allow zone transfers...Name Servers tab" was NOT done, so "All zone updates only to authorized DNS servers" was NOT met. Be careful on this point.
To ensure "Unauthorized host computers will not have records created in zone", you need "Only Secure Updates" (only available in an AD-integrated zone). Secure updates specify that only users, groups or computers that have been granted the right to write to the zone or record have the ability to update the record. However, this action wasn't taken in this scenario.
51. You are the network administrator for Arbor Shoes. Part of your multi-site Windows 2000 network configuration is shown in an exhibit. You discover an error in several host records that is preventing client computers in Atlanta from accessing some shared resources. You make the necessary corrections on Server1. You want these changes to be propagated to Atlanta immediately.
What should you do?
A. On the Action menu for the arborshoes.com zone, click "Update Server Data Files".
B. At Server5, perform the Transfer from master action for the arborshoes.com zone.
C. At Server1, stop and start the DNS server service.
D. At Server5, select Allow zone transfers on the arborshoes.com zone.
Answer: B
Force a DNS zone transfer by right-clicking the zone name in the DNS snap-in, and then clicking Transfer from Master.
D - would not be correct because the records on Server5 in Atlanta are wrong just as they are on the primary. This indicates that Atlanta is receiving zone transfers. If it was not, it would not have had the wrong DNS entries from Server1 to begin with. Obviously Server3 is going to have this problem as well, but MS is trying to trick you by only stating that Atlanta needs these updates immediately.
52. You are the network administrator for LitWare, Inc. You are implementing Windows 2000 on your network. Part of your network configuration is shown in an exhibit. You have installed Server2 and Server4 as domain controllers for LitWare.com. You have installed Server1 and Server3 as DNS servers for the litware.com domain. Each server has a standard primary zone named litware.com. You configure the domain to run in native mode.
When Server2 attempts to contact Server4 by name, it cannot establish a connection. However, you can ping both Server2 and Server4 from any computer in either site. You need to be able to resolve names from within both sites. You want the information to be updated regularly.
What should you do?
A. Configure Server1 and Server3 to allow dynamic updates in DNS.
B. Configure Server1 and Server3 to allow zone transfers to any server. Then configure the DNS notification options to notify each server of updates.
C. Reinstall Server4 as a member server in the same domain as Server2. Create a new site and promote Server4 to a domain controller within the new site.
D. Re-create the litware.com zone on Server3 as a secondary zone. Configure Server3 to replicate DNS data from Server1.
Answer: D
Both DNS servers were configured with standard primary zones for the same namespace, so there was no replication between them: a record registered on one server was unknown to the other. One of the DNS servers needs to be configured as a secondary for the zone. Both servers will then maintain the same information for the zone, and wrong information will not be provided to requesting clients. A standard secondary zone creates a replica of an existing zone and stores this data in a read-only, standard text file.
53. You are hired by Fabrikam, Inc., to secure its Windows 2000 network. You use Security Templates to create a custom template and save it as Securefab.inf. You need to use this template on five domain controllers in the fabrikam.com domain.
What should you do? (Choose two)
A. Copy the Securefab.inf file to the Sysvol shared folder on one domain controller.
B. Create a new security database.
C. Import the Securefab.inf file.
D. Rename Securefab.inf to Ntconfig.pol
E. Create a Group Policy object on the Domain Controller Organizational Unit.
Answer: C, E
Microsoft Article #Q216735
Windows provides administrators with several different utilities that can be used for configuring computer security throughout an enterprise. This article discusses the following utilities and provides some usage guidelines.
The Security Configuration and Analysis tool is used to analyze and configure security settings. Preconfigured template files (stored in Systemroot\security\templates) are used for analysis and to customize for specific security needs. These settings can be exported to an .inf file and applied to a Group Policy Object (using the Group Policy Editor or you can apply them directly to a specific computer using the Security Configuration and Analysis snap-in).
54. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A
When you audit account management events, you can track changes to user account information (including password changes), account creation and account deletion; in Windows 2000 a deletion is recorded as event ID 630 (User Account Deleted), and its description names the caller who performed it. The security log is kept locally on each domain controller and is not replicated, so the event exists only on the DC that processed the deletion. That is why the logs have to be viewed on each DC.
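As an added example (not part of the dump), this is the search the answer describes, run over exported security-log records: filter on the Account Management category and event ID 630, then pull the deleted account and the caller out of the description. The records in SAMPLE_LOG are constructed to mimic Event Viewer's tab-separated text export (Date, Time, Source, Type, Category, Event, User, Computer, Description) and the Windows 2000 description wording; they are not real log data, and the account names are made up.

```python
"""Find who deleted a user account in exported Windows 2000 security logs.
Added example; SAMPLE_LOG is constructed, not a real export."""
import re
from typing import NamedTuple, Optional

ACCOUNT_DELETED = 630   # Windows 2000 "User Account Deleted" (Account Management)

# Constructed sample: one record per line, 8 tab-separated columns followed by
# the description text, which is how Event Viewer's "Save as text" lays it out.
SAMPLE_LOG = """\
5/16/2002\t09:12:44\tSecurity\tSuccess Audit\tAccount Management\t624\tSYSTEM\tDC1\tUser Account Created: New Account Name: tsmith New Domain: CORP Caller User Name: hradmin Caller Domain: CORP
5/16/2002\t09:40:02\tSecurity\tSuccess Audit\tObject Access\t560\tjdoe\tDC1\tObject Open: Object Name: C:\\Payroll\\q1.xls
5/16/2002\t10:05:17\tSecurity\tSuccess Audit\tAccount Management\t630\tSYSTEM\tDC2\tUser Account Deleted: Target Account Name: jdoe Target Domain: CORP Target Account ID: S-1-5-21-1-2-3-1105 Caller User Name: bsmith Caller Domain: CORP Caller Logon ID: (0x0,0x3E7)
5/16/2002\t10:06:01\tSecurity\tSuccess Audit\tAccount Management\t642\tSYSTEM\tDC2\tUser Account Changed: Target Account Name: mlee Target Domain: CORP Caller User Name: bsmith Caller Domain: CORP
"""

FIELDS = ("date", "time", "source", "type", "category", "event", "user", "computer", "description")


class Deletion(NamedTuple):
    when: str
    dc: str
    target: str
    caller: str


def parse_export(text):
    """Yield one dict per record. The description is the 9th column and may
    itself contain tabs, so the split is capped at 8."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 8)
        if len(parts) != 9:
            continue            # truncated record: skip rather than misattribute
        yield dict(zip(FIELDS, parts))


# Pulls the deleted account and the caller out of a 630 description.
_DELETE_RE = re.compile(r"Target Account Name:\s*(\S+).*?Caller User Name:\s*(\S+)")


def find_deletions(text, target: Optional[str] = None):
    """Return every account deletion in the export, optionally only for one
    account name (case-insensitive). Filters on category and event ID first,
    then reads the description; a description that does not parse is kept
    with '?' so it is not silently dropped."""
    hits = []
    for rec in parse_export(text):
        if rec["category"] != "Account Management" or int(rec["event"]) != ACCOUNT_DELETED:
            continue
        m = _DELETE_RE.search(rec["description"])
        deleted, caller = m.groups() if m else ("?", "?")
        if target is None or deleted.lower() == target.lower():
            hits.append(Deletion(f'{rec["date"]} {rec["time"]}', rec["computer"], deleted, caller))
    return hits


if __name__ == "__main__":
    for d in find_deletions(SAMPLE_LOG, target="jdoe"):
        print(f"{d.when} on {d.dc}: {d.caller} deleted {d.target}")
```

Run it against the export from each DC in turn; only the DC that processed the deletion (DC2 in the sample) will return a hit.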
55. You are the administrator of your company's network. The network consists of one Windows NT 4.0 domain. You create and implement a security policy that is applied to all Windows 2000 Professional client computers as they are staged and added to the network. You want this security policy to be in effect at all times on all client computers on the network. However, you find out that administrators periodically change security settings on computers when they are troubleshooting or doing maintenance. You want to automate the security analysis and configuration of client computers on the network so that you can track changes to security policy and reapply the original security policy when it has been changed.
What should you do?
A. Use Windows NT System Policy to globally configure the security policy settings on the client computers.
B. Use Windows 2000 Group Policy to globally configure the security policy settings on the client computers.
C. Use the Security and Configuration Analysis tool on the client computers to analyze and configure the security policy.
D. Schedule the Secedit command to run on the client computer, analyze and configure the security policy.
Answer: D
Normally, if the GPOs that define the environment for the user have not changed since the last time Group Policy was applied, the GPO is skipped and not applied again. Specifying "/ENFORCE" on the command line re-applies the policy even if the GPOs that apply to the computer or user have not changed. An example of the command line in this case is: secedit /refreshpolicy machine_policy /enforce. That switch only re-applies policy, though. To both track what the administrators changed and put the original settings back, schedule the switches that work against your template: secedit /analyze (with /db pointing at a security database and /cfg at the template) compares the computer with the template and writes every difference to the log, and secedit /configure with the same database and template re-applies it. Group Policy (answer B) is not available because the domain is still Windows NT 4.0, and running the snap-in by hand (answer C) cannot be automated.
Per W2k Server Help:
Secedit.exe is a command line tool that, when called from a batch file or an automatic task scheduler, can be used to automatically create and apply templates and analyze system security. Secedit.exe can also be run dynamically from a command line.
56. You are the administrator of your company's network. The network consists of one Windows 2000 domain. The domain contains four Organizational Units (OU) as shown in an exhibit. All OU's contain user's for their departments. The Network Administrators are in the IT OU. You want to centralize security policy in your domain. You create the following three security templates and Group Policy Objects:
SecPol1 defines Password, Audit, and User Rights Policies.
SecPol2 defines User Desktop policy, File System security, and registry security.
SecPol3 defines a High Security User Desktop policy for network administrators.
You want the GPOs to apply your security policies to users and computers in the domain. You want to use the fewest assignments possible. Where possible, you want Group Policy to apply at the OU level for more granular administrative control.
How should you apply security policies? NOTE: Policies can be used more then once and may not all be used.
A. Apply Secpol3 to the Domain
B. Apply Secpol2 to the Main OU
C. Configure "No GPO Applied" to the HR OU
D. Leave the Policy blank on the Dv OU
E. Apply Secpol1 to the Domain
F. Apply Secpol2 to the Dv OU
G. Apply Secpol3 to the Main OU
H. Leave the Policy blank on the IT OU
I. Apply Secpol3 to the HR OU
J. Leave the Policy blank on the HR
K. Apply Secpol1 to the DV OU
L. Apply Secpol2 to the IT OU
M. Apply Secpol3 to the IT OU
N. Leave the Policy blank on the Main OU
Answer: B, D, E, J, M
(Updated 4/22/02)
First you must remember that all policies flow down. They are applied in the following order: Local, Site, Domain, OU, Child OU. On conflicting settings each level supersedes the previous one unless policy inheritance has been blocked. There is no indication of that happening here, so they flow as they are supposed to.
Domain - SecPol1 goes at the domain level. Password (account) policy for domain accounts is only read from GPOs linked to the domain, so it cannot go anywhere else; Audit and User Rights policies could be set on an OU, but every computer needs them, so linking SecPol1 once at the domain covers them all with a single assignment.
Main OU - The second policy deals with all users which are spread throughout the Main OU and Main's child OU's. You can apply the SecPol2 to all user's by applying that policy directly to the Main OU.
IT OU - The IT OU needs to have the more secure policy (SecPol3) added to it since all the network administrators are required to have it applied to their machines.
HR and DV OU's - These OU's do not need to have any separate policies placed on them. They do not require any special security settings and will already inherit the policies being applied to the Domain and Main OU.
You would not use any of the "No GPO Applied" settings because you want the policies to be passed down to the lower levels so you do not have to create duplicate policies for each OU that requires the same settings. This is how you meet the requirement of "fewest assignments possible".
57. You edit the default Domain Controllers Group Policy on the arborshoes.com domain to required passwords to be at least eight characters long. However, users are able to create passwords that do not comply with the implemented policy.
What should you do?
A. Initiate replication to make sure the Group Policy containers and the Group Policy template (GPT) are replicated.
B. Configure each client computer to have a local Group Policy that requires password to be at least eight characters long.
C. Edit the default Domain Group Policy to require password to be at least eight characters long.
D. Edit the default Domain Controllers Group Policy to force the password to meet complexity requirements.
Answer: C
Microsoft Article #Q269236
In Windows 2000, password policies are only read at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
58. You are the Windows 2000 network administrator for your company. You are implementing the company's network security model. Your network has several servers that contain sensitive or confidential information. You want to configure security auditing on these servers to monitor access to specific folders. You also want to prevent users from gaining access to these servers when the security logs become full.
What should you do?
A. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 kb.
B. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Services access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. Configure the security event log so that it does not overwrite events.
C. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Service access. Set up the individual objects to be audited in Windows Explorer. Configure the Security Event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
D. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Setup the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
Answer: D
The two parts of auditing are to setup an audit policy at either the local or domain level (through a GPO) that defines the types of events to be audited (in this case object access). Secondly, the specific events must be specified (in this case by setting up the objects to be audited using Windows Explorer).
To meet the last requirement of preventing users' access when the log is full, you must enable the "Shut down the system immediately if unable to log security audits" setting in the GPO (Security Options). This setting is CrashOnAuditFail under HKLM\SYSTEM\CurrentControlSet\Control\Lsa in the registry and in this case must be set to 1. Together with the log set not to overwrite events, it makes the server halt with a STOP error the moment an audit cannot be written. After that halt Windows sets the value to 2, and only members of Administrators can log on until an administrator has archived or cleared the security log and set the value back to 1. Plan for that outage: this setting deliberately trades availability for accountability.
59. You are the security analyst for Duluth Mutual Life. You are assessing the security weaknesses of the company's Windows 2000 network. The network consists of three sites in one domain. The domain contains three OUs and 11,000 users. There are five domain controllers in the domain. You configure one of the domain controllers to meet the security requirements of the company. You need to duplicate those settings on the other four domain controllers. You want to use the least possible amount of administrative effort.
What should you do?
A. Create a GPO for the Domain Controllers OU. Configure the GPO settings to match the settings of the secured domain controller.
B. Open Security Configuration and Analysis on the secured domain controller. Export the secured domain controller's security configuration to a template file. Copy the template file to the Sysvol folder on each domain controller.
C. Create a GPO for the domain. Assign Domain Users Read and Apply Group Policy permissions. Configure the GPO settings to match the settings of the secured domain controller.
D. Open Security Configuration and Analysis on the secured domain controller. Export the secured domain controller's security configuration information to a template file. Open Security Configuration and Analysis on the other domain controllers, import the template file, and then select Analyze Computer Now.
Answer: A
Microsoft Article #Q216735
Windows provides administrators with several different utilities that can be used for configuring computer security throughout an enterprise. This article discusses the following utilities and provides some usage guidelines.
A - Provides the best way to configure all the DC the same (remember you are in 1 domain, not multiple domains).
B - Would only copy the template file to that folder; nothing applies it. A template takes effect on the domain controllers only when it is imported into a GPO linked to the Domain Controllers OU (or applied on each DC with Configure Computer Now). Copying it to each DC is also pointless because Sysvol is replicated to all DCs anyway.
C - Would apply the security setting to all computers in the domain, not just the DC's.
D - Only compares the current policy on the DC to the template you created and imported. To actually apply it, you would need to right-click and choose Configure Computer Now.
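Questions 55, 58 and 59 all turn on the difference between analyzing against a template and configuring from it. The following added example (not from the dump, and not Microsoft's code) models the two operations on a security template: TEMPLATE is a constructed excerpt in the real .inf layout (the section and value names, including the CrashOnAuditFail registry line from question 58, are the ones Windows 2000 uses; the values are chosen for illustration), and CURRENT is a constructed snapshot of a server an administrator has relaxed during troubleshooting.

```python
"""Security template analyze/configure in miniature. Added example; TEMPLATE
and CURRENT are constructed, not real exports."""
import configparser
import io

TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditAccountManage = 3
AuditObjectAccess = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: what the machine looks like now, after someone turned off
# object-access auditing, the password length and CrashOnAuditFail.
CURRENT = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditAccountManage = 3
AuditObjectAccess = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,0
"""

SECURITY_AREAS = ("System Access", "Event Audit", "Registry Values")


def load_inf(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str              # keep registry paths case-intact
    cp.read_string(text)
    return cp


def analyze(template_text, current_text):
    """'Analyze Computer Now' / secedit /analyze: report every template
    setting the machine does not match. Changes nothing."""
    tpl, cur = load_inf(template_text), load_inf(current_text)
    drift = {}
    for area in SECURITY_AREAS:
        if not tpl.has_section(area):
            continue
        for key, want in tpl.items(area):
            have = cur.get(area, key, fallback=None)
            if have != want:
                drift[(area, key)] = (want, have)
    return drift


def configure(template_text, current_text):
    """'Configure Computer Now' / secedit /configure: write the template's
    settings onto the machine; settings the template omits are left alone.
    Returns the new machine state in the same .inf layout."""
    tpl, cur = load_inf(template_text), load_inf(current_text)
    for area in SECURITY_AREAS:
        if not tpl.has_section(area):
            continue
        if not cur.has_section(area):
            cur.add_section(area)
        for key, want in tpl.items(area):
            cur.set(area, key, want)
    out = io.StringIO()
    cur.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for (area, key), (want, have) in analyze(TEMPLATE, CURRENT).items():
        print(f"[{area}] {key}: template {want}, machine {have}")
    print("drift after configure:", analyze(TEMPLATE, configure(TEMPLATE, CURRENT)))
```

Analyze finds three settings that have drifted and leaves them alone, which is why answer D in question 59 does not secure the other four DCs; configure is what changes them, and scheduling the analyze/configure pair is the tracking-plus-reapply loop question 55 asks for.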
60. You are the administrator of a Windows 2000 network. Recently, your network security was compromised and confidential data was lost. You are now implementing a stricter network security policy. You want to require encrypted TCP/IP communication on your network.
What should you do?
A. Create a GPO for the domain, and configure it to assign the Secure Server IPSec Policy.
B. Create a GPO for the domain, and configure it to assign the Server IPSec Policy and to enable Secure channel: Require strong session key.
C. Implement TCP/IP packet filtering, and open only the ports required for your network services.
D. Edit the local security policies on the servers and client computers and enable Digitally signed client and server communications.
Answer: A
Microsoft Article #Q253740 Microsoft Article #Q231585
By default, Windows 2000 includes three predefined policies: Client, Secure Server, and Server. The first task is to decide if any of the default policies will apply or if it will be necessary to create a custom policy to meet your needs. None of the preconfigured policies are active by default. The policies are as follows:
Client (Respond Only) - allows the client to respond to other computers requesting security according to the settings in the default response rule. With this policy active, the client will never request security, but will negotiate IPSec based on the connecting host. This would allow you to configure client computers to respond to requests for secure communications, but without initiating the request.
Secure Server (Require Security) - allows the server to require IPSec negotiation prior to allowing a connection. This policy will allow unsecured incoming communications, but outgoing traffic will always be secured. This policy could be implemented in scenarios where data must always be secured.
Server (Request Security) - allows the server to request IPSec negotiation, but will allow unsecured communications if the other computer is not IPSec aware. You could use this policy to implement security between IPSec enabled computers without sacrificing interoperability with non-IPSec-enabled computers.
61. You are the administrator of your company's network, which consists of one Windows 2000 domain. There is a single top-level OU named Main and five child OUs. The child OUs are named after the company's five departments:
Finance
Marketing
Sales
HR
IT
The accounts for all users and computers in each department are defined in the OU for that department. All users and computers in the Finance, Marketing, Sales and HR OUs require the same desktop settings. Users and computers in the IT OU require less restrictive settings.
You want to accomplish the following goals:
All the assigned Group Policy settings are defined by the administrator in the Main OU will be applied to all users and computers in the Finance, Marketing, Sales, and HR OUs.
Group Policy from the Main OU will not be applied to the IT OU.
Administrators in the IT OU will be able to change the Group Policy settings.
When new child OUs are added to the domain, the Group Policy will be applied to them automatically.
Users will not be able to change their Group Policy settings.
You take the following actions:
Create the GPO, configure the appropriate settings, and link the GPO to the Main OU
In the Group Policy Options dialog box for the Main OU, select the No Override check box
In the Group Policy dialog box for the IT OU, select the Block Policy inheritance check box.
Assign the Authenticated Users group Full Control permission to the GPO.
Which results do these actions produce?
A. All the assigned Group Policy settings as defined by the administrator in the Main OU are applied to all users and computers in the Finance, Marketing, Sales, and HR OUs.
B. Group Policy from the Main OU will not be applied to the IT OU.
C. Administrators in the IT OU are able to change the Group Policy settings.
D. When new child OUs are added to the domain, the Group Policy is applied to them automatically.
E. Users cannot change their Group Policy settings.
Answer: A, C, D
A - Is true because the GPO is linked to the Main OU and policies flow down to child OUs by default. No Override on the link also prevents lower OUs from blocking it.
B - Is not true because No Override wins over Block Policy inheritance, so the IT OU still receives the Main OU policy.
C - Is true because the IT administrators are members of Authenticated Users, which has been given Full Control of the GPO.
D - Is true because, as A states, policies flow down; a new child OU under Main inherits the link automatically.
E - Is not true because Authenticated Users, which is every domain user, has Full Control, so users can edit the GPO (see the third paragraph below).
Microsoft Article #Q221577
Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard . The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail.
Directly access the security settings for the GPO itself, by clicking Properties on the context menu of the specific GPO, and clicking the Security tab. Add your non-administrator user to the list of users for whom security is defined.
Provide your user Full Control - Allow privilege. Full Control provides the user the ability to write to the GPO, and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission. (Authenticated Users was given Full Control, so E is not true.)
You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
62. You are using RIS to deploy Windows 2000 Professional on 1,500 computers. Your network configuration is shown in an exhibit. You have four RIS servers. You have deployed 100 computers. RIS server1 and RIS server3 are overworked and respond too slowly for the timely deployment of your computers. You need more consistent performance results before you deploy the remaining computers.
What should you do?
A. Create computer accounts for all the computers. Complete the Managed By properties for each account.
B. Create one OU for each segment. Add users accounts for all the users to the appropriate OUs. Specify the appropriate RIS server in the "Log on to" property for each user's account.
C. Create prestaged computer accounts for all of the computers. Specify which RIS server will control each computer.
D. Create one site for each segment. Move two RIS servers to each site.
Answer: C
Microsoft Article #Q298750
By prestaging the client, the administrator can define a specific computer name, and optionally, the RIS server that can service the client:
Locate the container in the Active Directory service in which you want your client accounts to be created.
Right-click the container, click New , and then click Computer . The New Object-Computer dialog box is displayed.
Enter the computer name and authorize domain-join permissions for the user or security group that contains the user who is going to use the computer that this computer account represents.
In the next dialog box, you are prompted for either the globally unique identifier (GUID) or universally unique identifier (UUID) of the computer itself and whether you intend to use this computer as a managed (Remote OS
Installation-enabled) client. Enter either the GUID or UUID, and then click to select the This is a managed computer check box.
The GUID or UUID is a unique 32-character number that is supplied by the manufacturer of the computer, and is stored in the system basic input/output system (BIOS) of the computer. This number is written on the case of the computer, or on the outside of the box that the computer had been shipped in. If you cannot locate this number, run the system BIOS configuration utility. The GUID is stored as part of the system BIOS. Contact your OEM for a VBScript (created with Visual Basic Scripting Edition) that can be used to prestage newly purchased clients in Active Directory for use with Remote OS Installation.
The next screen prompts you to indicate the RIS server that this computer is serviced by. This option can be left blank to indicate that any available RIS server can answer and service this client. If you know the physical location of the specific RIS server and where this computer can be delivered, you can use this option to manually load clients in the RIS servers in your organization as well as segment the network traffic. For example, if a RIS server had been located on the fifth floor of your building, and you are delivering these computers to users on that floor, you can assign this computer to the RIS server on the fifth floor
63. You are the administrator for Arbor Shoes. Part of your network configuration is shown in an exhibit. All the computers are running Windows 2000 Professional and are members of the arborshoes.com domain in the company LAN. All the users are members of the Power Users group on their computers. Andrew has dial-up access to the Internet for a special project he is working on. You do not want other users to share Andrew's Internet connection and to have unrestricted Internet Access.
What should you do?
A. Create a high security zone in MS IE.
B. Create a Group Policy Object (GPO) that disables the configuration of connection sharing. Grant Andrew Read and Apply group Policy permissions to the GPO.
C. Create a Group Policy Object (GPO) that disables the configuration of connection sharing. Grant Michel, Laura, and Anita Read and Apply Group Policy permissions to the GPO.
D. Remove the Internet connection from the All Users profile on Andrew's computer and then recreate the connection in Andrew's personal profile.
Answer: B
Andrew's ability to configure Internet Connection Sharing (ICS) needs to be disabled so he cannot share the connection with other users.
Andrew is the user who needs to have "Read and Apply" to this GPO so that his ICS is disabled.
64. You are the administrator of a Windows 2000 domain. You want to deploy a new application named Finance
that will be used by all users in the domain. The vendor of the Finance application supplied a MS install package for the application. You decide to deploy the Finance application in two phases. During Phase 1, only members of a security group named Finance Pilot will use the Finance application. During Phase 2, all users in the domain will be able to install the Finance Application.
You want to accomplish the following goals:
During Phase 1, the Finance application will not be installed automatically when users log on.
During Phase 1, users who are members of the Finance Pilot group will be able to install the Finance application by using a Start menu shortcut.
During Phase 1, users who are not members of the Finance Pilot group will not be able to install the Finance application by using a Start menu shortcut.
The Finance application will be installed automatically the first time any user in the domain logs on after phase 2 has begun.
You take the following actions:
Create a new GPO named Deploy Finance and link the deploy Finance GPO to the domain.
Configure the Deploy Finance GPO to assign the Finance application to users.
For Phase 1, create a software category named Finance Pilot. ASSIGN the Finance application to the Finance Pilot software category.
For Phase 2, remove the Finance application from the Finance Pilot software category.
Which results do these actions produce?
A. During Phase 1, the Finance application will not be installed automatically when users log on.
B. During Phase 1, users who are members of the Finance Pilot group can install the Finance application by using a Start menu shortcut.
C. During Phase 1, users who are not members of the Finance Pilot group cannot install the Finance application by using a Start menu shortcut.
D. The Finance application is installed automatically the first time any user in the domain logs on after Phase 2 has begun.
Answer: A, B
By default every user in the domain has the application assigned (this makes B correct). A software category only groups packages in Add/Remove Programs; it does not filter who receives them. You only want the Finance Pilot group to get it; they will, but so will everyone else (this makes C wrong). Limiting Phase 1 to the pilot group would have needed security filtering of the GPO (Read and Apply Group Policy for Finance Pilot only), not a category.
Per Windows 2000 Help:
Assigning an application to a user advertises the application on the user's computer without actually installing it (this makes A correct). It only adds the shortcuts to the Start menu and the needed file associations in the registry. The user can then install the application either by launching the program from the Start menu or by opening a file associated with the application. Users can uninstall assigned applications, but they will continue to be advertised to them. User-assigned applications follow the user and will be installed on any computer they log on to.
Assigning an application to a computer advertises the application on the computer and installs it when it is safe to do so, typically this is when the computer is starting up (This would need to be done in order for D to be correct).
Additional Information
Assigned software:
Software that is assigned to a user has a shortcut appear on the user's Start > Programs menu, but is not installed until the first time they use it. Software assigned to a computer is installed the next time the computer starts, regardless of whether anyone runs it. When software is assigned to a user, the new program is advertised when the user logs on, but is not installed until the user starts the application from its icon or double-clicks a file type associated with it. Software assigned to a computer is not advertised; it is installed automatically. Software assigned to a computer can only be removed by a local administrator; users can repair it, but not remove it.
Published software:
Published applications are not advertised. They are only installed through Add/Remove Programs in the Control Panel or through invocation (a user double-clicks on an unknown file type). Published applications lack resiliency (do not self-repair or re-install if deleted by the user). Finally, applications can only be published to users, not computers.
65. You are the enterprise administrator of a Windows 2000 network. The network has three domains:
All three domains are in a site named Boston. All three domains contain OUs as shown in the above exhibit. You want to implement new desktop policies for all users on the network. The policies are configured in a Group Policy Object named Gpdesktop. You also want to implement a logon script for users from the W2 OU. The logon script policy is configured in a GPO named Gpscript. The users from the W2 OU always log on to Windows 2000 Professional computers defined in the W3 OU. You do not want to use Group Policy filtering. You want to use the fewest GPO assignments possible.
What should you do? (Choose all that apply)
NOTE: Policy may be applied more then once
A. Apply the Gpdesktop GPO to the Contoso domain
B. Apply the Gpscript GPO to the west.contoso domain and filter it to the w3 OU
C. Apply the Gpscript GPO to the W3 OU
D. Apply the Gpdesktop GPO to the east.contoso domain
E. Apply the Gpscript GPO to the W2 OU
F. Apply the Gpdesktop GPO to the west.contoso domain
G. Apply the Gpdesktop GPO to the Boston site.
H. Apply the Gpscript GPO to the west.contoso domain
Answer: E, G
Take note that the other two domains are child domains of contoso.com, and Group Policy is never inherited from a parent domain to a child domain (see the article below). GPOs can be linked to a Site, Domain, or OU. You could link Gpdesktop to each of the three domains as well, but this would require 3 assignments instead of 1.
You want to implement the desktop policies to all users in all domains. To do this with the fewest possible GPO assignments you would assign the GPDesktop policy on the Boston Site.
Microsoft TechNet
Policy Inheritance
In general, Group Policy is passed down from parent to child containers within a domain, which you can view by using the Active Directory Users and Computers snap-in. Group Policy is not inherited from parent to child domains, for example, from contoso.com to west.contoso.com. The Active Directory Domains and Trusts snap-in, which you can use to manage relationships of this type, is not related to Group Policy.
You want the logon script to run for all users of the W2 OU, so you configure and link the Gpscript GPO at the W2 OU level. It does not matter that their computers are defined in the W3 OU: a logon script is a user setting, processed from the GPOs that apply to the user account, not to the computer, so it belongs on the OU that contains the user accounts.
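The explanations for questions 56, 61 and 65 all rest on the same precedence rules: site, domain, OU, child OU, with Block Policy inheritance, No Override, and no inheritance across domains. As an added example (not part of the dump, and not how Windows implements it internally), the model below encodes those rules and replays the scenarios from questions 61 and 65 using the container and GPO names from those questions; the setting names and values are made up for illustration.

```python
"""Windows 2000 Group Policy precedence, modelled. Added example; the
settings and values in the scenario functions are invented."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GpoLink:
    gpo: str
    settings: dict
    no_override: bool = False        # "No Override" checked on this link


@dataclass
class Scope:
    """A site, domain or OU that GPOs can be linked to."""
    name: str
    kind: str                        # "site", "domain" or "ou"
    links: List[GpoLink] = field(default_factory=list)   # highest priority first
    block_inheritance: bool = False  # "Block Policy inheritance" on this container
    parent: Optional["Scope"] = None


def processing_order(site, container):
    """Scopes in the order Windows 2000 applies them: site, domain, OU, child
    OU. The walk up from the container stops at its domain, because a child
    domain never inherits GPOs linked to its parent domain."""
    chain = []
    scope = container
    while scope is not None:
        chain.append(scope)
        if scope.kind == "domain":
            break
        scope = scope.parent
    chain.reverse()
    return ([site] if site is not None else []) + chain


def effective_settings(site, container):
    """Return (settings, winning GPO per setting) for an object in container."""
    order = processing_order(site, container)
    # Block Policy inheritance discards the ordinary links of every scope
    # above the blocking container (site, domain, parent OUs).
    cutoff = max((i for i, s in enumerate(order) if s.block_inheritance), default=0)
    sequence = []                    # links in application order; later wins
    for i, scope in enumerate(order):
        if i >= cutoff:
            sequence += [l for l in reversed(scope.links) if not l.no_override]
    # No Override links survive any block and are applied after everything
    # else, deepest scope first, so the enforced link highest in the tree wins.
    for scope in reversed(order):
        sequence += [l for l in reversed(scope.links) if l.no_override]
    settings, winner = {}, {}
    for link in sequence:
        for name, value in link.settings.items():
            settings[name] = value
            winner[name] = link.gpo
    return settings, winner


def question_61():
    """Main OU GPO with No Override; IT OU blocks inheritance and links its
    own conflicting GPO. Returns the result for a Finance user and an IT user."""
    domain = Scope("company.com", "domain")
    main = Scope("Main", "ou", parent=domain,
                 links=[GpoLink("MainDesktop", {"wallpaper": "corp.bmp", "hide_run": True},
                                no_override=True)])
    finance = Scope("Finance", "ou", parent=main)
    it = Scope("IT", "ou", parent=main, block_inheritance=True,
               links=[GpoLink("ITDesktop", {"hide_run": False})])
    return effective_settings(None, finance), effective_settings(None, it)


def question_65():
    """Gpdesktop on the Boston site, Gpscript on the W2 OU in west.contoso.com.
    A GPO linked to the parent domain contoso.com is shown not to reach W2."""
    boston = Scope("Boston", "site", links=[GpoLink("Gpdesktop", {"desktop": "locked"})])
    contoso = Scope("contoso.com", "domain", links=[GpoLink("ParentOnly", {"banner": "contoso"})])
    west = Scope("west.contoso.com", "domain", parent=contoso)
    w2 = Scope("W2", "ou", parent=west, links=[GpoLink("Gpscript", {"logon_script": "w2.bat"})])
    return effective_settings(boston, w2)[0]


if __name__ == "__main__":
    print(question_61())
    print(question_65())
```

For question 61 the IT user ends up with hide_run True from MainDesktop even though IT blocked inheritance and linked its own GPO, which is why result B is not produced; for question 65 the W2 user gets Gpdesktop from the site and Gpscript from the OU, and nothing from contoso.com.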
66. You are the administrator of a Windows 2000 network. You are deploying Windows 2000 Professional to 200 client computers. A custom configuration is required for each one of 50 of the client computers. You are using SMS Server to install various applications on all the client computers. You want to use RIS to install Windows 2000 on all of the client computers.
What should you do?
A. Create a CD-based RIS image and different answer files for each custom configuration.
B. Create an RIPrep image for each configuration. Grant Read And Execute permission to users for the image folder.
C. Install a test client computer for each custom configuration. Use the Setup Manager wizard to create an answer file for each configuration.
D. Use the Setup Manager wizard to create a Sysprep answer file. Use third-party imaging software to create a separate image for each configuration.
Answer: A
Microsoft Article #Q298750#8
RIPrep is used to create a master image of a fully configured client computer (W2k only) that includes all applications. The RIPrep.exe utility removes the SID and all hardware-specific settings from the master image.
To prevent users from installing the wrong image, or to limit the people who can install the image, grant rights to the folder based on group membership. If need be, create new groups and add the users that need access to that group, as it is not recommended that you grant rights to the folder based on individuals.
Unattended installations rely on an "answer file" to provide information during the setup process that is usually provided through manual user input. Answer files can be created manually using a text editor or by using the Setup Manager Wizard (SMW) (found in the Windows 2000 Resource Kit Deployment Tools).
B - You would not want to implement this because you are going to need to create 50 different images. It is much more efficient to just create 50 configuration files (answer files) and use those.
67. You are the administrator of a Windows 2000 domain. The domain has 20 users and a Windows 2000 Server computer named Glasgow. Users in the domain frequently work on different Windows 2000 Professional computers. All Windows 2000 Professional computers are in the domain.
You want to accomplish the following goals:
All users in the domain will be able to work on all Windows 2000 Professional computers and have their own predefined desktop settings available on all computers.
Users will be allowed to make changes to the desktop settings while they are logged on.
Changes that users make to the desktop settings will not be saved when they log off.
What should you do?
A. On each Windows 2000 Professional computer, delete the Systemdrive\Documents and Settings\Default User folder.
B. On each Windows 2000 Professional computer, rename the Systemroot\System32\Config\System file to System.man.
C. Configure a roaming profile for each user in the domain. Use \\Glasgow\profiles\%username% as the profile path. On the Glasgow server, rename the ntuser.dat file to ntuser.man for each user.
D. Create a GPO named Delprofile. Assign the Delprofile GPO to the domain. Configure the Delprofile GPO to delete the local copy of a user's profile when the user logs off.
Answer: C
Microsoft Article #Q302082
Mandatory user profiles cannot be changed because they are read-only. They are created by renaming the ntuser.dat file to ntuser.man. When using a mandatory profile, users are able to change desktop settings while they are logged on, but the settings will not be saved since the profile is read-only.
68. You are the network administrator for Just Togs. Your Windows 2000 network consists of 15,000 users. Users have recently reported that documents are missing from the servers. You need to track the actions of the users to find out who has been deleting the files. You create a GPO on the justtogs.com domain and assign the appropriate permissions to the GPO.
What actions should you audit? (Choose two)
A. Directory Services access
B. Object access
C. Process tracking
D. Privileged use
E. Delete and Delete subfolders and files
Answer: B, E
Microsoft Article #Q300549
Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After you enable auditing in Group Policy, view the Security log in Event Viewer to review successful or failed attempts to access the audited files and folders.
69. You are the administrator of a Windows 2000 domain. To control the desktop environment of users in the domain, you use a script file named Desktop.vbs to change settings in the current user profile. This script file is deployed as a login script for all users in the domain. The Desktop.vbs script usually takes 15 seconds to complete its work. You want to ensure that each user's desktop appears only after the Desktop.vbs script is completed.
What should you do?
A. For all users in the domain, set the logon script in the user profile to Desktop.vbs.
B. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to run logon scripts synchronously.
C. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a maximum wait time of 15 seconds for Group Policy scripts.
D. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a timeout of 15 seconds for logon dialog boxes.
Answer: B
Microsoft Article #Q256320
This interval is particularly important when other computer tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" policy to direct the computer to wait for the logon scripts to complete before loading the desktop. An excessively long interval can delay the computer and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the computer can appear to be ready prematurely.
70. You are the administrator of a Windows 2000 domain named arborshoes.com. You install RIS on the server. You are using RIS to install 35 new client computers. When you start a test client computer, the Client Installation wizard does not appear. You are using network adapter cards that are not PXE compliant. You want to connect to the RIS server.
What should you do?
A. From a command prompt, run Rbfg.exe to create a RIS boot disk.
B. Identify the GUID of each client computer.
C. Set up a DHCP Relay Agent.
D. Install Windows 2000 on the test client computer. Run RIPrep.exe from a network share on the RIS server.
Answer: A
Microsoft Article #Q300483
RIS Overview
The remote installation boot disk can be used with computers that do not contain a remote boot-enabled ROM on the network card. The boot disk is designed to simulate the PXE boot process for computers that lack a supported DHCP PXE-based remote boot ROM. The boot disk generator utility is called RBFG.EXE and is located within the \RemoteInstall\admin directory on every Remote Installation Server.
The RBFG.exe utility is also contained within the Administrator Tools package that ships with Windows 2000 Server. The Administrator Tools package can be deployed across your organization using either Systems Management Server 2.0 or using the new Software Management feature, which is part of the Group Policy infrastructure.
To create a Remote Installation Boot Floppy, run the RBFG.exe utility from the RIS server or a computer with the administrator tools package installed.
Browse to the E:\RemoteInstall\Admin\i386 folder and double-click RBFG.exe, which will bring up the "Windows 2000 Remote Boot Disk Generator" dialog box.
NOTE: E:\ should be the drive letter where you set up the REMOTE INSTALLATION SERVICES in Step 2.
To see a list of network adapters supported, click Adapter List. (Note: the RBFG.exe utility does not allow you to add network adapters). To create a remote installation boot disk, insert a disk into the appropriate drive and then select Create Disk.
71. You are installing a new Windows 2000 Server computer on your existing Windows NT network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message:
"The domain name specified is already in use on the network".
There are no other Windows 2000 domains on your network.
What should you do?
A. Place an entry in your DNS server host table for the domain.local domain name.
B. Place an entry in your WINS database for the domain.local domain name.
C. Change the domain name to domain.com.
D. Change the down level domain name to domain1.
Answer: D
(This question is identical to #89, which has the proper domain name)
Microsoft Article #Q163409
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix.
This is the NetBIOS-compatible name issue. The down-level (NetBIOS) name chosen for the domain is the same as one already being used elsewhere on the network.
72. You are the administrator of your company's network. The company has two native-mode domains in six sites. Each site has one or more domain controllers. Users report that at times of high network usage, authentication and directory searches are extremely slow. You want to improve network performance.
What should you do?
A. Move all domain controllers into one site.
B. Promote more Windows 2000 Server computers in each site to be domain controllers.
C. Install a DNS server in each site and configure it to use Active Directory integration.
D. Designate a domain controller in only one site as a global catalog server (GC).
E. Designate a domain controller in each site as a global catalog server (GC).
Answer: E
Microsoft Article #Q223346
See also FSMO Placement and Optimization, Microsoft Article #Q196464
AD Overview (Global Catalog section)
The Global Catalog contains a partial replica of every Windows 2000 domain in the directory and is built automatically by the Active Directory replication system. This lets users and applications find objects in an Active Directory domain tree given one or more attributes of the target object. The catalog also contains the schema and configuration of directory partitions. This means the global catalog holds a replica of every object in the Active Directory, but with only a small number of their attributes. Attributes in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon names, and so on), and those required to locate a full replica of the object.
Using this common information, users can find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise. If the object cannot be found in the Global Catalog, then the search utility can query your local domain partition for information.
You can use the Schema Manager tool to change the schema and define which attributes are stored in the Global Catalog. Since the Global Catalog is replicated on changes made to all Global Catalog servers, it is good practice to limit the number of attributes stored in the local partition for both performance and maintenance purposes.
73. You are deploying Windows 2000 Professional on your network. You recently installed a RIS server to expedite the deployment process. Your network is now configured as shown in an exhibit. When you attempt to use the RIS server to deploy Windows 2000 on Julia's and Carlos's computers, you cannot establish the initial connection. Anita and Peter installed Windows 2000 from CD-ROM and did not have any problems with the installation.
What should you do to correct the problem?
A. Integrate the DNS server's zones into Active Directory.
B. Install a DHCP server and authorize it in Active Directory.
C. Install a WINS server and configure the DNS server to use it for name resolution.
D. Create computer accounts in Active Directory for Julia and Carlos, and specify the name of the RIS server on the Remote Install tab of the Computer Accounts property sheet.
Answer: B
Microsoft Article #Q298750
You can use Remote Installation Services (RIS) for Windows 2000 to install a local copy of the operating system to other computers from remote locations. You can start up your computer, contact a Dynamic Host Configuration Protocol (DHCP) server for an Internet Protocol (IP) address, and then contact a boot server to install the operating system.
RIS requires several other services. These services can be installed on individual servers, or all of these services can be installed on a single server. The type of installation depends upon your network design:
DNS server: RIS relies on DNS for locating the directory service and client computer accounts. You can use any Windows 2000 Active Directory service-compliant DNS server, or you can use the DNS server that is provided with Windows 2000 Server.
Dynamic Host Configuration Protocol (DHCP) server: RIS requires an active DHCP server on the network. The remote boot-enabled clients receive an IP address from the DHCP server before they contact RIS.
Active Directory: RIS relies on Windows 2000 Active Directory for locating existing clients as well as existing RIS servers. RIS must be installed on a Windows 2000-based server that has access to Active Directory, for example, a domain controller or a server that is a member of a domain with access to Active Directory.
74. You are the enterprise administrator of a Windows 2000 domain. The domain is in native mode. You want to implement a policy to disable the ShutDown command for all users in the domain except for the members of the Domain Admins security group. You create a new Group Policy object (GPO) named Shutdown. You configure the Shutdown GPO to disable the Shutdown option. You assign the Shutdown GPO to the domain. You want to ensure that the policy does not apply to the members of the Domain Admins group.
What should you do?
A. On the Shutdown GPO, deny the Apply Group Policy permission to the Domain Admins group.
B. On the Shutdown GPO, remove the Apply Group Policy permission from the Authenticated Users group. Grant the Apply Group Policy permission to the Users group.
C. Add the Domain Admins group to the Group Policy Owners group.
D. Create a new OU named No Shutdown. Move the Domain Admins group to the No Shutdown OU. Configure the No Shutdown OU to block policy inheritance.
E. On the computers that the members of the Domain Admins group use to log on, configure the local GPO to enable the Shutdown option.
Answer: A
Microsoft Article #Q315675
This step-by-step article describes how to keep domain group policies from also applying to administrator accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior and security settings for users and computers in a Windows 2000 network, and group policies can be applied to either users and/or computers, at the site, domain, or organizational unit level.
In most circumstances, if you want a group policy to apply only to specific accounts (either user accounts, machine accounts, or both), you can accomplish this by placing the accounts in an organizational unit, and then applying a group policy at that organizational unit level. However, there may be situations in which you want to apply a group policy to an entire domain, but you may not want those policy settings to also apply to administrator accounts or other specific users or groups. The following procedure can keep a group policy from applying to administrative accounts (or any other group or user account you specify) by editing the ACL (Access Control List) for the policy.
75. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 Server computer named Toronto. Users in the domain frequently work on different Windows 2000 Professional computers. All Windows 2000 Professional computers are in the domain. You want to enable roaming profiles for all users.
You want to accomplish the following goals:
All users in the domain will be able to work on all Windows 2000 Professional computers and have their own desktop settings available on all computers.
All users in the domain will be able to make changes to their desktop settings.
All users in the domain will be able to access their documents in the My Documents folder from any Windows 2000 Professional computer.
The amount of data that is copied between the Toronto server and the Windows 2000 Professional computers each time a user logs on or off will be minimized.
What should you do? (Choose two)
A. Configure a roaming profile for each user in the domain. Use \\Toronto\Profiles\%Username% as the profile path.
B. Configure a roaming profile for each user in the domain. Use \\Toronto\Profiles\%Username%\Ntuser.man as the profile path.
C. Create a new Group Policy object (GPO) named Profilescript. Assign the Profilescript GPO to the domain. Configure the Profilescript GPO to assign a logon script to all users. Include the runas /profile explorer.exe command in the logon script.
D. Create a new Group Policy object (GPO) named Docs. Assign the Docs GPO to the domain. Configure the Docs GPO to redirect the My Documents folder to the \\Toronto\Docs\%Username% location.
E. Create a new Group Policy object (GPO) named Profiledocs. Assign the Profiledocs GPO to the domain. Configure the Profiledocs GPO to exclude the My Documents folder from each user's roaming profile.
Answer: A, D
Microsoft Article #Q142682
Create and Copy Roaming User Profiles
A roaming profile makes all users' desktop settings available on all computers, and since it is not mandatory, the users will be able to change their settings.
Microsoft Article #Q216463
You can use a group policy to redirect the My Documents folder to a different network path on the domain for all users without having to set up an individual policy for each user.
76. You are deploying Windows 2000 Professional on your network of 1,000 users. Part of your network is shown in an exhibit. You have recently installed a RIS server to assist in the deployment process. You confirm that the client computers meet the requirements for RIS deployment. However, you still cannot connect the RIS client computers to the RIS server.
Existing client computers are able to connect to all servers for network resources.
What can be causing the problem? (Choose all that apply)
A. The RIS server has no client-side tools installed.
B. The RIS server is not trusted for delegation.
C. The RIS server is not authorized in Active Directory.
D. The client computers are not configured to use DHCP.
E. The RIS server is not configured to respond to client computers requesting service.
Answer: C, E
Microsoft Article #Q298750
When RIS is successfully installed, you must authorize the RIS server in Active Directory. If you do not authorize the RIS server, it cannot service clients that request a network service boot. The next section outlines these steps.
To authorize an RIS server in Active Directory, you must be logged on to your computer as an enterprise administrator or a domain administrator of the root domain. You can complete the following steps on any domain controller, member server of the domain, or a Windows 2000 Professional-based workstation that has installed the Administrator Tools Package that contains the DHCP Server Management snap-in.
The next screen enables you to configure client support. By default, the RIS server does not support clients until you have set up RIS and configured the server. If you want the server to begin supporting clients immediately after the setup of RIS, select the Respond to clients requesting service option. If you select this option, the server can respond to clients and provide them with operating system installation options. If you do not select this option, the RIS server does not respond to the clients that request service.
77. You are the administrator of your company's network. The network consists of two Windows 2000 domains named contoso.com and mktg.contoso.com. You create separate zones for each domain on your DNS server. Later, you add a second DNS server to the network. This server also functions as a domain controller. You convert the contoso.com zone to an Active Directory integrated zone and set the zone to allow only secure updates to the zone database. You discover that unauthorized computers are registering themselves in the mktg.contoso.com domain. You check the zone's properties and discover that the zone is allowing unsecured dynamic updates. You also discover that the option to select Secure Dynamic Updates is not available.
What should you do to correct this problem?
A. Initiate a zone transfer between the mktg.contoso.com zone and the contoso.com zone.
B. Reinstall mktg.contoso.com as a standard secondary zone.
C. Reinstall contoso.com as a standard primary zone.
D. Convert mktg.contoso.com to an Active Directory integrated zone.
Answer: D
"Only Secure Updates" is only available in an Active Directory integrated zone.
78. You are the network administrator for Enchantment Lakes Corporation. Enchantment Lakes Corporation and Five Lakes Publishing are planning a merger. The planned Windows 2000 network configuration is shown in an exhibit. You want to host the fivelakespublishing.com domain on the enchantmentlakes.com DNS server called Server1. The fivelakespublishing.com domain uses an Active Directory integrated zone on its DNS server called Server5. Five Lakes Publishing will retain its domain structure after the merger is complete. You want to set up the enchantmentlakes.com DNS server to host the fivelakespublishing.com domain.
What should you do?
A. On Server1, create an Active Directory integrated zone named fivelakespublishing.com. Enable WINS lookup, and specify Server7 as the IP address for the WINS server.
B. On Server5, create a secondary zone named fivelakespublishing.com. Configure DNS zone transfers to allow Server1 to replicate data.
C. On Server5, configure DNS zone transfers to allow Server1 to replicate data. On Server1, create a secondary zone named fivelakespublishing.com.
D. On Server1, create an Active Directory integrated zone named fivelakespublishing.com. Configure DNS zone transfers to allow Server5 to replicate data.
Answer: C
In order for enchantmentlakes.com to host DNS services for the Active Directory integrated fivelakespublishing.com zone, Server1 will have to be set up with a secondary zone for fivelakespublishing.com. The fivelakespublishing.com DNS server (Server5) will then have to allow Server1 to receive zone transfers. C is the only answer that does both.
Primary zones hold the master copy of a zone and can replicate it to secondary zones. All changes to a zone are made on the primary zone. Secondary zones contain a read-only copy (replica) of zone information that can provide increased performance and resilience. Information in a primary zone is replicated to the secondary by use of the zone transfer mechanism. An Active Directory integrated zone is a Microsoft-proprietary zone type, where the zone information is held in the Windows 2000 Active Directory (AD) and replicated using AD replication.
Traditionally, the master copy of each zone is held in a primary zone on a single DNS server. On that server, the zone has a Start Of Authority (SOA) record that specifies it to be the primary zone. To improve performance and redundancy, a primary zone can be automatically distributed to one or more secondary zones held on other DNS servers.
79. You create a new Windows 2000 Active Directory network. Five months after deployment of the network, you receive a report that the Active Directory database file takes too much disk space on the ServerA domain controller. You want to reduce the size of the Active Directory database file.
What should you do? (Choose three)
A. Restart ServerA in Directory Services restore mode.
B. Stop the Net Logon service on ServerA.
C. Run Windows Backup to back up the System State data. Immediately run Windows Backup again to restore the System State data from the backup.
D. Use the NTDSUTIL utility to compact the database to a folder. Move the compacted database file to the original location.
E. Restart ServerA and boot normally.
F. Start the Net Logon service on ServerA.
Answer: A, D, E
Microsoft Article #Q229602
Online Defragmentation
With online defragmentation, database pages are effectively rearranged within the data file, but no space is released back into the file system. Online defragmentation is performed automatically by ESE at regular intervals following the garbage collection process.
Offline Defragmentation
Offline defragmentation cannot be performed while the computer is running as a domain controller; it must be performed with the computer running in Directory Services Repair mode, in which the computer is effectively running as a member server. In Directory Services Repair mode, an administrator can use the Ntdsutil.exe command-line tool to defragment the Ntds.dit file.
You can run Directory Services Repair mode by restarting the computer and selecting the appropriate item from the Boot menu. This menu is accessible on Intel-based computers by pressing F8 during startup.
Upon completion of the defragment operation, Ntdsutil.exe places a defragmented version of the Ntds.dit file into a separate folder. You can then move the defragmented file into the Ntds folder after archiving the original Ntds.dit file.
Reboot the server normally.
80. You are the administrator of a Windows 2000 network. The network is composed of four domains within the forest:
There are two Windows NT 4.0 BDCs in the arborshoes.com and sa.arborshoes.com domains. Graphic artists place finished artwork for Fabrikam, Inc. in a shared folder located on a Windows 2000 domain controller named bna01.fabrikam.com. Read and Write permissions are granted to the Artists Domain local group in the fabrikam.com domain. Sharon is a member of the Graphic Artists global distribution group in the na.arborshoes.com domain. She is unable to gain access to the shared folder. You want to allow Sharon access to the shared folder.
What should you do?
A. Change the Graphic Artists group type to "Security" and add it to the Artists Domain local group.
B. Change the Artists Domain local group to a universal group and add it to the Graphic Artists group.
C. Change the Graphic Artists group to a Domain local group and add it to the Artists Domain local group.
D. Change the mode of the domain controller in na.arborshoes.com to native mode. Add the Graphic Artists group to the Artists Domain local group.
Answer: A
It has been determined that none of these answers are actually right for the setup of the network from the exhibit. I am going to venture a guess based on the choices that it is A and that the exhibit will show that both na.arborshoes.com and fabrikam.com are in native mode.
You cannot change the Graphic Artists type to "Security" because in a mixed-mode domain you cannot change the type of a group. You also cannot add it to the Artists Domain local group because this is only possible if the fabrikam.com domain is in native mode. In order for this to work, both na.arborshoes.com and fabrikam.com would have to be in native mode or converted to it.
You cannot change the domain local group to a universal group unless the domain (fabrikam.com) is in native mode. Even then the Graphic Artists group is still a distribution group and it cannot be used to control access (see below again).
You cannot change the Graphic Artists group to a Domain local group because the domain is in mixed mode, nor can you add it to the Artists Domain local group because they are in different domains. This would be true even if both domains were in native mode, as domain local groups can only be added to other domain local groups in the same domain (see below).
Changing the mode of na.arborshoes.com to native mode and adding the Graphic Artists group to the Artists Domain local group would not work because the Graphic Artists group is a distribution group, and distribution groups cannot be used to control access (see below). The group would first have to be changed to a Security group.
Microsoft Article #Q231273
In Windows 2000 and later, there are two types of groups: Security and Distribution. In addition, there are three scopes: Universal, Global, and Domain Local.
Types of Groups
Security
Security groups are used to control access to resources. They can also be used as e-mail distribution lists.
Distribution
Distribution groups can be used only for e-mail distribution lists, or simple administrative groupings. These groups cannot be used for access control because they are not "security enabled." In Native-mode domains, a group type can be converted at any time. In Mixed-mode domains, a group's type is fixed at the time of creation and cannot be changed.
Scopes of Groups
Domain local - can contain user accounts, global groups and universal groups from any domain in the forest, as well as other domain local groups in the same domain.
Global - can contain user accounts and global groups from the same domain. Global groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest.
Universal - can contain user accounts, global groups and universal groups from any domain in the forest. Universal groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest. Universal group membership is validated at logon by Global Catalog servers.
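The group type and scope rules quoted above, together with the mixed-mode restrictions used in the reasoning for question 80, as an added Python example (not from the braindump or from Microsoft): each answer option is replayed as a sequence of administrative steps and the first rule it breaks is reported. Domain and group names are taken from the question; the domain modes are parameters because the exhibit is not available, and the rule that no groups can be nested in a domain local group of a mixed-mode domain is taken from the explanation above, not from the KB text.

```python
from dataclasses import dataclass, field

SECURITY, DISTRIBUTION = "security", "distribution"
DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"


@dataclass(eq=False)
class Domain:
    name: str
    native_mode: bool


@dataclass(eq=False)
class Group:
    name: str
    domain: Domain
    scope: str
    kind: str
    member_of: list = field(default_factory=list)  # groups this group is nested in


def nesting_error(member, container):
    """None if member may be nested in container, else the rule that forbids it.
    Scope rules follow KB Q231273; the mixed-mode rule follows the answer text."""
    same_domain = member.domain is container.domain
    if container.scope == DOMAIN_LOCAL:
        if not container.domain.native_mode:
            return "groups cannot be nested in a domain local group of a mixed-mode domain"
        if member.scope in (GLOBAL, UNIVERSAL) or same_domain:
            return None
        return "a domain local group can only nest domain local groups of its own domain"
    if container.scope == GLOBAL:
        if member.scope == GLOBAL and same_domain:
            return None
        return "a global group can only contain global groups of its own domain"
    if member.scope in (GLOBAL, UNIVERSAL):  # container is universal
        return None
    return "a universal group cannot contain domain local groups"


def apply_step(step):
    """Apply one administrative step; None on success, else the rule violated."""
    action, target = step[0], step[1]
    if action == "set_mode":  # switch a domain to native mode
        target.native_mode = True
        return None
    if action in ("set_type", "set_scope"):  # type and scope changes need native mode
        if not target.domain.native_mode:
            return "group %s is fixed in a mixed-mode domain" % action[4:]
        setattr(target, "kind" if action == "set_type" else "scope", step[2])
        return None
    if action == "add_member":  # nest step[1] inside step[2]
        err = nesting_error(target, step[2])
        if err is None:
            target.member_of.append(step[2])
        return err
    raise ValueError(action)


def grants_access(group, resource_group, seen=frozenset()):
    """True if membership in group yields the permissions held by resource_group.
    Every group on the chain must be security-enabled; distribution groups never grant access."""
    if group.kind != SECURITY or group in seen:
        return False
    if group is resource_group:
        return True
    return any(grants_access(p, resource_group, seen | {group}) for p in group.member_of)


def scenario(fabrikam_native, na_native):
    """Constructed from question 80; domain modes are parameters (the exhibit is not available)."""
    fabrikam = Domain("fabrikam.com", fabrikam_native)
    na = Domain("na.arborshoes.com", na_native)
    artists = Group("Artists", fabrikam, DOMAIN_LOCAL, SECURITY)  # holds Read/Write on the share
    graphic = Group("Graphic Artists", na, GLOBAL, DISTRIBUTION)  # Sharon's group
    return na, artists, graphic


OPTIONS = {  # answer choices A-D as step lists over (na, artists, graphic)
    "A": lambda na, a, g: [("set_type", g, SECURITY), ("add_member", g, a)],
    "B": lambda na, a, g: [("set_scope", a, UNIVERSAL), ("add_member", a, g)],
    "C": lambda na, a, g: [("set_scope", g, DOMAIN_LOCAL), ("add_member", g, a)],
    "D": lambda na, a, g: [("set_mode", na), ("add_member", g, a)],
}


def evaluate(option, fabrikam_native, na_native):
    """Replay one answer option against a fresh scenario; returns (works, reason)."""
    na, artists, graphic = scenario(fabrikam_native, na_native)
    for step in OPTIONS[option](na, artists, graphic):
        err = apply_step(step)
        if err:
            return False, err
    if grants_access(graphic, artists):
        return True, "Graphic Artists is now a security-enabled member of Artists"
    return False, "no security-enabled membership chain from Graphic Artists to Artists"


if __name__ == "__main__":
    for modes in ((False, False), (True, True)):
        print("fabrikam.com native=%s, na.arborshoes.com native=%s" % modes)
        for opt in "ABCD":
            print("  %s: %s" % (opt, evaluate(opt, *modes)))
```

With both domains in mixed mode every option fails, and only A succeeds once both are native, which is the conclusion the explanation reaches.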
81. You are the network administrator of a Windows 2000 network. The network domain name is Litware.com. The distinguished name for the Sales OU is:
ou=sales,ou=north america,dc=litware,dc=com
You want to assign Andrew the ability to manage all the objects in the Sales OU.
What should you do?
A. Add Andrew to the Domain Admins group.
B. Grant Andrew Full Control permission to the North America OU and disable inheritance at the Sales OU.
C. Grant Andrew Read and Write permissions to the Sales OU.
D. Grant Andrew Full Control permissions to the Sales OU.
E. Move Andrew's user account to the Sales OU.
Answer: D
A - Gives Andrew more rights to the domain than he needs for the requested task.
B - Gives Andrew Full Control to all objects in the domain EXCEPT the Sales OU.
C - Does not give Andrew the ability to manage all objects of the OU as requested.
D - Gives Andrew Full Control of only the Sales OU and the objects in it.
E - Does not give Andrew any additional rights to manage the OU.
Microsoft Article #Q315676
This step-by-step article describes how to delegate administrative authority in Windows 2000. An administrator can use this feature in Windows 2000 to delegate administrative authority over one or more organizational units (OUs) to a user or group, without giving that user or group administrative authority throughout the domain. This increases the flexibility with which administrators can assign responsibility over a specified set of user/group accounts, printers, or other resources that can be placed into an organizational unit.
Permissions that can be delegated include the permission to create and delete a particular type of object (such as user accounts) in an OU, permission to change the properties of the OU itself, or permissions to change properties of objects in the OU.
A user to whom authority has been delegated can delegate his/her authority, or a subset of it, to another user or group.
82. You are the network administrator of a Windows 2000 domain. The domain has a Windows 2000 Server computer named MainApps. The MainApps server is not a domain controller. Members of the Domain Users group have the right to log on locally at the MainApps server. When these members log on locally, you want a script named Setperms.vbs to be executed. This script defines environment variable settings in the current user profile that are needed for the MainApps server.
What should you do?
A. Copy the Setperms.vbs script to the Netlogon share of the MainApps server.
B. Place the Setperms.vbs script in the Sysvol share on the MainApps server.
C. Add the Setperms.vbs script to the local group policies as a logon script.
D. Add the Setperms.vbs script to the local group policies as a startup script.
Answer: C
Microsoft Article #Q258286
This article describes how to assign a logon script to a profile for a local user's account on a Windows workstation or a Windows server. This logon script runs when the local user logs on locally to the computer. This logon script does not run when the user logs on to the domain.
The default location for local logon scripts is the %Systemroot%\System32\Repl\Imports\Scripts folder. The %Systemroot%\System32\Repl\Imports\Scripts folder is not created on a new installation of Windows. Therefore, the %SystemRoot%\System32\Repl\Imports\Scripts folder must be created and shared out with the share name netlogon.
If you do not want to create the netlogon share in the default location, place the script in any folder that the user can access during logon. It is recommended that this folder be shared.
If the logon script is stored in a subfolder of the domain controller's logon script path (Sysvol\DomainName\Scripts), precede the file name with the relative path, for example, Clerks.bat or Our_users\user_1.cmd
83. You are the administrator of a Windows 2000 domain. The domain is in native mode. The domain contains 15 Windows 2000 Server computers that are functioning as domain controllers and 1,500 Windows NT Workstation client computers. During a power outage, the first domain controller that you installed suffers a catastrophic hardware failure and will not restart. After the power outage, users report that password changes do not take effect for several hours. In addition, users are not able to log on or connect to resources by using their new passwords.
What should you do to correct this problem?
A. Using the Ntdsutil utility, connect to another domain controller and transfer the PDC emulator role.
B. Using the Ntdsutil utility, connect to another domain controller and seize the PDC emulator role.
C. Using the Ntdsutil utility, connect to another domain controller and transfer the domain naming master role.
D. Using the Ntdsutil utility, connect to another domain controller and seize the domain naming master role.
Answer: B
The PDC emulator role is assigned to a Win2000 DC in a mixed or native mode domain. In mixed mode domains, the PDC emulator allows replication between Win2000 and NT 4.0 servers, as well as allowing NT 4.0 clients to write to the directory database. The failed DC (which was acting as the PDC emulator) is the cause of the problems in this scenario: password changes are sent preferentially to the PDC emulator, so until another DC holds that role they are only learned through normal replication.
Microsoft Article #Q223787
This article describes how Flexible Single Master Operations (FSMO) roles are transferred from one domain controller to another and how this role can be forcefully appointed in the event that the domain controller that previously held the role is no longer available.
Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.
When the administrator seizes an FSMO role from an existing computer, the "fsmoRoleOwner" attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The "fsmoRoleOwner" attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.
84. When you run DCPromo.exe to install the new domain, you receive an error message stating that the existing domain cannot be contacted. Installation of the new child domain will not proceed.
What should you do to correct this problem?
A. Create an Active Directory integrated zone for the child domain on the new domain controller.
B. Install WINS on the new domain controller.
C. Configure the new domain controller with the address of an authoritative DNS server for the existing domain.
D. Configure the new domain controller with the address of an existing WINS server.
E. Add SRV (service) records for the domain naming master to a Hosts file on the new domain controller.
Answer: C
A - is done on the DNS server, not on a domain controller.
B, D, and E - all use "outdated" technologies that MS is actually trying to get away from. They also will not resolve the problem because AD requires DNS to function properly. It does not require WINS or Hosts files.
C - DNS must be configured before or during the creation of AD. If DNS cannot be contacted the AD cannot be installed.
Microsoft Article #Q237675
Setting up the DNS for AD
The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. This article guides you through the required DNS configuration.
Microsoft Article #Q283133
(Not related to current situation, but good article)
When you attempt to run the Active Directory Installation wizard (Dcpromo.exe) for a new domain controller or you attempt to join a computer that is running Windows 2000 Server or Windows 2000 Professional to a domain, you may receive the following error message:
The specified domain either does not exist or could not be contacted
The system log may report the following information:
Event 7013 - Logon attempt with current password failed with the following error:
Logon failure: unknown user name or bad password.
If you run the Dcdiag tool on the domain controller, you may also receive Sysvol errors, and you may not be able to resolve any operation manager roles. When you attempt to resolve these roles, you receive an "error 1355" message.
85. Your name is Avi Gaspan and you are the administrator of your company's WAN. Your company has four locations connected by dedicated 256-Kbps leased lines. You install and configure a Windows 2000 domain controller at each location. For network performance reasons, you want to control the bandwidth usage and replication schedule of directory information to each domain controller in each location.
What should you do? (Choose two)
A. Create a site for each location.
B. Create a site that spans all the locations.
C. Create server objects for each domain controller in every site.
D. Create server objects for each domain controller in its own site.
E. Copy all server objects from Default-First-Site-Name to each site.
F. Move each server object from Default-First-Site-Name to the appropriate site.
Answer: A, F
Microsoft Article #Q199174
Directory Replication Basics (Sites and Site Links)
A site is a collection of one or more IP subnets that contain one or more DCs. Everything (subnets, DCs) within a site should be connected by high-speed, reliable connections. DCs located in the same site perform replication as needed. Replication between sites is controlled and scheduled rather than as needed.
86. You are the administrator of your company's network. Your company has its main office in North America and has branch offices in Asia and Europe. The locations are connected by dedicated 256-Kbps lines. The network consists of one Windows 2000 domain. To minimize logon authentication traffic across the slow links, you create a site for each office and configure the site links between the sites. Users in the branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in the North America site.
What should you do to correct this problem?
A. Schedule replication to occur more frequently between the sites.
B. Schedule replication to occur less frequently between the sites.
C. Create a subnet for each physical location, associate the subnets with the North America site and move server objects to the North America site.
D. Create a subnet for each physical location, associate each subnet with its respective site and move each server object to its respective site.
Answer: D
Microsoft Article #Q199174
Directory Replication Basics (Sites and Site Links)
Windows 2000 Server introduces a new concept of replication topology by using sites, site links, and site-link bridges. The site configuration (or physical structure) is really a model of the physical network. Because Windows 2000 is not aware of the physical network (routed entities, and so on), you must create a site configuration that reflects the physical network.
Similarly, the domain, or logical structure, is defined separately from the site structure. Although the domain, site, and physical structures are defined and configured independently from each other, they have interdependencies that affect replication.
This is a matter of making sure the DCs in each respective site are being used for authentication, instead of just the North America DCs. Without subnet objects associated with the branch sites, the DC locator cannot place a client in its site. A GC server in each site would also help.
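A small model of the site-affinity problem from question 86, written as an added example (it is not from the braindump or a Microsoft article): sites, DC names and subnets are invented, and the "fallback site" stands in for the real DC locator behaviour, where a client whose address matches no subnet is served by whichever DC answers first.

```python
"""Site affinity lookup (added example, constructed data).

Shows why Q86's fix is to associate a subnet with each site: until the
client's subnet maps to a site, it cannot be sent to its local DCs.
"""
import ipaddress

# Constructed sample data: three sites, their DCs and associated subnets.
SITES = {
    "North-America": {"subnets": ["10.1.0.0/16"], "dcs": ["DC-NA1", "DC-NA2"]},
    "Europe": {"subnets": ["10.2.0.0/16"], "dcs": ["DC-EU1"]},
    "Asia": {"subnets": ["10.3.0.0/16"], "dcs": ["DC-AS1"]},
}
# Hypothetical stand-in for "whichever DC answers first" when no site matches.
DEFAULT_SITE = "North-America"


def site_for_client(client_ip, sites):
    """Return the site whose associated subnet contains client_ip, or None.

    Uses longest-prefix match, as the DC locator does for nested subnets.
    """
    addr = ipaddress.ip_address(client_ip)
    best, best_len = None, -1
    for name, cfg in sites.items():
        for cidr in cfg["subnets"]:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def logon_dcs(client_ip, sites, fallback_site=DEFAULT_SITE):
    """DCs a client should authenticate against.

    Its own site's DCs if its subnet is mapped to a site; otherwise the
    fallback site's DCs, which is the Q86 symptom (everything goes to North
    America).
    """
    site = site_for_client(client_ip, sites)
    if site is None:
        site = fallback_site
    return site, list(sites[site]["dcs"])


def misconfigured_sites():
    """Q86 'before' state: the sites exist but no subnets are associated."""
    return {name: {"subnets": [], "dcs": cfg["dcs"]} for name, cfg in SITES.items()}
```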
87. You are the administrator of your company's network. Your company's network is shown in the exhibit.
Three smaller branch offices are located within each region. The regional offices are connected to the main office by T1 lines. The branch offices are connected to the regional offices by ISDN lines. Branch offices in Boston, Dallas, and San Diego also have direct ISDN connections with Seattle as shown. The network consists of one Windows 2000 domain. For fault tolerance and load balancing purposes, each office has its own Windows 2000 domain controller. Each office is configured as its own site and all site links have been created.
You want to create a replication topology that allows only the regional offices to communicate with the main office. You also want to ensure that each branch office communicates only with the closest regional office.
What should you do?
A. Manually create connection objects between the domain controllers in the main office and the regional offices. Use SMTP as the transport protocol.
B. Manually create connection objects between each branch office and the closest regional office. Use SMTP as the transport protocol.
C. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the main office and all other offices.
D. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the branch offices and the regional offices.
Answer: C
(Updated 6/21/02)
The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. This article describes the role of one server per site, known as the Inter-Site Topology Generator, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.
Replication between sites over SMTP is supported for only domain controllers of different domains. Domain controllers of the same domain must replicate by using the RPC over IP transport. Therefore, replication between sites over SMTP is supported for only schema, configuration, and Global Catalog replication, which means that domains can span sites only when point-to-point, synchronous RPC is available between sites.
88. You are the administrator of your company's network. Your company's main office is in Chicago with the company operations divided into two regions - East and West.
The East region has an office in Miami and in New York.
The West region has an office in Denver and in Seattle.
The offices in the East region contain the Human Resources (HR) and Marketing (Mktg) departments.
The offices in the West region contain the sales and finance departments.
Company IT policy states that Group Policy must be applied only at the organizational unit (OU) level and that user groups must correspond to departments.
You want to accomplish the following goals:
Control of users and resources can be delegated to local and departmental administrators.
The IT department can control Group Policy for the entire enterprise.
A single Group Policy object (GPO) can be applied to the sales and marketing departments.
User environments can be customized by city.
You implement an OU structure as shown in the exhibit.
Which result or results does your implementation produce? (Choose all that apply)
A. Control of users and resources can be delegated to local and departmental administrators.
B. The IT department can control Group Policy for the entire enterprise.
C. A single GPO can be applied to the sales and marketing departments.
D. User environments can be customized by city.
Answer: ABC
You can delegate control of any OU to local or departmental administrators. NOTE: The local administrators will have control over entire departments, which include users from places other than their local office. There is no indication in this question that this is a bad thing.
Applying a GPO at the Corp OU level gives IT the ability to manage Group Policy over the entire enterprise. Windows TechNet - Linking GPOs to a Site, Domain or OU
A single GPO can be applied directly to only the Sales and Marketing OUs by creating a GPO on one of them (Sales or Marketing) and then linking it on the GPO properties of the other OU.
The OUs are organized by departments, which contain users from other cities. This prevents you from applying a GPO that only affects users in certain cities. The only way to do that would be to put users in groups according to cities and then apply rights to GPOs based on those groups. There is no indication that this is done in this question.
89. You are the network administrator for the Lucerne Real Estate Company. The network consists of one Windows 2000 domain named lucernerealestate.local. The network is not currently connected to the Internet. You are installing a new domain named lucernerealestate1.local. During the promotion process, you receive the following error message:
"The domain name specified is already in use on the network".
What is the most likely cause of the problem?
A. The default-generated DNS domain name is already in use.
B. DNS domain names cannot be named interactively.
C. The default-generated NetBios domain name is already in use.
D. NetBios domain names cannot be named interactively.
Answer: C
Microsoft Article #Q163409
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix.
This is the NetBios-compatible name issue. The downlevel name of the server is the same as one already being used elsewhere on the network. Both downlevel names are going to be lucernerealesta, which is not allowed.
90. You are the administrator of your company's network. The Network consists of one Windows 2000 domain. Your company has two locations, which are connected by a dedicated T1 line. Users frequently report that logons to the network, file transfers, and directory searches are extremely slow. When you monitor the network, you discover that replication between domain controllers is generating excessive network traffic between the locations.
You want to accomplish the following goals:
Replication traffic between locations will be reduced.
Logon response time for users will be improved.
Average file transfer rates for users will be improved.
Directory search response times will be improved.
All domain controllers will have up-to-date replicas of the directory.
Fault tolerance for domain logons and directory searches will be maintained.
You take the following actions:
Configure a domain controller in each location to be a global catalog server (GC).
Create a new subnet in Active Directory for each location.
Modify the location attribute of each domain controller's server object.
Which result or results do these actions produce? (Choose all that apply)
A. Replication traffic between locations is reduced.
B. Logon response time for users is improved.
C. Average file transfer rates for users are improved.
D. Directory search response times are improved.
E. All domain controllers have up-to-date replicas of the directory.
F. Fault tolerance for domain logons and directory searches is maintained.
Answer: A, B, C, D, E, F
A - This will be reduced because you have configured GC in each location.
B - This will be improved because you have configured a GC in each location.
C - This will be improved because of the GC and because you have subnetted the AD for each location.
D - This will be improved because you have configured a GC in each location.
E - This will be accomplished because all DCs maintain a copy of AD.
F - This will be accomplished because you have configured a GC in each location.
Microsoft Article #Q196464 Global Catalog Servers
Microsoft Article #Q313994 Creating and Moving Global Catalog Servers
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
91. You are the administrator of a newly installed Windows 2000 network for a call center. You need to rename the Administrator account on all computers on your network. You do not want to manually edit each account. Because of a recent security breach, you must implement this policy immediately.
What should you do? (Choose all that apply)
A. Use Group Policy to rename the Administrator account at the Default Domain Group policy.
B. Use Group Policy to implement a user logon script.
C. Send a network message to all users to restart their computers.
D. Use Group Policy to force all users to log off within 30 minutes.
Answer: A, C
You can rename the Administrator account through a GPO linked to the domain. "Rename administrator account" is located at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options in the group policy. The computers will have their Admin account renamed when they start up or a user logs on (or a refresh occurs, which happens every 90 minutes for GPOs).
This one is a little tricky. There are two Group Policy settings located in the same place, called:
Automatically log off users when logon time expires
Automatically log off users when logon time expires (local)
However, there is no explanation to clarify this and there is not a setting there to set the time to expire. This would be located elsewhere, I assume.
I would choose C over D because if you set a group policy to log off the users, the users have to refresh their policy before that policy will take effect anyway. They are only going to do that after a default refresh or after a restart or re-logon, which defeats the whole purpose of forcing them, since when they do that to apply the log-off policy, they will also be applying the renaming of the admin account.
Obviously with C you are not going to FORCE the users to log on again. However, the question states that you want to implement the policy immediately, which is done once you create it and assign it to users. It does not state that you want it to be enforced immediately, which is done when the users refresh their policies.
There are other utilities that can be used to force users' machines to shut down or restart. None of those are mentioned in the answer choices.
92. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.
What should you do?
A. Run the Nslookup command-line utility.
B. Use the Event Viewer and monitor the DNS server log.
C. Use the monitoring function of the server properties in the DNS console.
D. Use the DNS counters in System Monitor.
E. Check the contents of the Netlogon.dns file.
Answer: D
System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions
93. You are the administrator of your company's network. You have been auditing security events on the network since it was installed. A user on your network named JOHN THORSON recently reported that he was no longer able to change his password. Because there have been no recent changes to account policies, you suspect that someone has been modifying the properties of user accounts in Active Directory. There are thousands of entries in the event logs, and you need to isolate and review the events pertaining to this problem in the least possible amount of time.
What should you do?
A. In the security log, create a filter for events matching the following criteria:
Event source: Security; Category: Account Management; User: JTHORSON.
B. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security; Category: Security. Search the remaining items for events referencing John Thorson's account.
C. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security; Category: Global Catalog; User: JTHORSON.
D. In the security log, create a filter for events matching the following criteria:
Event source: Security; Category: Account Management. Search the remaining items for events referencing John Thorson's account.
Answer: D
To view a subset of events that have specific characteristics, click Filter Events on the View menu of Event Viewer. Filtering has no effect on the actual contents of the log; it changes only the view. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file. Filtering on User: JTHORSON (answers A and C) would miss the relevant events, because the account that made the change, not John's, is the one recorded in the User field.
94. You are the administrator for a Windows 2000 network. Your network consists of one domain and two organizational units (OUs). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created, but you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A
Account Management events are used to log the creating, deleting, and modifying of user accounts. The logs are kept locally on each DC and will have to be viewed there, because the deletion is recorded only on the DC that processed it.
95. You are the administrator of your company's network. The network is configured in a Windows 2000 domain as shown in an exhibit. You want to strengthen the security of communications between client computers and servers in the Reps organizational unit (OU). You do not want to decrease overall productivity of the domain.
What should you do?
A. Create one Group Policy object (GPO) in the Sales OU. Increase maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
B. Create one Group Policy object (GPO) in the Sales OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
C. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and increase maximum lifetime that a user ticket can be renewed in the GPO.
D. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.
Answer: C
Microsoft Article #Q231849
Kerberos policies are for domain user accounts and determine Kerberos-related settings, such as ticket lifetimes and enforcement. The Kerberos policies are:
Enforce User Logon Restrictions
When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. Default value: Enabled.
Maximum Lifetime That a User Ticket Can Be Renewed (in this scenario, increase this setting)
This is the maximum lifetime of a ticket, either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket". No ticket can be renewed after this time. Default value: 7 days.
Maximum Service Ticket Lifetime (in this scenario, decrease this setting)
A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
Maximum Tolerance for Synchronization of Computer Clocks
When the KDC clock is this many minutes different from the Kerberos client's clock, tickets are not issued for the client. This is a deterrent in Replay attacks. Settings are in minutes. Default value: 5 minutes.
Maximum User Ticket Lifetime
A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
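The constraints in the policy list above, encoded as a checker, together with the clock-skew and renewal checks they imply; this is an added example, not braindump or Microsoft code. It assumes minutes as the unit throughout, and it treats a service ticket lifetime equal to the user ticket lifetime as valid, which the identical 10-hour defaults require.

```python
"""Kerberos policy sanity check (added example).

Encodes the rules stated for the Q95 settings: service ticket lifetime is in
minutes, must be more than ten minutes and must not exceed the user (TGT)
lifetime; nothing is renewable past the renewal lifetime; requests outside
the clock-skew tolerance are refused as a replay deterrent.
"""
from dataclasses import dataclass


@dataclass
class KerberosPolicy:
    max_service_ticket_min: int = 600      # default 10 hours
    max_user_ticket_min: int = 600         # default 10 hours (the TGT)
    max_renewal_min: int = 7 * 24 * 60     # default 7 days
    clock_skew_min: int = 5                # default 5 minutes

    def problems(self):
        """Return the list of policy violations; empty means the policy is valid."""
        errs = []
        if self.max_service_ticket_min <= 10:
            errs.append("service ticket lifetime must be more than 10 minutes")
        # Windows accepts equality here (both defaults are 10 hours).
        if self.max_service_ticket_min > self.max_user_ticket_min:
            errs.append("service ticket lifetime must not exceed user ticket lifetime")
        if self.max_renewal_min < self.max_user_ticket_min:
            errs.append("renewal lifetime must not be shorter than user ticket lifetime")
        if self.clock_skew_min < 0:
            errs.append("clock skew tolerance cannot be negative")
        return errs


def reps_ou_policy():
    """Q95 answer C applied to the defaults: shorter service tickets (a
    captured session ticket is useful for less time) and a longer renewal
    window (users are not forced to re-authenticate more often). The
    specific values are constructed."""
    return KerberosPolicy(max_service_ticket_min=60, max_renewal_min=10 * 24 * 60)


def kdc_accepts_timestamp(kdc_time_min, client_time_min, policy):
    """Replay deterrent: refuse a request whose timestamp differs from the
    KDC clock by more than the tolerance."""
    return abs(kdc_time_min - client_time_min) <= policy.clock_skew_min


def ticket_renewable(issued_at_min, now_min, policy):
    """A ticket can be renewed only while it is within the renewal lifetime
    measured from its original issue time."""
    return now_min - issued_at_min < policy.max_renewal_min
```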
96. You are the administrator of your company's network. Your event log shows that hackers are using brute force attacks to attempt to gain access to your network. You do not want user accounts to be easily accessible. You want to strengthen security to protect against brute force attacks.
What should you do? (Choose two)
A. Enable the "Users must log on to change the password" setting.
B. Enable the "Store password using reversible encryption for all users in the domain" setting.
C. Enable the "Password must meet complexity requirements" setting.
D. Increase minimum password length.
E. Increase minimum password age.
Answer: C, D
All the above settings are available in the Security Configuration and Analysis console. The best two choices here are "Password must meet complexity requirements" and "Minimum password length", which together produce a "strong password" and enlarge the space a brute-force attack has to search. A third choice could be setting the "Minimum password age", which prevents users from changing their password and then immediately changing it back to their original password. However, the question only asks for two answers.
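The two chosen settings as code, so the effect on a candidate password can be seen; this is an added example, not the braindump's or Microsoft's code. It implements the Windows 2000 complexity rule as commonly documented (at least six characters, three of four character classes, no account-name or full-name token of three or more characters in the password) and a configurable minimum length; the sample account and passwords are constructed.

```python
"""Password policy checker (added example, constructed sample account).

Q96's two answers: 'Password must meet complexity requirements' plus a
higher 'Minimum password length'. search_space_bits() shows why the two
together matter against brute force.
"""
import math
import string


def _is_symbol(c):
    return c in string.punctuation or c == " "


def meets_complexity(password, account_name, full_name=""):
    """Windows 2000 complexity requirement (passfilt.dll rules, as documented)."""
    if len(password) < 6:
        return False
    pw = password.lower()
    # Account name and each full-name token of 3+ characters must not appear.
    tokens = [account_name] + full_name.replace(",", " ").replace("-", " ").split()
    if any(len(t) >= 3 and t.lower() in pw for t in tokens):
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(_is_symbol(c) for c in password),
    ]
    return sum(classes) >= 3


def check_password(password, account_name, full_name="", min_length=8):
    """Apply both Q96 settings; return the reasons the password is rejected
    (empty list means accepted). min_length=8 is a constructed policy value."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than minimum length {min_length}")
    if not meets_complexity(password, account_name, full_name):
        reasons.append("does not meet complexity requirements")
    return reasons


def search_space_bits(password):
    """log2 of the brute-force keyspace implied by the character classes the
    password draws from and its length (95 printable ASCII at most)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(_is_symbol(c) for c in password):
        size += 33
    return round(len(password) * math.log2(size), 1) if size else 0.0
```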
97. You are the administrator for Arbor Shoes. Administrative control of Active Directory has been delegated to several people in the company. You need to track changes made to the Arborshoes.com domain. To ensure accountability of the other administrators' actions, you want to monitor user and computer account creation and deletion.
What should you do?
A. Modify the default Group Policy object (GPO) on the Arborshoes.com domain. Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.
B. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.
C. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.
D. Modify the default Group Policy object (GPO) on the Arborshoes.com domain. Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.
Answer: B
Account Management and Directory Services access will track changes in user/computer account creation and deletion.
Microsoft Article #Q314955
Auditing is turned off by default. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-local Group Policy object (GPO) for the domain. You can access this policy setting through the Domain Controllers organizational unit.
Microsoft Article #Q232714
This step-by-step article describes how to enable auditing of Active Directory (Directory Services Access).
Administrators can monitor access to Active Directory, causing successful and "failed" audit attempts to be logged in the Directory Service event log. This event log is present only on Windows 2000 domain controllers.
Microsoft Article #Q300549
This step-by-step instruction guide describes how to enable and apply Windows security auditing.
98. You are the network administrator of your company's Windows 2000 domain. Your company wants to deploy a custom application named Drawing. To configure the Drawing application, you need to get a custom policy setting in the HKCU\Software\Policies location in the registry for every user in the domain.
What should you do?
A. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Configure the Draw Settings GPO to run a startup script that changes the application HKCU\Software\Policies in the registry.
B. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Configure the Draw Settings GPO to run a logon script that changes the application HKCU\Software\Policies in the registry.
C. Create a GPO named Draw Settings. Assign the Draw Settings GPO to the domain. Create a new Administrative template that defines the custom policy setting. Add the new Administrative template to the Draw Settings GPO. Configure the Draw Settings GPO to set the appropriate policy.
D. Create a registry file that has the .REG filename extension. Edit the registry file to change the appropriate HKCU\Software\Policies location in the registry.
Answer: C
ADM files are used to define policy settings that write registry keys. See the articles below.
An Administrative template can be created with any text editor and saved as a .ADM file. It can then be loaded into System Policy Editor and deployed to your users.
Administrative (ADM) Templates are files that define settings the administrator can configure through the Group Policy utility. By default, two ADM files are loaded when a new GPO is created. One for the User and one for the computer. These two ADM files are named Inetres.adm (Internet Explorer Settings) and System.adm (Windows 2000 operating system component settings). The ADM templates are included in Windows 2000 and are located in the %SystemRoot%\Inf folder.
99. There are two domains named Treyresearch.com and na.Treyresearch.com. Blake's user account is in Treyresearch.com. Blake needs to use support documents located in na.Treyresearch.com. You create a global group named NASupport in na.Treyresearch.com. NASupport is a member of the domain local group named Support. Support has Read permission to the Support shared folder in the na.Treyresearch.com. Your network contains only Windows 2000 domain controllers. Domains are in native mode. You want to grant Blake Read permission to the Support shared folder.
What should you do?
A. Create a universal group in Treyresearch.com. Make Blake a member of this universal group. Add the universal group to NASupport.
B. Create a new user account in na.Treyresearch.com. Use the same name and password that Blake uses for his user account in Treyresearch.com.
C. Create a global group in Treyresearch.com. Make Blake a member of this global group. Add the global group to NASupport.
D. Create a universal group in na.Treyresearch.com. Make Blake a member of this universal group. Add the universal group to the Support group.
E. Create a new global group named Global Support in Treyresearch.com. Add Blake to the new global group. Add the Global Support group to the Support group.
Answer: E
A - Does not work because Global groups cannot contain Universal groups
B - Not needed, we have groups we can do this with.
C - Does not work because the na.Treyresearch.com Global group, NASupport, can only contain other global groups from the same domain.
D - This would work since you are creating a Universal group, adding him to it, and adding it to a Domain Local group. However, MS recommends not adding individual users to Universal groups, only other groups.
E - This would work because you are creating a Global group in his domain and adding him to it. You are then adding that group to the other domain's Domain Local group.
E would be the better solution and would be the recommended answer.
Domain Local Groups - can contain users, global groups, and universal groups from any domain anywhere in the forest, but they can only be granted access to resources within their own domain. They can also contain other domain local groups from the same domain.
Global Groups - can contain users and, when in native mode, other global groups from the same domain; they can be granted access to any resource in any domain in the forest.
Universal Groups - can contain users and groups (global or universal) from any domain anywhere in the forest, and they can be granted access to any resource anywhere in the forest. (Only available in native mode.)
100. You want to implement a password policy for all users in an organizational unit (OU) named Sales in a Windows 2000 network. All the users in the Sales OU are in a group named Sales Users. You create a Group Policy object (GPO) named PassB to enforce a minimum password length of six characters. You assign the PassB GPO to the Sales OU. There are no other GPOs assigned that specify a minimum password length. However, the week after you assign the PassB GPO to the Sales OU, users from the Sales OU report that they can still change their passwords to consist of fewer than six characters.
How should you correct this problem?
A. Ensure that the Sales Users group has Read and Apply Group Policy permissions on the PassB GPO.
B. Apply the PassB GPO to the domain instead of to the Sales OU. Filter the policy for the Sales Users group.
C. For the Sales OU, block policy inheritance.
D. For the Sales OU, enforce policy inheritance on the PassB GPO.
Answer: B
Microsoft Article #Q269236
In Windows 2000, password policies are only read at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
You can further filter the policy using the "Read and Apply Group Policy" permission.
101. You are the administrator of a Windows 2000 network for Lucerne Real Estate. The network has 1,200 users. You are delegating part of the administration of the domain to three users. You delegate the authority to create and delete computer accounts to Carlos. You delegate the authority to change user account information to Julia. You delegate the ability to add client computers to the domain to Peter. You want to track the changes made to the directory by these three users.
What should you do?
A. Create a Group Policy object (GPO) for the domain controllers. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and account management.
B. Create a Group Policy object (GPO) for the domain. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and audit object access.
C. Create a Group Policy object (GPO) for the domain controllers. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit directory services access and audit object access.
D. Create a Group Policy object (GPO) for the domain. Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter. Configure the GPO to audit object access and process tracking.
Answer: A
Account Management and Directory Services access will track changes in user/computer account creation and deletion. By assigning Read and Apply Group Policy permissions to just these users, you filter the GPO to only those users.
Microsoft Article #Q314955
Auditing is turned off by default. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-local Group Policy object (GPO) for the domain. You can access this policy setting through the Domain Controllers organizational unit.
Microsoft Article #Q232714
This step-by-step article describes how to enable auditing of Active Directory (Directory Services Access).
Administrators can monitor access to Active Directory, causing successful and "failed" audit attempts to be logged in the Directory Service event log. This event log is present only on Windows 2000 domain controllers.
Microsoft Article #Q300549
This step-by-step instruction guide describes how to enable and apply Windows security auditing.
102. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 server computer named Central. Users in the domain frequently work on different Windows 2000 Professional desktop and portable computers. They use the Windows 2000 Professional portable computers to dial in to the network when they are traveling. All Windows 2000 Professional computers are in the domain.
You want to accomplish the following goals:
All users in the domain will be able to work on all Windows 2000 Professional desktop and portable computers and have their own desktop settings available on all computers.
All users in the domain will be able to access their documents in the My Documents folder from any computer, including the portable computers when users dial in to the network.
When users dial in to the network, the logon and logoff times will not be delayed because of the transfer of the contents of the My Documents folder.
What should you do? (Choose two)
A. Configure a roaming profile for each user in the domain. Use \\Central\Profiles\%Username% as the profile path.
B. Configure a home folder for each user in the domain. Use \\Central\Home\%Username% as the home folder path.
C. Create a new Group Policy object (GPO) named Offdocs. Assign the Offdocs GPO to the domain. Configure the Offdocs GPO to prevent the use of the Offline Files folder.
D. Create a new Group Policy object (GPO) named Redocs. Assign the Redocs GPO to the domain. Configure the Redocs GPO to redirect the My Documents folder to the \\Central\Docs\%Username% location.
E. Create a new Group Policy object (GPO) named Async. Assign the Async GPO to the domain. Configure the Async GPO to apply Group Policy settings for users asynchronously when they log on.
Answer: A D
Microsoft Article #Q142682
Create and Copy Roaming User Profiles
A roaming profile will make all users' desktop settings available on all computers, and since it is not mandatory, the users will be able to change their settings.
Microsoft Article #Q216463
You can use a group policy to redirect the My Documents folder to a different network path on the domain for all users without having to set up an individual policy for each user.
103. You are the administrator of your company's network. The network consists of one Windows 2000 domain that has organizational units (OUs) as shown below:
OU1 - all domain controllers
OU2 and OU3 - resources for two separate office buildings
OU4 and OU5 - Non-administrative users,groups, and computers
OU6 - Administrative users, computers, and resources
You are designing a domain-wide security policy and want to accomplish the following goals:
The same password and account lockout policies will be applied to all users.
Different security settings will be applied to administrative and non-administrative computers.
Strict audit policies will be enforced for only domain controllers and servers.
The number of Group Policy object (GPO) links will be minimized.
You take the following actions:
Create a single GPO
Create one security template that has all required settings.
Import the security template into the GPO.
Link the GPO to the domain.
Which results do these actions produce? (Choose all that apply)
A. The same password and account lockout policies are applied to all users.
B. Different security settings are applied to administrative and non-administrative computers.
C. Strict audit policies are enforced for only domain controllers and servers.
D. The number of GPO links is minimized.
Answer: A D
Microsoft Article #Q216735
Assigning a GPO at the domain level flows down to all child objects in the domain, so the first goal is accomplished. However, a single domain-level GPO cannot meet the second and third goals. To meet them and provide custom settings, you would create two more policies: one for OU1 with strict audit policies and one for OU6 with different security settings. OU policies override domain policies.
The last goal was accomplished by creating only one policy; you cannot have a policy and have fewer than that. This would also be true if you created three policies to accomplish all three tasks: one for the domain, one for OU1, and one for OU6. By creating those three you would accomplish all goals with the fewest possible GPO links.
104. You are the administrator of a Windows 2000 network. Your network has one domain named parnellaerospace.com. The parnellaerospace.com domain supports 8,000 users at three locations. The network has three sites connected by T1 lines, as shown below:
The West site has 2,500 users
The East site has 3,000 users
The Central site has 2,500 users
Each site contains a global catalog server as shown in the exhibit.
You want users located in the West site to query TUL01-GC if the West site global catalog server is offline.
What should you do?
A. Create a new subnet, assign it to the West site, and move TUL01-GC to the West site.
B. Configure the site link between the Central site and the West site to have a lower cost than the site link between the West site and the East site.
C. Add a global catalog server to the Central site that has an IP address in the West site subnet.
D. Configure TUL01-GC as a preferred bridgehead server.
E. Set the query policy on LAX01-GC to the default query policy.
Answer: B
Microsoft Article #Q199174 Directory Replication Basics
Link cost determines which link is used first. The link with the lower cost will always be used before a link with a higher cost. To make sure that the high-speed line is always used, you would configure that link with a lower cost than the low-speed line.
105. You are the administrator of a Windows 2000 network named contoso.com. Your network is configured as shown in an exhibit. Your company plans to open a new office in Dallas. Members of your IT staff will be on-site in Dallas next week to install the new 10.1.3.0/24 network. You want to prepare the network in advance so that when the IT staff installs a new domain controller, it will automatically join the appropriate site.
What should you do?
A. Delete the Default-First-Site-Name object in Active Directory Sites and Services.
B. Create a new subnet for the Dallas network. Create a new site and associate the new subnet with the new site.
C. In the Domain Controller OU, create a computer account that has the name of the new domain controller.
D. Use RIS to prestage the new domain controller.
E. Copy the installation source files to the new domain controller. Create an unattended install file with an automated DCPromo.bat file.
Answer: B
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
During the promotion of a server to domain controller, DCPromo (the wizard used for the promotion process) determines the site the domain controller will become a member of. If the domain controller being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site until appropriate subnets and sites are configured.
An administrator can (and should) create sites in order to effectively use the bandwidth of Local Area Network (LAN) and Wide Area Network (WAN) connections. After the administrator has created sites and associated subnets with those sites, subsequent domain controller promotions are placed into the appropriate sites automatically. During server promotion, DCPromo queries the domain controller that is acting as the source server for site data. If the IP address of the server being promoted falls within the range for a given subnet defined in the Active Directory, DCPromo configures the membership of the domain controller in the site associated with that subnet.
If no subnet objects are defined or the IP address of the server does not fall within the range of the subnet objects present in the Active Directory, the server is placed in the "Default-First-Site-Name" site.
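The site-placement rule described above, as an added example that is not part of the original dump: a small Python model of how a promoted server's address is matched against subnet objects. The subnet list and site names other than the 10.1.3.0/24 Dallas network and Default-First-Site-Name are constructed assumptions.

```python
import ipaddress

# Constructed sample of subnet objects from Active Directory Sites and Services,
# each associated with a site. Only 10.1.3.0/24 -> Dallas comes from the question;
# the other entries are assumptions for the example.
SUBNET_TO_SITE = {
    "10.1.1.0/24": "Headquarters",
    "10.1.2.0/24": "Branch",
    "10.1.3.0/24": "Dallas",
}
DEFAULT_SITE = "Default-First-Site-Name"


def site_for_address(ip, subnet_to_site=SUBNET_TO_SITE):
    """Return the site a server with address `ip` lands in at promotion time.

    Follows the rule in the article: if the address falls inside a defined
    subnet object, the server joins that subnet's site; otherwise it is placed
    in Default-First-Site-Name. If subnet objects overlap, the most specific
    (longest prefix) match is used.
    """
    addr = ipaddress.ip_address(ip)
    best = None  # (network, site) of the most specific match so far
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else DEFAULT_SITE


def unplanned_addresses(planned_ips, subnet_to_site=SUBNET_TO_SITE):
    """Pre-flight check: which planned DC addresses would fall into the default
    site because no subnet object covers them yet."""
    return [ip for ip in planned_ips
            if site_for_address(ip, subnet_to_site) == DEFAULT_SITE]


if __name__ == "__main__":
    # The new Dallas DC is covered; a DC on an undefined network is not.
    print(site_for_address("10.1.3.10"))              # Dallas
    print(unplanned_addresses(["10.1.3.10", "10.1.9.5"]))
```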
106. You are the administrator of a large Windows 2000 network. You have three domains as shown below:
Eric has recently been hired to assist you with network administration. You want him to be able to manage user accounts, back up servers, and configure services on all workstations and servers only in the eur.adatum.com domain.
What should you do?
A. Add Eric to the Enterprise Admins group and delegate control only at the adatum.com domain.
B. Move Eric's user account to the Domain Controllers organizational unit (OU) in eur.adatum.com.
C. Add Eric's user account to the Domain Admins group in eur.adatum.com
D. Add Eric's user account to the Server Operators and Account Operators group in eur.adatum.com.
Answer: C
A - Gives Eric too much control over the adatum.com domain
B - This does not do anything for Eric
C - This will give Eric what he needs to configure services on workstations and servers in his domain.
D - This will give Eric most of what he needs. However, he will not have full control over services running on the machines.
107. You create an organizational unit (OU) structure for the blueskyairlines.com domain. You want to delegate administrative control of user objects on your Windows 2000 network. The User OU is a child of the Research OU. You create a group named Research User Admin that includes users who have permissions to create and manage the workstations in the workstation OU. The Research User Admin group has Full Control permission on the Research OU. You want user accounts to be created only in the User OU.
Which three actions should you take? (Choose three)
A. Grant Full Control permission to the Research User Admin group on the User OU for computer objects.
B. Remove the Research User Admin group from the Research OU ACL.
C. Grant Create Contact objects permission on the User OU.
D. Disable inheritance of permissions from the Research OU to the User OU.
E. Deny Create User objects permission on the Research OU.
F. Grant Read and Write permissions to the blueskyairlines.com domain.
Answer: A, D, E
Your goal is to set it up so that user accounts can be created only in the User OU.
To prevent the members of Research User Admin, who have Full Control on the parent Research OU, from creating users in OUs other than the User OU, you must deny that ability on the Research OU; E accomplishes this.
Because that deny is set on the parent OU, you must block inheritance on the User OU, or the deny will prevent the group from creating accounts there as well; D accomplishes this.
Since permissions are no longer passed down to the User OU, you must grant the Research User Admin group rights there so that they can create user accounts; A accomplishes this.
108. You are administrator of a Windows 2000 domain. The domain has an OU named Trading. You define a logon script for all the users in the Trading OU. The logon script is located at \\server2\docs\tradescript.vbs. You want to use a GPO to assign the logon to the users in the Trading OU.
What should you do? (Choose three)
A. Create a new GPO named script and assign the script GPO to the Trading OU.
B. Create a new GPO named script and assign the script GPO to the domain. Configure the permissions on the script GPO to grant READ permissions to all users in the Trading OU.
C. Copy the tradescript.vbs file to the appropriate folder in Group Policy Template (GPT) of the script GPO.
D. Copy the tradescript.vbs file to the folder that is shared as NETLOGON on the PDC emulator.
E. For each user in the trading OU, set the logon script in the user profile to tradescript.vbs.
F. Add tradescript.vbs as a logon script to the script GPO.
Answer: A, C, F
Per Windows 2000 Help:
Scripts - Logon/Logoff. You use this extension, located under the User Configuration node, to specify scripts that are to run when the user logs on or off the computer. These scripts are run as User, not Administrator.
Windows 2000 includes Windows Script Host, a language-independent scripting host for 32-bit Windows platforms that includes both Visual Basic Scripting Edition (VBScript) and JScript scripting engines. You can use Windows Script Host to run .vbs and .js scripts directly on the Windows desktop or command console, without the need to embed those scripts in an HTML document.
These can be deployed locally or through GPOs with the following method. Go to the properties of the Computer, Domain, Site, or OU object at which you want to create the policy. Go to the Group Policy tab and either create a new policy or modify an existing one. Open the Group Policy snap-in and go down through User Configuration, Windows Settings, Scripts (Logon/Logoff).
Double-click the script in the details pane and click Add. Browse for the script file you want to add and add any additional parameters you may need.
109. You are administrator of a Windows 2000 domain. The domain has an OU named North. You want to standardize the start menu for the users in the North OU. Some members of the Domain Admins group are in the North OU. Folders and shortcuts that form the standardized start menu are on the network at \\server2\menu. The Everyone group has Change permission on the menu share.
You want to accomplish the following goals:
Each member of the domain admin group will have a separate start menu that the member can change.
All users in the North OU, except members of the Domain Admins Group, will use the \\server2\menu start menu.
Users who use \\server2\menu start menu will not be able to change the contents of the start menu.
Each user who is not a member in the North OU will have a separate start menu that the user can change.
You take the following actions:
Create a new GPO named Menu.
Assign the Menu GPO to the NORTH OU.
Configure the Menu GPO to redirect the start menu folder for the Domain Users Group to \\server2\menu.
Change the permissions on the Menu GPO to deny Apply Group policy permission to the Domain Admins.
Which results do these actions produce? (Choose all that apply)
A. Each member of the Domain Admin Group will have a separate start menu that the member can change.
B. All users in the North OU, except members of the Domain Admins Group, will use the \\server2\menu start menu.
C. Users who use \\server2\menu start menu will not be able to change the contents of the start menu.
D. Each user who is not a member in the North OU will have a separate start menu that the user can change.
Answer: A, B, D
A - Is true because you have denied the Domain Admins group the Apply Group Policy permission on the GPO.
B - Is true because you have assigned it to the North OU and have only excluded the Domain Admins group.
C - Is not true because all users still have the Change permission on the menu share.
D - Is true because you have assigned the GPO only to the North OU. Users outside of that OU will not be affected.
110. You are administrator of a Windows 2000 network. You are configuring RIS to deploy Windows 2000 Professional on new client computers. New users report that when they attempt to install their computers, they are unable to get an IP address.
What should you do?
A. Authorize the DHCP server in the DHCP console.
B. Configure each computer to boot from a remote installation boot disk.
C. Create a reservation in DHCP for each client.
D. Start the Boot Information Negotiation Layer (BINL) service on the RIS server.
Answer: A
Microsoft Article #Q244036 PXE interaction with DHCP and RIS
There can be a few things causing this.
If the new computers do not have a PXE-compliant NIC, they will not be able to boot to the network to get an address. In that case they would have to boot with a disk created with RBFG.exe, provided they have a NIC supported by RBFG.exe.
If the computers' NICs are supported, then the problem is most likely with the DHCP server. DHCP is a requirement for RIS.
The clients may not be able to obtain a lease from the DHCP server because:
The DHCP server is not configured properly
The DHCP server is not authorized in AD
There are no leases available for these new computers
Reservations do not need to be created for the clients. They will obtain addresses just like any other client.
BINL helps with RIS; however, it has nothing to do with clients getting an IP address. The IP address is obtained before the client makes any attempt to contact the RIS server.
111. You want to use RIS to deploy Windows 2000 Professional to your computers. You need to find out the GUIDs of the computers in your network.
What should you do?
A. Use Network Monitor to capture and view the DHCPDiscover packets. Then search for GUID.
B. Use Network Monitor to capture and view the DHCPOffer packets. Then search for GUID.
C. Use Network Monitor to capture and view the DNS query packets. Then search for GUID.
Answer: A
Microsoft Article #Q169289 DHCP Basics
The Globally Unique Identifier (GUID) is supplied by the manufacturer. Since the computer does not have an IP address when it first boots up, it can only provide the DHCP server its GUID for communications. The first packet that is sent to the DHCP server in an effort to lease an IP address is the DHCPDiscover packet.
A RIS client with a PXE remote boot ROM has to use a unique identifier (the globally unique identifier, or GUID) so that it can be distinguished from other PXE systems on the network. The client's GUID is placed in DHCPDiscover packets during client startup. So, capture these packets and search for the GUID.
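To show where in the DHCPDiscover packet the GUID actually sits, here is an added Python example that is not part of the original dump: it constructs a minimal PXE DHCPDiscover frame (a constructed sample, not a capture) and parses the options to pull out the client machine identifier. The GUID is carried in DHCP option 97 (client machine identifier); the MAC address, GUID value and transaction id used are constructed values.

```python
import struct
import uuid

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE, OPT_VENDOR_CLASS, OPT_CLIENT_MACHINE_ID = 53, 60, 97
DHCPDISCOVER = 1


def build_discover(mac, guid, xid=0x1234ABCD):
    """Construct a minimal PXE DHCPDiscover packet (sample data, not a capture)."""
    # Fixed BOOTP header: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0,
    # xid, secs=0, flags with the broadcast bit set, and four zeroed addresses
    # (ciaddr, yiaddr, siaddr, giaddr); the client has no IP address yet.
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += mac.ljust(16, b"\0")          # chaddr: 16 bytes, MAC in the first 6
    header += b"\0" * 64 + b"\0" * 128      # sname and file, unused here
    options = (
        bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_VENDOR_CLASS, len(b"PXEClient")]) + b"PXEClient"
        + bytes([OPT_CLIENT_MACHINE_ID, 17, 0]) + guid   # type 0 = GUID, 16 bytes
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC_COOKIE + options


def parse_options(packet):
    """Walk the DHCP options field and return {code: raw value}."""
    if packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def extract_pxe_guid(packet):
    """Return (mac, guid) for a DHCPDiscover carrying a PXE GUID, else None.

    Packets with op != 1 (e.g. a DHCPOffer from the server) are rejected, which is
    why capturing the Discover packets, not the Offers, is the right choice.
    """
    if packet[0] != 1:
        return None
    opts = parse_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPDISCOVER]):
        return None
    ident = opts.get(OPT_CLIENT_MACHINE_ID)
    if ident is None or len(ident) != 17 or ident[0] != 0:
        return None
    hlen = packet[2]
    mac = packet[28:28 + hlen].hex(":")
    return mac, str(uuid.UUID(bytes=ident[1:]))   # raw wire byte order kept


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", bytes(range(16)))
    print(extract_pxe_guid(pkt))
```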
112. You are the network administrator of a Windows 2000 domain. The domain has an Organizational Unit (OU) named Sales. All users in the Sales OU use an application named Planning. The Planning application is deployed by using a Group Policy object (GPO) named Planning App on the Sales OU. The Planning App GPO is configured to assign the Planning application to users by using a Microsoft Windows Installer Package for the application. The Planning application will be replaced by another application in the next month.
You want to accomplish the following goals:
Users who have not yet installed the Planning application will be prevented from installing the application.
Users who have already installed the Planning application will be able to continue to use it.
If key application files are missing when the Planning application starts, the missing files will be reinstalled automatically.
If the vendor of the Planning App releases a software patch by using a Windows Installer package, you will be able to assign the patch to only the users who have already installed the application.
You take the following actions:
Create a new software category named Optional Apps.
Configure the Planning App GPO to add the Planning application to the Optional Apps software category.
Configure the Planning App GPO to remove the Planning application, but select the option to allow users to continue to use the software.
Which results do these actions produce? (Choose all that apply)
A. Users who have not yet installed the Planning application will be prevented from installing the application.
B. Users who have already installed the Planning application will be able to continue to use it.
C. If key application files are missing when the Planning application starts, the missing files will be reinstalled automatically.
D. If the vendor of the Planning App releases a software patch by using a Windows Installer package, you will be able to assign the patch to only the users who have already installed the application.
Answer: A, B
A - Is correct: since you are no longer managing the application, users will not be able to install it.
B - Is correct: since you chose the option to allow users to continue using the software, it will not be uninstalled.
C - Is wrong because users will not be able to repair their installations; the application is no longer being managed.
D - Is incorrect because you can redeploy it to the OU, but it will then be available to all users again.
Microsoft Article #Q226936 Patching Software Already Deployed
Microsoft Article #Q242479 Windows Installer Technologies Overview
Microsoft Article #Q314934 Remotely Install Software
Microsoft Article #Q240976 MSI Best Practice
Microsoft Article #Q231747 Microsoft Installer - Non-MSI files
Microsoft Article #Q224330 Assigning MSI's
Microsoft Article #Q302430 Assigning MSI's to a specific group
Microsoft Article #Q257718 3rd Party MSI's
Microsoft Article #Q236943 Working with Transforms (.MST files)
113. You are the network administrator of a Windows 2000 network. The network consists of 500 Windows 2000 Professional computers. You recently discovered that users of these computers have been using the same passwords since their accounts were created. You need to correct this problem to maintain security in the network. You create a Group Policy object (GPO) and filter it to the users. You want to configure the GPO to require users to create a different password periodically.
Which two should you enable?
A. Minimum password length
B. User must log on to change the password
C. Enforcement of password history
D. Minimum password age
E. Maximum password age
Answer: C, E
"Enforce Password History" sets how frequently old passwords can be reused. "Maximum Password Age" determines how long users can keep a password before they have to change it (note that a value of zero specifies that passwords don't expire). The aim is to periodically force users to change their passwords, while preventing them from using the same or a small pool of the same passwords.
114. You are the administrator of a Windows 2000 network that has only one domain. You are configuring the network security settings for the domain's Windows 2000 Professional users. Your Sales team uses portable computers and Routing and Remote Access to connect to the company's network. Sales users need local Administrator rights to their computers so that they can run a third party application. You want to configure the computers to prevent the users from modifying their existing network connections.
What should you do?
A. On each portable computer, create only the permitted LAN and Routing and Remote Access connection. At the server, configure the Sales user accounts to permit connections only to the specific computers.
B. Create a system policy to hide Network Neighborhood and disable registry editing tools. Apply this policy to all the Sales users.
C. Create a Group Policy object (GPO) for the domain. Filter the GPO for the Sales users. Configure the GPO to deny the Sales users access to the properties of the LAN or Remote and Routing Access connection.
D. Create a Group Policy object (GPO) for the domain controllers container. Filter the GPO for the Sales users. Configure the GPO to deny the sales users access to the Network Connection Wizard.
Answer: C
To prevent the Sales users from modifying their network connections, you would configure a policy for all Sales users that disables access to the properties of the LAN and RRAS connections. The filtered GPO created in C will prevent the Sales users from accessing the properties of the LAN or their RRAS connection.
There are several GPO policies that can be configured to prevent the modification, creation, or deletion of network-related connections. They can be found under User Configuration, Windows Settings, Administrative Templates, Network, Network and Dial-up Connections.
115. You are the network administrator of a Windows 2000 network. Users in an Organizational Unit (OU) named PROCS need to have a drive mapped to a network location. These users log on from Windows 2000 Professional computers. You want to use a logon script named USERLOG.CMD to implement this drive mapping for all current and future users in the PROCS OU.
What should you do?
A. Copy USERLOG.CMD to the NETLOGON share on each domain controller in the domain. Select each user in the PROCS OU and set the logon script to USERLOG.CMD.
B. Copy USERLOG.CMD to the SYSVOL share on each domain controller. Assign read permission to the file for all users in the PROCS OU.
C. Create a Group Policy object (GPO) that enforces USERLOG.CMD as a logon script. Assign the GPO to the PROCS OU.
D. Create a Group Policy object (GPO) that enforces USERLOG.CMD as a startup script. Assign the GPO to the PROCS OU.
Answer: C
A - Is not correct. Even though the logon script does need to be in the NETLOGON share so that users can access it, you do not need to configure each user to run it. It is more efficient to use a GPO so that all current and future users of the PROCS OU will use it.
B - Is not correct because logon scripts should be placed in the NETLOGON share.
C - Is correct because logon scripts are run as the user logs on to the desktop.
D - Is not correct because startup scripts are run before the user sees the logon prompt, and they are associated with the computer, not with users.
To deploy a .cmd script, create a GPO (or use local group policy) that specifies the .cmd file as a logon script.
Per Windows 2000 Help:
Scripts - Logon/Logoff. You use this extension, located under the User Configuration node, to specify scripts that are to run when the user logs on or off the computer. These scripts are run as User, not Administrator.
Though the below only mentions .VBS and .JS files, scripts can be .BAT and .CMD files as well.
Windows 2000 includes Windows Script Host, a language-independent scripting host for 32-bit Windows platforms that includes both Visual Basic Scripting Edition (VBScript) and JScript scripting engines. You can use Windows Script Host to run .vbs and .js scripts directly on the Windows desktop or command console, without the need to embed those scripts in an HTML document.
These can be deployed locally or through GPOs with the following method. Go to the properties of the Computer, Domain, Site, or OU object at which you want to create the policy. Go to the Group Policy tab and either create a new policy or modify an existing one. Open the Group Policy snap-in and go down through User Configuration, Windows Settings, Scripts (Logon/Logoff).
Double-click the script in the details pane and click Add. Browse for the script file you want to add and add any additional parameters you may need.
116. You are the network administrator of a Windows 2000 network. Your company has 3 locations in North America and 3 locations in Europe. Your network includes 6 sites as shown in the exhibit.
The site link between NorthEast and England is unreliable. What should you do?
A. Create an SMTP site link between the NorthEast site and the England site.
B. Create an IP site link between the NorthEast site and the England site.
C. Create an SMTP site link bridge between the NorthEast site and the England site.
D. Create an IP site link bridge between the NorthEast site and the England site.
Answer: A
Windows 2000 Documentation Replication
SMTP replication. SMTP replication is only used for replication over site links (inter-site), and not for replication within a site (intra-site). Because SMTP is asynchronous, it typically ignores all schedules.
If you choose to use SMTP over site links, you must install and configure an enterprise certification authority. The certification authority (CA) signs SMTP messages that are exchanged between domain controllers, ensuring the authenticity of directory updates. SMTP replication uses 56-bit encryption.
Per Syngress/Osborne Study Guide for 217 (page 579) - SMTP links are better for very slow connections, intermittent connections, and intrasite connections that may not be based on IP, but can pass SMTP messages. Our connection is unreliable so it would be best to use SMTP over IP.
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
A site-link bridge is a collection of two or more site links that provides a structure to build transitive links between sites and evaluate the least-cost path. For example, you may have three sites, A, B, and C, and you may create the following site links:
A-----(3)-----B-----(4)-----C
Note that the costs are in parentheses ().
117. You are the network administrator for your company. You are deploying Windows 2000 Professional on your network by RIS. Your company has several departments. To expedite the deployment of Windows 2000 and other third-party applications, you have created a group named Department Managers. You want to allow members of the Department Managers group access to create custom images and post them to the RIS servers for deployment. In addition, you want to allow members of the group to install client computers from the RIS server.
What should you do?
A. Grant the department managers group Read and Write permissions to the Remoteinstall folder.
B. Grant the department managers group Read and Write permissions to the Oschooser folder.
C. Grant the department managers group Full Control permissions to the RIPrep.exe.
D. Grant the department managers group Full Control permissions to the SysPrep utility.
E. Grant the department managers group Read and Write permissions to the admin folder.
Answer: A
Microsoft Article #Q298750 Setup and Configure Remote Installation Services
The Remoteinstall folder is the folder that images are stored in for Remote Installation Services. The department managers will need Read and Write permissions to that folder to be able to add images to it.
118. Your company's network consists of two Windows 2000 domains: contoso.com and newyork.contoso.com. The newyork.contoso.com domain contains three organizational units (OUs): Sales, Marketing, and Finance. You are a member of the Domain Admins group in newyork.contoso.com. An employee named Maria can reset passwords for the Finance OU. Maria will be moving to the Sales OU and no longer needs access to the Finance OU.
What should you do?
A. In the Delegation of Control wizard. Specify that Maria cannot reset passwords for the domain controller to which Maria's user account authenticates.
B. Clear the Trust computer for delegation check box in the properties for the domain controller to which Maria's user account authenticates.
C. In the security properties of the Finance OU, remove Maria's right to reset passwords.
D. Copy Maria's user account to sales OU and then delete the account.
Answer: C
A - You use the Delegation of Control wizard to assign control to users, not to take it away.
B - This check box has nothing to do with Maria being able to change passwords in the OU, and clearing it would have far more impact on Maria's ability to access the domain than what you want.
C - Maria needs to have her reset password permission to the Finance OU removed.
D - When you copy a user's account, the copy retains the group memberships and permissions associated with the original. This is like using a template, which is designed for that purpose: making it easier and more consistent to create new accounts that need the same access and group membership.
119. You are the administrator of your company's Windows 2000 network. The network consists of a single domain, which contains all company user and computer accounts. A new corporate policy states that no employees can have access to the network by means of remote connections. You discover that some employees have configured their Windows 2000 computers as remote access servers. You want to ensure that employees cannot configure their computers to use Routing and Remote Access.
What should you do first?
A. Configure the Default Domain Group Policy object (GPO) to disable the Routing and Remote access service.
B. Create a remote access policy that allows only approved routing and remote access servers to establish connections.
C. Configure the Default Domain Group Policy object (GPO) to prohibit the configuration of connection sharing.
D. Configure the default domain group policy object (GPO) to prohibit the connecting and disconnecting of a remote access connection.
Answer: A
A - Under the Domain GPO you can set the RRA to Disabled under Computer Configuration, Windows Settings, Security Settings, System Services, Routing and Remote Access.
B - A remote access policy is not going to prevent users from setting up their computers to be dialed into.
C - Users are not sharing their connection; they are allowing other users to dial into their computers to connect to the network. Connection sharing allows a user to configure their system as an Internet gateway.
D - The connecting and disconnecting of a remote access connection setting determines if users can use the Connect or Disconnect options of dialup connections. You could do this and they would not be able to connect to your network, but they would not be able to connect to anything else either.
Per W2k Policy Explanation - You would actually also have to disable the "Enable status statistics for an active connection" policy. Otherwise users can connect and disconnect from the Status page.
120. You are the administrator of your company's network. The network consists of a single DNS domain. A windows NT server 4.0 computer named server1 hosts the primary DNS zone for the domain. You install a new Windows 2000 server computer named server2 to function as the first domain controller in the network. Server2 contains a secondary zone for the domain.
During the installation of active directory, you choose to manually update DNS so that it contains the Active directory resource records.
You need to import these records from server2 into DNS. What should you do?
A. Import the contents of the Netlogon.dns file to the standard primary zone file on server1, and then restart the DNS server service on both servers.
B. Import the contents of the Netlogon.dns file to the standard secondary zone file on server2, and then restart the DNS server service on both servers.
C. Import the contents of the root.dns file to the standard primary zone file on Server1,and then restart the Net Logon service on Both servers.
D. Import the contents of the Root.dns file to the standard secondary zone file on Server2,and then restart the Net logon service on both servers.
Answer: A
The secondary zone is a read-only copy of the primary zone so changes cannot be made to that zone and replicated. The changes will have to be made to the primary zone.
Microsoft Article #Q255913
Every Windows 2000 DC has a Netlogon.dns file located in its %SystemRoot%\System32\Config folder. This file contains a list of DNS records that the DC will attempt to register when the Netlogon service starts. It is a good idea to make a copy of this file before making the following changes so that you will have a list of the original records that the DC tries to register with the DNS server. Note that each DC will have different records because these records are specific to each network adapter on each DC. Examine the Netlogon.dns file to identify all A records in the file. You can identify A records by the record type following the "IN" class descriptor.
Microsoft Article #Q178169
As a function of the Netlogon service, Windows 2000 domain controllers can register one or more DNS records. When you view the properties for records that are prefixed with "_ldap", note that these entries are Service Location (SRV) records, that are used in identifying an available service on a host. In the following descriptions, DnsDomainName refers to the DNS domain name used during promotion of the server when the domain tree is joined or created. DnsTreeName refers to the DNS domain name of the root domain. To identify the correct DNS entries that should exist for the Windows 2000 installation, locate and open the Netlogon.dns text file in the %SystemRoot%\System32\Config folder.
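The two articles above describe how Netlogon.dns lists the records a DC tries to register. The following is an added example (not from the dump or from Microsoft) that parses that format, picks out the A records by the type that follows the "IN" class descriptor, and diffs the list against a primary zone file to confirm a manual import left nothing out; the Netlogon.dns content, the server1 zone file and the addresses are constructed.

```python
"""Parse Netlogon.dns and check a primary zone for the records it lists.

Added example, not from the original page or from Microsoft. The Netlogon.dns
content and the server1 zone file below are CONSTRUCTED for a fictional DC
dc1.contoso.com at 10.0.0.5; the line format (owner TTL IN type data) is the
one Netlogon.dns uses. A records are recognised, as Q255913 says, by the
record type that follows the "IN" class descriptor.
"""
from dataclasses import dataclass

SAMPLE_NETLOGON_DNS = """\
contoso.com. 600 IN A 10.0.0.5
gc._msdcs.contoso.com. 600 IN A 10.0.0.5
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 dc1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 dc1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc1.contoso.com.
"""

# Constructed primary zone on server1 after an incomplete manual import:
# the SRV records were pasted in but the two A records and _kpasswd were not.
SAMPLE_PRIMARY_ZONE = """\
$ORIGIN contoso.com.
@ 3600 IN SOA server1.contoso.com. hostmaster.contoso.com. ( 2002051601 900 600 86400 3600 )
@ IN NS server1.contoso.com.
server1 IN A 10.0.0.2
dc1 IN A 10.0.0.5
_ldap._tcp 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.gc._msdcs 600 IN SRV 0 100 3268 dc1.contoso.com.
_kerberos._tcp 600 IN SRV 0 100 88 dc1.contoso.com.
_kerberos._tcp.dc._msdcs 600 IN SRV 0 100 88 dc1.contoso.com.
_gc._tcp 600 IN SRV 0 100 3268 dc1.contoso.com.
"""


@dataclass(frozen=True)
class Record:
    name: str      # fully qualified, lower-case, no trailing dot
    rtype: str     # A, SRV, NS, SOA, ...
    rdata: tuple   # remaining tokens, e.g. ("0", "100", "389", "dc1.contoso.com.")


def qualify(owner, origin):
    """Turn an owner name into a fully qualified, comparable form."""
    owner = owner.lower()
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner.rstrip(".")
    return f"{owner}.{origin}" if origin else owner


def parse_zone_lines(text, origin=None):
    """Parse master-file style lines (Netlogon.dns or a zone file).

    Handles $ORIGIN, '@' and relative owners, an optional TTL and an optional
    'IN' class. Comments (';') and blank lines are skipped. Multi-line
    parenthesised records are not handled; the sample keeps the SOA on one line.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():         # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":   # optional class descriptor
            rest = rest[1:]
        records.append(Record(qualify(owner, origin), rest[0].upper(), tuple(rest[1:])))
    return records


def records_by_type(records, rtype):
    return [r for r in records if r.rtype == rtype.upper()]


def missing_from_zone(netlogon_records, zone_records):
    """Records the DC will try to register that the primary zone still lacks."""
    present = {(r.name, r.rtype, r.rdata) for r in zone_records}
    return [r for r in netlogon_records if (r.name, r.rtype, r.rdata) not in present]


if __name__ == "__main__":
    wanted = parse_zone_lines(SAMPLE_NETLOGON_DNS)
    zone = parse_zone_lines(SAMPLE_PRIMARY_ZONE)
    print("A records the DC registers:", [r.name for r in records_by_type(wanted, "A")])
    for r in missing_from_zone(wanted, zone):
        print("missing from server1:", r.name, r.rtype, " ".join(r.rdata))
```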
121. You are the administrator of your company's windows 2000 network. The network contains 10 windows 2000 server computers. You need to create a strict network security policy . You create a security template named Hisecsrvr.inf.
What should you do next?
A. Schedule the secedit /analyze /DB config.sdb /CFG hisecsrvr.inf /quiet command and the secedit /configure /DB config.sdb /quiet command to run on each server.
B. In the local security policy on each server, export the local policy settings to the Hisecsrvr.inf file, and then move the template to the %systemroot%\system32\security folder on each server.
C. Schedule the poledit /analyze /DB config.sdb /CFG hisecsrvr.inf /quiet command and the poledit /configure /DB config.sdb /quiet command to run on each server.
D. In the Local Security Policy on each server, export the effective policy settings to the Hisecsrvr.inf file, and then move the template to the %systemroot%\system32\security folder on each server.
Answer: A
Per W2k Server Help: Secedit.exe is a command line tool that, when called from a batch file or automatic task scheduler, can be used to automatically create and apply templates and analyze system security. Secedit.exe can also be run dynamically from a command line.
Secedit /analyze /DB filename /CFG filename /quiet
/analyze - checks the system security against the file indicated with the /DB switch.
/DB filename - provides the path to the database that contains the stored configuration that the system will be compared to. If the filename is a new database, the /CFG filename argument must be used.
/CFG filename - used only with /DB; it provides the path to the security template that will be imported into the database for analysis.
/quiet - disables the screen and log output.
Secedit /configure /DB filename /quiet
/configure - configures the system security by applying a stored template.
/DB filename - provides the path to the database that contains the security template that is going to be applied.
/quiet - disables the screen and log output.
122. You are the administrator for your company's Windows 2000 network. You have three domain controllers with Active Directory Services deployed. After one of the servers crashes, you decide that you must perform an authoritative restore on the system. You restore the entire directory and override the version increase. You then want to verify that the authoritative restore was successful by checking the version number increase on the directory.
Which tool should you use?
A. LDP
B. Replmon
C. Repadmin
D. Ntdsutil
Answer: C
Microsoft Article #Q229896
Repadmin.exe is a Microsoft Windows 2000 Resource Kit tool that is available in the Support Tools folder on the Windows 2000 CD-ROM. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication, and is useful for troubleshooting Active Directory replication problems. This article describes the basic use of the Repadmin.exe tool.
123. You are the administrator for a Windows 2000 network that uses Active Directory. You are specifying deployment options for a software package that will deploy Microsoft Outlook 2000 to all Windows 2000 desktops in your company. You also created a transforms file that you want to use in the software package to customize the install. You select the Modifications tab in the Windows 2000 Administration Tools Properties dialog box. What should you do from this tab?
A. Add the transforms file to the software package
B. Edit installation options for the transforms file
C. Set up application categories for the transforms file
D. Set automatic installation options based on the transforms file
Answer: A
When creating the software distribution you have to select the Advanced published or assigned deployment method when working with a transform file (.MST). You can then configure the package to use the MST file in the Modifications tab. MST files cannot be added to an already published or assigned package, they have to be handled differently.
Microsoft Article #Q236943 Working with Transforms
When you are using Active Directory to assign or publish programs, you can update deployed software. With standard MSI files, you can apply a patch (.msp) file and redeploy the software by using the Software Installation section in the Group Policy Microsoft Management Console (MMC). However, a transform (.mst) file must be handled differently and does not allow for redeployment.
124. Your company recently hired a Directory Services Administrator to oversee the different directory services running on your network. You have three domains, named weconsult.com, account.com, and sales.com. You need to give the Directory Services Administrator permissions to perform the following tasks in the weconsult.com domain only:
Delete sites, site links, subnets, and inter-site transports.
Create and manage user accounts and groups in the weconsult.com domain.
Back up and restore Active Directory.
Manage DNS and Active Directory integration.
Extend the schema
You created a user object for the Directory Engineer and granted membership in the Domain Admins global group, the Schema Admins group, and the Account Operators and Backup Operators domain local groups.
Which tasks can the Directory Engineer perform? (Choose all that apply.)
A. Extend the schema
B. Back up and restore Active Directory
C. Manage DNS and Active Directory integration
D. Delete sites, site links, subnets, and inter-site transports
E. Create and manage user accounts and groups in the weconsult.com domain
Answer: A,B,C,E
W2k Resource Kit and W2k Server Help: Domain Administrator - The Domain Admins global group can represent the users who have broad administrative rights in a domain. Windows 2000 Server places all users with an Administrator account into this group automatically. Because Windows 2000 Server supports administration and delegation of authority, you should not have to grant these broad administrative rights to many users. In fact, it is recommended that you limit the number of users that you place in the Domain Admins group. By default, the Domain Admins group in a domain is a member of the Administrators group in the same domain and has complete control over every object in the domain. It does not contain any user accounts by default.
Schema Administrator - The Active Directory Schema console allows members of the Schema Administrators group to manage the schema through a graphical interface. With it, you can create and modify classes and attributes and also specify what attributes are indexed and what attributes are replicated to the Global Catalog. After you start the Active Directory Schema console, the first thing that you must do is to make sure that the tool is focused on the schema master for your enterprise.
Account Operator - Members can administer domain user and group accounts.
Backup Operator - Members have the right to perform backup/restore operations for any file or folder on the computer regardless of their rights to the file or folder. They can also back up the local System State data; however, they are not able to restore the System State data because they do not have the right to log on to the DC in Directory Services Restore Mode. Only members of the Domain Administrators group have that right.
B - is correct because Domain Administrators can restore the System Data State of any DC in their domain.
D - is not correct because by default only users in the Enterprise Admins group can create or modify routing links if there are multiple domains in your organization. For users in the Domain Admins group to be able to create or modify routing links, they will need to be granted the Create All Child Objects permission for the MsmqServices object.
125. You are the administrator of your company's Windows 2000 network. The network contains 5,000 computers running Windows 2000 Professional. All client computers use dynamic update and DHCP. The network also contains three DNS servers: server1, server2, and server3. Server1 runs Windows 2000 Server and functions as the primary master server. Server2 and server3 are Unix servers that are running the latest version of BIND DNS. Server2 and server3 also function as secondary servers. The DNS servers replicate the DNS zone each day. You want to minimize replication traffic and ensure that the zone on each server is properly synchronized.
What should you do?
A. Configure server2 and server3 to request the incremental zone transfer method, and then set up zone transfer notification from server1 to server2 and server3.
B. Decrease TTL of DNS record in the domain
C. Configure server2 and server3 to request the incremental zone transfer method, and then set up zone transfer notification from server2 and server3 to server1.
D. Increase TTL of DNS record in the domain
Answer: A
(Updated 4/22/02)
You set the Primary server up to notify the secondary servers of changes. Secondaries cannot make changes to the zone, so they have no reason to notify the primary of any changes.
Windows 2000 TechNet
Incremental zone transfers are described in RFC 1995 as an additional DNS standard for replicating DNS zones. When incremental transfers are supported by both a DNS server acting as the source for a zone and any servers that copy the zone from it, it provides a more efficient method of propagating zone changes and updates.
In earlier DNS implementations, any request for an update of zone data required a full transfer of the entire zone database using an AXFR query. With incremental transfer, an alternate query type (IXFR) can be used instead. This allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, either a primary or secondary copy of the zone maintained by another DNS server.
Zone transfers are always initiated at the secondary server for a zone and sent to their configured master servers which act as their source for the zone. Master servers can be any other DNS server that loads the zone, such as either the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial or full transfer of the zone to the secondary server.
DNS Notify
Windows DNS servers support DNS Notify, an update to the original DNS protocol specification that permits a means of initiating notification to secondary servers when zone changes occur (RFC 1996). DNS notification implements a push mechanism for notifying a select set of secondary servers for a zone when it is updated. Servers that are notified can then initiate a zone transfer as described above to pull zone changes from their master servers and update their local replicas of the zone.
For secondaries to be notified by the DNS server acting as their configured source for a zone, each secondary server must first have its IP address in the notify list of the source server. When using the DNS console to manage zones loaded at Windows 2000 DNS servers, this list is maintained in the Notify dialog box, which is accessible from the Zone Transfer tab located in zone Properties.
In addition to notifying the listed servers, the DNS console permits you to use the contents of the notify list as a means to restrict or limit zone transfer access to only those secondary servers specified in the list. This can help prevent an undesired attempt by an unknown or unapproved DNS server to pull, or request, zone updates.
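To make the IXFR, DNS Notify and notify-list behaviour above concrete, here is an added example (not from the dump or from Windows 2000 DNS) that models the master side of the question 125 setup: server1 notifies its listed secondaries, answers an incremental request with only the serials the requester is missing, falls back to a full transfer when its change history does not reach back far enough, and refuses a server that is not on the notify list. Zone contents, serials and addresses are constructed.

```python
"""Master-side model of DNS zone replication for question 125: NOTIFY the
listed secondaries (RFC 1996), answer IXFR with only the changes since the
requester's serial when the master still holds them (RFC 1995), fall back to
a full AXFR otherwise, and refuse requests from servers not on the notify
list when transfers are restricted to that list.

Added example, not from the original page or from Windows 2000 DNS. Zone
contents, serials and IP addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ZoneMaster:
    origin: str
    serial: int
    records: set                    # current zone as (name, type, rdata)
    notify_list: list               # secondaries to notify (their IPs)
    restrict_to_notify_list: bool = True
    history: dict = field(default_factory=dict)   # serial -> (added, removed)

    def apply_change(self, added=(), removed=()):
        """Commit an edit, bump the SOA serial, keep the delta for IXFR and
        return the NOTIFY messages to send (one per listed secondary)."""
        added, removed = set(added), set(removed)
        self.records = (self.records - removed) | added
        self.serial += 1
        self.history[self.serial] = (added, removed)
        return [("NOTIFY", ip, self.origin, self.serial) for ip in self.notify_list]

    def handle_transfer(self, requester_ip, requester_serial, query="IXFR"):
        """Answer a pull from a secondary. 'kind' is REFUSED, UP_TO_DATE,
        IXFR (ordered per-serial deltas) or AXFR (the whole zone)."""
        if self.restrict_to_notify_list and requester_ip not in self.notify_list:
            return {"kind": "REFUSED"}
        if requester_serial >= self.serial:
            return {"kind": "UP_TO_DATE", "serial": self.serial}
        needed = range(requester_serial + 1, self.serial + 1)   # lazy range
        if query == "IXFR" and all(s in self.history for s in needed):
            return {"kind": "IXFR", "serial": self.serial,
                    "deltas": [(s, self.history[s]) for s in needed]}
        # History does not reach back far enough (or AXFR was asked for):
        # RFC 1995 says the master then sends the full zone instead.
        return {"kind": "AXFR", "serial": self.serial, "records": set(self.records)}


@dataclass
class ZoneSecondary:
    ip: str
    serial: int
    records: set

    def pull(self, master, query="IXFR"):
        """Request changes from the master and apply whatever comes back."""
        reply = master.handle_transfer(self.ip, self.serial, query)
        if reply["kind"] == "IXFR":
            for serial, (added, removed) in reply["deltas"]:
                self.records = (self.records - removed) | added   # deletions first
                self.serial = serial
        elif reply["kind"] == "AXFR":
            self.records, self.serial = set(reply["records"]), reply["serial"]
        return reply["kind"]


def demo():
    base = {("contoso.com", "A", "10.0.0.2"), ("www.contoso.com", "A", "10.0.0.10")}
    server1 = ZoneMaster("contoso.com", 2002051601, set(base),
                         notify_list=["10.0.0.20", "10.0.0.21"])
    server2 = ZoneSecondary("10.0.0.20", server1.serial, set(base))
    server3 = ZoneSecondary("10.0.0.21", 0, set())        # fresh, empty copy
    unlisted = ZoneSecondary("192.0.2.99", 0, set())      # not an approved secondary

    notices = server1.apply_change(added={("mail.contoso.com", "A", "10.0.0.11")})
    server1.apply_change(removed={("www.contoso.com", "A", "10.0.0.10")},
                         added={("www.contoso.com", "A", "10.0.0.12")})
    results = {
        "notified": [n[1] for n in notices],
        "server2": server2.pull(server1),    # two serials behind -> incremental
        "server3": server3.pull(server1),    # no usable history -> full transfer
        "unlisted": unlisted.pull(server1),  # not on the notify list -> refused
    }
    results["in_sync"] = server2.records == server3.records == server1.records
    results["serials"] = (server2.serial, server3.serial, server1.serial)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```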
126. Your company's network consists of two domains: contoso.com and sales.contoso.com. The contoso.com domain contains one domain controller and one member server. You are a member of the Domain Admins group in sales.contoso.com. The sales.contoso.com domain contains two domain controllers, SalesDC1 and SalesDC2. The sales.contoso.com domain contains 50 Windows 2000 Professional computers. All operations master roles are located on SalesDC1. You want to temporarily take SalesDC1 offline for service. You want to create 3,000 new accounts in sales.contoso.com while SalesDC1 is offline.
What should you do?
Choose 3, one each for an Action, the role that action should be performed on, and the tool used to do it.
A. Transfer
B. Seize
C. Query
D. Infrastructure Master
E. RID Master
F. PDC Emulator Master
G. Schema Master
H. Domain Naming Master
I. AD Users and Computers
J. AD Replication Monitor
K. AD Domain and Trust
L. AD Sites and Services
Answer: A,E,I
Action: Transfer
Role: RID Master
Method (Tool) Used: NTDSUtil or AD Users & Computers
Not sure how this is actually set up, but since you are voluntarily taking SalesDC1 offline you should transfer the roles needed to another DC. By default, demoting a DC will transfer any roles it holds to another DC. If the server fails without transferring roles, then you will have to use NTDSUtil to seize control of the RID Master.
Microsoft Article #Q223787 FSMO Transfer and Seizure Process
This article describes how Flexible Single Master Operations (FSMO) roles are transferred from one domain controller to another and how this role can be forcefully appointed in the event that the domain controller that previously held the role is no longer available. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.
Microsoft Article #Q197132 Windows 2000 Active Directory FSMO Roles
The Microsoft Windows 2000 Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. It is a hierarchical, multi-master enabled database, capable of storing millions of objects. Because it is multi-master, changes to the database can be processed at any given domain controller (DC) in the enterprise regardless of whether the DC is connected or disconnected from the network.
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
Microsoft Article #Q315131 Manage AD with NTDSUTIL.EXE
NTDSUTIL.EXE (AD Diagnostic Tool) is a command line utility used to perform maintenance and administration of the Active Directory database. One of the utility's functions is that it can be used to seize or transfer FSMO roles to specific DCs.
Per Windows 2000 help the below are the roles and the AD snap-ins used to manage them.
Schema Master - Active Directory Schema
Domain Naming Master - Active Directory Domains and Trusts
Relative Identifier Master - Active Directory Users and Computers
PDC Emulator - Active Directory Users and Computers
Infrastructure Master - Active Directory Users and Computers
127. Your company's network consists of two domains: contoso.com and sales.contoso.com. The contoso.com domain contains one domain controller and one member server. You are a member of the Domain Admins group in sales.contoso.com. The sales.contoso.com domain contains two domain controllers, SalesDC1 and SalesDC2. The sales.contoso.com domain contains 50 Windows 2000 Professional computers. All operations master roles are located on SalesDC1. You want to temporarily take SalesDC1 offline for service. You want to ensure that Windows NT users can change their password in sales.contoso.com while SalesDC1 is offline.
What should you do?
Choose 3, one each for an Action, the role that action should be performed on, and the tool used to do it.
A. Transfer
B. Seize
C. Query
D. Infrastructure Master
E. RID Master
F. PDC Emulator Master
G. Schema Master
H. Domain Naming Master
I. AD Replication Monitor
J. AD Domain and Trust
K. AD Sites and Services
L. NTDSutil command
Answer: A,F,L
Action: Transfer
Role: PDC Emulator
Method (Tool) Used: NTDSUtil or AD Users and Computers
Since you are voluntarily taking SalesDC1 offline you should transfer the roles needed to another DC, not seize control. By default, demoting a DC will cause it to transfer any roles it holds to another DC. If the server fails without transferring roles, then you will have to use NTDSUtil to seize control of the PDC Emulator.
Microsoft Article #Q223787 FSMO Transfer and Seizure Process
This article describes how Flexible Single Master Operations (FSMO) roles are transferred from one domain controller to another and how this role can be forcefully appointed in the event that the domain controller that previously held the role is no longer available. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.
Microsoft Article #Q197132 W2k Active Directory FSMO Roles
The Microsoft Windows 2000 Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. It is a hierarchical, multi-master enabled database, capable of storing millions of objects. Because it is multi-master, changes to the database can be processed at any given domain controller (DC) in the enterprise regardless of whether the DC is connected or disconnected from the network.
In a Windows 2000 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Microsoft Article #Q315131 Manage AD with NTDSUTIL.EXE
NTDSUTIL.EXE (AD Diagnostic Tool) is a command line utility used to perform maintenance and administration of the Active Directory database. One of the utility's functions is that it can be used to seize or transfer FSMO roles to specific DCs.
Per Windows 2000 help the below are the roles and the AD snap-ins used to manage them.
Schema Master - Active Directory Schema
Domain Naming Master - Active Directory Domains and Trusts
Relative Identifier Master - Active Directory Users and Computers
PDC Emulator - Active Directory Users and Computers
Infrastructure Master - Active Directory Users and Computers
128. You are the administrator of your company's Windows 2000 network. The network consists of four AD sites as shown in the exhibit.
You want to achieve the following:
Directory replication from London to Los Angeles must take place through Atlanta.
Directory replication from New York to Los Angeles must take place directly.
You want to reconfigure site link cost to support these requirements.
Which costs should you assign to site links A and E?
A. A=76, E=68
B. A=32, E=36
C. A=26, E=25
D. A=22, E=27
Answer: C
(updated 4/22/02)
The way the current setup is, London will go through NY before AT because NY-LA = 80 and AT-LA = 105.
By reducing Link_E to 25, the route through AT to LA will have a total cost of 75 (Link_E + Link_B). Link_A really does not need to be changed in order for NY to go directly to LA, but leaving it alone is not an option here. So you have to make sure that Link_A has a higher value than E, or London will go through NY instead of AT. Answers B and D do not accomplish that. Answer A would make the cost directly between NY and LA (Link_A) so high (76) that it would cost less to get to LA through AT, at a cost of only 75. This violates your second requirement, so A is wrong.
Microsoft Article #Q199174
A site-link bridge is a collection of two or more site links that provides a structure to build transitive links between sites and evaluate the least-cost path. For example, you may have three sites, A, B, and C, and you may create the following site links:
A-----(3)-----B-----(4)-----C
Note that the costs are in parentheses ().
If site B is unavailable (if every domain controller in the site is unavailable), site A cannot replicate to site C because there is no site-A-to-site-C link. To resolve this problem, either create a site link from site A to site C with some cost, or create a site-link bridge that consists of links between site A and site B, and between site B and site C. The bridge infers a transitive link between site A and site C with a cost of 7.
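Both the Q199174 bridge example (costs 3 and 4 inferring a transitive cost of 7) and the question 128 reasoning come down to a least-cost path over bridged site links. The following is an added example (not from the dump or from Microsoft) that computes that path and then evaluates all four answer options of question 128; the exhibit is not reproduced on the page, so the costs of the three links the options leave alone are constructed to agree with the totals quoted above (London via NY = 80 and via Atlanta = 105 before the change, Atlanta to LA = 50).

```python
"""Least-cost replication path over bridged Active Directory site links.

Added example, not from the original dump. It reproduces the A-B-C bridge
case from Q199174 (transitive cost 7) and then evaluates the four cost
options from question 128. The exhibit is not reproduced on the page, so
the costs of the three links the options leave unchanged are CONSTRUCTED
to agree with the totals the explanation quotes: before the change London
via NY costs 80 and via Atlanta 105, and the Atlanta-LA leg (Link_B) is 50.
"""
import heapq


def least_cost_path(links, start, goal):
    """Dijkstra over an undirected, bridged set of site links.

    links: iterable of (site1, site2, cost). Returns (total_cost, [sites]),
    or (None, []) when no path exists. With site links bridged, the KCC
    infers a transitive link whose cost is the sum of the member links,
    which is exactly what a shortest-path search over the links computes.
    """
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best, prev, queue = {start: 0}, {}, [(0, start)]
    while queue:
        cost, site = heapq.heappop(queue)
        if site == goal:
            break
        if cost > best.get(site, float("inf")):
            continue                      # stale queue entry
        for nxt, c in graph.get(site, []):
            new = cost + c
            if new < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = new, site
                heapq.heappush(queue, (new, nxt))
    if goal not in best:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return best[goal], path[::-1]


# Q199174 example: A-----(3)-----B-----(4)-----C, bridged -> A to C costs 7.
KB_LINKS = [("A", "B", 3), ("B", "C", 4)]


def q128_links(link_a, link_e):
    """The five site links of question 128. Only Link_A (NY-LA) and Link_E
    (London-Atlanta) come from the answer options; the other three costs
    are constructed (see module docstring)."""
    return [
        ("NewYork", "LosAngeles", link_a),   # Link_A (from the option)
        ("Atlanta", "LosAngeles", 50),       # Link_B (constructed)
        ("London", "NewYork", 50),           # constructed
        ("NewYork", "Atlanta", 25),          # constructed
        ("London", "Atlanta", link_e),       # Link_E (from the option)
    ]


BEFORE_CHANGE = (30, 55)   # constructed Link_A, Link_E reproducing 80 / 105


def meets_requirements(link_a, link_e):
    """True when London->LA is routed through Atlanta AND NY->LA is direct."""
    links = q128_links(link_a, link_e)
    _, london_path = least_cost_path(links, "London", "LosAngeles")
    _, ny_path = least_cost_path(links, "NewYork", "LosAngeles")
    return (london_path == ["London", "Atlanta", "LosAngeles"]
            and ny_path == ["NewYork", "LosAngeles"])


Q128_OPTIONS = {"A": (76, 68), "B": (32, 36), "C": (26, 25), "D": (22, 27)}


def evaluate_options():
    """Map each answer option to whether both replication requirements hold."""
    return {opt: meets_requirements(a, e) for opt, (a, e) in Q128_OPTIONS.items()}


if __name__ == "__main__":
    print("Q199174 A->C:", least_cost_path(KB_LINKS, "A", "C"))
    for opt, ok in evaluate_options().items():
        a, e = Q128_OPTIONS[opt]
        print(f"Option {opt}: A={a} E={e} -> {'meets' if ok else 'fails'} requirements")
```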
129. Your company's network consists of a single Windows 2000 domain named contoso.com. You are a member of the domain admins group. Employees in the Northeast region often modify their display settings, which is against company policy. You link a Group Policy Object named NoDisplay to an OU named NorthEast. The NoDisplay Group Policy Object removes the settings tab from display in control panel. However, when you attempt to use display in control panel to change the display settings on your own computer, the settings tab is gone. You want only members of the domain admins group to be able to use the settings tab in display in control panel.
Which two courses of action can you take? (Each correct answer presents a complete solution. Choose two)
A. Create a security group named NorthEast, and add all nonadministrative users accounts in the Northeast OU to the northeast group. Grant only the northeast group the apply group policy permissions and the read permission for the NoDisplay Group Policy Object.
B. Create a security group named NorthEast, and add all nonadministrative computer accounts in the Northeast OU to the northeast group. Grant only the northeast group the apply group policy permissions and the read permission for the NoDisplay Group Policy Object.
C. Remove the domain admins group from the security list in the NoDisplay Group Policy Object
D. Remove the creator owner group from the security list in the NoDisplay Group Policy Object
E. Grant the Domain Admins group the full control: Allow permission for the NoDisplay Group Policy object
F. Grant the domain admins group the apply group policy: Deny permission for the Nodisplay GPO
Answer: A,F
C - Would work, but you are also removing the Domain Admins group's other permissions on the OU's GPO. Those permissions are Full Control, Read, Write, Create All Child Objects, Delete All Child Objects, and Apply Group Policy.
F - Is a better solution because denying the permission to Read or Apply Group Policy prevents the GPO from applying. Just clearing the Allow would be fine, but that is not presented in the choices.
Microsoft Article #Q315675
This step-by-step article describes how to keep domain group policies from also applying to administrator accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior and security settings for users and computers in a Windows 2000 network, and group policies can be applied to either users and/or computers, at the site, domain, or organizational unit level.
In most circumstances, if you want a group policy to apply only to specific accounts (either user accounts, machine accounts, or both), you can accomplish this by placing the accounts in an organizational unit, and then applying a group policy at that organizational unit level. However, there may be situations in which you want to apply a group policy to an entire domain, but you may not want those policy settings to also apply to administrator accounts or other specific users or groups. The following procedure can keep a group policy from applying to administrative accounts (or any other group or user account you specify) by editing the ACL (Access Control List) for the policy.
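The following Python model is an added illustration for question 129 and is not part of the original page. It evaluates the Read and Apply Group Policy permissions on a GPO the way Windows does (Deny wins over Allow, rights accumulate across every group in the token) and runs that evaluation against the default DACL and against options A, C and F. Group names stand in for SIDs, and the default DACL is the simplified list the page gives for a new Windows 2000 GPO; both are assumptions for the example.

```python
"""Added illustration for question 129 (not from the original page): a model
of how Windows evaluates the Read and Apply Group Policy permissions on a GPO,
run against the default DACL and against options A, C and F. Group names are
stand-ins for SIDs; the default DACL below is the simplified list the page
gives for a new Windows 2000 GPO (assumption)."""

from dataclasses import dataclass

READ = "Read"
WRITE = "Write"
APPLY = "Apply Group Policy"
FULL = frozenset({READ, WRITE, "Create All Child Objects",
                  "Delete All Child Objects", APPLY})


@dataclass(frozen=True)
class Ace:
    principal: str      # group or user the entry is for
    kind: str           # "Allow" or "Deny"
    rights: frozenset   # permissions named in the entry


def effective(acl, token_groups):
    """Collect the Allow and Deny rights a token with these groups accumulates."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in token_groups:
            (allowed if ace.kind == "Allow" else denied).update(ace.rights)
    return allowed, denied


def gpo_applies(acl, token_groups):
    """A GPO is processed for a principal only if the DACL grants it both Read
    and Apply Group Policy and no Deny for either right matches any group in
    its token: a Deny entry wins over every Allow."""
    allowed, denied = effective(acl, token_groups)
    return {READ, APPLY} <= allowed and not ({READ, APPLY} & denied)


def can_edit(acl, token_groups):
    """Opening a GPO in the editor needs Read and Write without a Deny on either."""
    allowed, denied = effective(acl, token_groups)
    return {READ, WRITE} <= allowed and not ({READ, WRITE} & denied)


# Default DACL of a new GPO (simplified; assumption based on the page's list).
DEFAULT_ACL = [
    Ace("Authenticated Users", "Allow", frozenset({READ, APPLY})),
    Ace("Domain Admins", "Allow", FULL),
    Ace("Enterprise Admins", "Allow", FULL),
    Ace("SYSTEM", "Allow", FULL),
]

# Token groups of the two kinds of account in the question (constructed).
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}
NORTHEAST_USER = {"Authenticated Users", "Domain Users", "NorthEast"}


def option_a(acl):
    """Only the NorthEast group keeps Read + Apply Group Policy: drop the
    Authenticated Users entry and strip Apply Group Policy from every other one."""
    kept = [Ace(a.principal, a.kind, a.rights - {APPLY})
            for a in acl if a.principal != "Authenticated Users"]
    return kept + [Ace("NorthEast", "Allow", frozenset({READ, APPLY}))]


def option_c(acl):
    """Remove the Domain Admins entry altogether."""
    return [a for a in acl if a.principal != "Domain Admins"]


def option_f(acl):
    """Add a Deny entry for Apply Group Policy, and only that right, to Domain Admins."""
    return acl + [Ace("Domain Admins", "Deny", frozenset({APPLY}))]


if __name__ == "__main__":
    for label, acl in [("default", DEFAULT_ACL), ("A", option_a(DEFAULT_ACL)),
                       ("C", option_c(DEFAULT_ACL)), ("F", option_f(DEFAULT_ACL))]:
        print(f"{label:8} applies to admin: {gpo_applies(acl, ADMIN)!s:5} "
              f"applies to NorthEast user: {gpo_applies(acl, NORTHEAST_USER)!s:5} "
              f"admin can edit: {can_edit(acl, ADMIN)}")
```

Running it shows A and F keeping the GPO off the administrator while the NorthEast user still gets it, and C leaving the GPO applied to the administrator (through Authenticated Users) while taking away the Write permission needed to edit it. Swap the Deny in option_f to Read and can_edit turns False as well, which is the reason to deny only Apply Group Policy.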
130. Your company's network contains two domains: contoso.com and sales.contoso.com. Each domain has one Domain Controller and one member server. You are the enterprise administrator. You want each domain to contain two domain controllers.
Which two actions should you take?
A. Manually install a new server in sales.contoso.com by using Windows 2000 CD-ROM. During this process install the server as a domain controller
B. Manually install a new server in contoso.com by using Windows 2000 CD-ROM. During this process install the server as a domain controller
C. Install a new member server in sales.contoso.com by using a network installation point. Then promote the server to domain controller
D. Install a new member server in contoso.com by using a network installation point. Then promote the server to domain controller.
E. Install a new member server in sales.contoso.com by using RIS. Promote the server to a domain controller by using an unattended setup file to script the promotion process.
F. Install a new member server in contoso.com by using RIS. Promote the server to a domain controller by using an unattended setup file to script the promotion process.
Answer: C, D
(Updated 4/22/02)
A network installation point is simply a network share to which the contents of the Windows 2000 Server CD have been copied. After Setup completes you make the server a DC manually by running Dcpromo.exe.
E and F would also work, per the articles below, but you are only installing two servers; setting up RIS and scripting the promotion is more effort than it saves for so few machines.
Per Windows 2000 Help:
Remote Installation Services does not support installing Windows 2000 Server; it only supports the installation of Windows 2000 Professional. The following article covers the workaround:
Microsoft Article #Q308508
As these articles point out, you CAN add the proper sections and settings to the answer file to promote the computer to a DC automatically as part of an unattended installation of Windows 2000 Server.
Microsoft Article #Q223757 Unattended Promotion/Demotion of DC
Microsoft Article #Q224390 Automated Installation of Windows 2000 and a Domain Controller
In Microsoft Windows NT, you can automate the installation of a domain controller using unattended Setup, or while performing a normal, attended installation. In Windows 2000, domain controllers are created after setup, even if you are upgrading to Windows 2000. You can also use a script to run the domain controller promotion (Dcpromo.exe) process. It may be useful to combine Dcpromo.exe with unattended Setup to automate the installation of Windows 2000 and the creation of a domain controller. This article describes how to automate the installation of Windows 2000 and the creation of a domain controller.
131. You are the administrator of your company's network. Your company has three buildings. Because of budget constraints you can purchase only two domain controllers. You deploy one DC in Building 2 and one in Building 3. You create an AD subnet for each building. You want to minimize WAN utilization and ensure all clients have access to Windows 2000 Active Directory.
How should you arrange the AD sites and subnets?
A. Create one site to contain all 3 buildings. Assign the 3 subnets with the site
B. Create one site for each building. Associate the subnet for each building with its site
C. Create one site containing Building1 and Building2. Associate the subnet for Building1 and Building2 with the site.
Create one site for Building3. Associate the subnet for Building3 with the site.
D. Create one site containing Building2 and Building3. Associate the subnet for Building2 and Building3 with the site.
Create one site for Building1. Associate the subnet for Building1 with the site.
Answer: C
Building 1 has no domain controller, so it is placed in the same site as Building 2: clients in Building 1 are then served by a DC associated with their site. Building 3, which has its own DC, becomes a separate site, so the traffic between the two DCs is intersite replication, which is compressed and runs on a schedule you control. A single site (A) would make that traffic intrasite replication, which is uncompressed and triggered by change notification within minutes; D would leave Building 1 in a site with no DC at all.
Updated 6/21/02 because my test made no mention of slow links (removed that from question above)
Microsoft Article #Q316812 Create and Configure Sites in AD
This step-by-step article describes how to create and configure a site link in Active Directory. Note that for the site link to become active, there must be at least two sites available in Active Directory.
A Site Link object represents a set of sites that can communicate at uniform cost through an inter-site transport. For IP transport, a typical site link connects just two sites and corresponds to an actual wide area network (WAN) link. An IP site link that connects more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that connects more than two clusters of buildings on a large campus, or several offices in a large metropolitan area that are connected through leased lines and IP routers.
132. You are a consultant for several companies. You design the security policies for computers running Windows 2000 Server and Professional. You use these policies to configure a server named Server1. You want to deploy these settings to computers in your network.
How can you do it by using the least administrative effort?
A. Create a GPO that configures the security settings of all computers to match the settings on Server1. Then link the GPO to the domain.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template to a file.
C. In the System Information snap-in, save the system summary as a system information file
D. In the Security Template snap-in, export the console list to a file
Answer: A
This question was modified from the original post because none of the answers worked.
Microsoft Article #Q216735
Windows provides administrators with several different utilities that can be used for configuring computer security throughout an enterprise. This article discusses the following utilities and provides some usage guidelines
The Security Configuration and Analysis tool is used to analyze and configure security settings. Preconfigured template files (stored in Systemroot\security\templates) are used for analysis and to customize for specific security needs. These settings can be exported to an .inf file and applied to a Group Policy Object (using the Group Policy Editor, or you can apply them directly to a specific computer using the Security Configuration and Analysis snap-in).
In practice the steps are: on Server1, open Security Configuration and Analysis, right-click the node and choose Export Template to write the current database to an .inf file; then, in the GPO that is linked to the domain, right-click Computer Configuration\Windows Settings\Security Settings and choose Import Policy to load that .inf. For a single machine, secedit /configure /db <name>.sdb /cfg <template>.inf applies the same file without Group Policy. Keep in mind that a template imported into a domain-linked GPO is applied to every computer in the domain, servers and workstations alike, so review the settings against the Professional computers before linking.
133. You are a network admin. All client computers run Windows 2000 Professional. You install Windows 2000 Server on Server1 and also the DNS service. You promote it to a DC. When users attempt to log on, they receive an error message indicating that a DC can't be located. You discover that the client computers can't locate a DC during LDAP queries. You want to ensure that Server1 is available for users.
What should you do?
A. Create a SRV record for Server1 in DNS
B. Create a PTR (Pointer) record for Server1 in DNS
C. On each client, create a host file that contains the SRV record for Server1
D. On each client, create a host file that contains the PTR record for Server1
Answer: A
Microsoft Article #Q241515
After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV records in the following folders:
_msdcs/dc/_sites/default-first-site-name/_tcp
_msdcs/dc/_tcp
DNS service (SRV) resource records are necessary to help clients find Active Directory servers. The SRV resource record allows administrators to use several servers for a single domain, to move services from host to host easily and to designate some hosts as primary servers for a service and others as backups.
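The following Python code is an added illustration for question 133, not part of the original page or of any Microsoft tool. It lists the core SRV names Netlogon registers for a Windows 2000 DC (the _msdcs folders quoted above among them) and implements the client-side ordering of SRV answers by priority and weight from RFC 2782, so you can see why a record that is missing, or registered with the wrong priority, changes which DC clients contact. The domain, site and host names and the answer set are constructed sample data.

```python
"""Added illustration for question 133 (not from the original page). It lists
the core SRV records Netlogon registers for a Windows 2000 DC and implements
the client-side ordering of SRV answers by priority and weight (RFC 2782).
The domain, site and host names and the answer set are constructed."""

import random


def netlogon_srv_records(domain, site, host, is_pdc=False, is_gc=False, forest=None):
    """Return {srv_name: (priority, weight, port, target)} for the core records
    a DC registers. Netlogon's defaults are priority 0 and weight 100; the PDC
    emulator and a global catalog add records under pdc._msdcs and gc._msdcs,
    and the global-catalog names live under the forest root domain."""
    forest = forest or domain
    ports = {
        f"_ldap._tcp.{domain}": 389,
        f"_ldap._tcp.{site}._sites.{domain}": 389,
        f"_ldap._tcp.dc._msdcs.{domain}": 389,
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}": 389,
        f"_kerberos._tcp.{domain}": 88,
        f"_kerberos._udp.{domain}": 88,
        f"_kerberos._tcp.dc._msdcs.{domain}": 88,
        f"_kpasswd._tcp.{domain}": 464,
    }
    if is_pdc:
        ports[f"_ldap._tcp.pdc._msdcs.{domain}"] = 389
    if is_gc:
        ports[f"_gc._tcp.{forest}"] = 3268
        ports[f"_ldap._tcp.gc._msdcs.{forest}"] = 3268
    return {name: (0, 100, port, host) for name, port in ports.items()}


def order_srv(answers, rng=random):
    """Order SRV answers as a client should (RFC 2782): lowest priority first;
    within one priority, draw targets at random with probability proportional
    to weight, leaving weight-0 targets until nothing else is left.
    answers: list of (priority, weight, port, target)."""
    ordered = []
    for prio in sorted({a[0] for a in answers}):
        pool = [a for a in answers if a[0] == prio]
        while pool:
            total = sum(a[1] for a in pool)
            if total == 0:           # only weight-0 targets remain
                ordered.extend(pool)
                break
            pick = rng.randint(0, total - 1)
            running = 0
            for a in pool:
                running += a[1]
                if running > pick:   # first target whose cumulative weight passes the draw
                    ordered.append(a)
                    pool.remove(a)
                    break
    return ordered


# Constructed answer set for _ldap._tcp.dc._msdcs.contoso.com: two DCs in the
# preferred tier, one of them (dc2) at weight 0 so it is tried only when dc1 is
# gone, and a branch DC at a worse priority that is used last.
SAMPLE_ANSWERS = [
    (0, 100, 389, "dc1.contoso.com"),
    (0, 0, 389, "dc2.contoso.com"),
    (10, 100, 389, "dc3.branch.contoso.com"),
]


def preferred_targets(answers, rng=random):
    """Target names in the order a client should try them."""
    return [a[3] for a in order_srv(answers, rng)]


if __name__ == "__main__":
    records = netlogon_srv_records("contoso.com", "Default-First-Site-Name",
                                   "server1.contoso.com", is_pdc=True)
    for name, (prio, weight, port, target) in sorted(records.items()):
        print(f"{name} SRV {prio} {weight} {port} {target}")
    print(preferred_targets(SAMPLE_ANSWERS))
```

On the client, nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com shows whether the record in the question exists. Creating it by hand (answer A) works, but the usual fix is to let Server1's zone accept dynamic updates and restart the Netlogon service, which re-registers the whole set, the per-site and Kerberos records included, rather than the single record an administrator would type in.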
134. You are a domain administrator. Your domain contains the OU structure shown in the exhibit.
Due to security reason, you want:
Only the OU admins of Finance and Audit can administer Audit OU.
Only the OU admins of Corp and Servers can administer Servers OU.
You give the Corp OU admins the Full Control permission for Corp OU, and the Finance OU admins the Full Control permission for Finance OU.
What should you do next?
A. Grant the Servers OU admins the Full Control permission for Servers OU; Grant the Corp OU admins the Full Control permission for Servers OU
B. Grant the Servers OU admins the Full Control permission for Servers OU; Block Policy inheritance on Finance OU; Grant the Audit OU admins the Full Control permission for Audit OU
C. Grant the Audit OU admins the Full Control permission for Audit OU; Grant the Finance OU admins the Full Control permission for Audit OU
D. Something else
Answer: B
Permissions flow down to child OUs by default. Currently the Corp OU admins have Full Control of Corp and every OU beneath it, and the Finance OU admins have Full Control of Finance and Audit. You need to give the Servers OU admins Full Control of Servers and the Audit OU admins Full Control of Audit without letting the Corp or Servers admins into Finance or Audit.
Once you grant Full Control to the Servers OU admins on the Servers OU, it is inherited by every OU under it, Finance and Audit included. To stop that, open the Finance OU's security properties (Advanced) and clear "Allow inheritable permissions from parent to propagate to this object". That is the setting the option calls "Block Policy inheritance"; do not confuse it with the Block Policy Inheritance check box on the Group Policy tab, which affects GPO processing, not permissions. When you clear the check box Windows asks whether to Copy or Remove the inherited entries: Remove leaves only the explicit entries (the Finance admins' Full Control was granted directly on Finance, so it survives), while Copy turns the Corp and Servers admins' inherited Full Control into explicit entries that you would then have to delete by hand. After this, the Servers OU admins control only their own subtree and the Corp OU admins' Full Control stops at the Servers OU as well.
To give the Audit OU admins their permissions, grant them Full Control on the Audit OU directly. Both the Finance and the Audit OU admins then have Full Control of the Audit OU, which is what the question requires.
135. You are deploying Windows 2000 Professional via RIS. Your company has several departments. To expedite deployment of Windows 2000 and other third-party applications you created a group named Departmental Managers. You want to allow members of the Departmental Managers group to create custom images and post them to the RIS server. In addition you want to allow members of the group to install client computers from the RIS server.
What should you do?
A. Grant Departmental managers group Read & Write over the RemoteInstall folder.
B. Grant Departmental managers group Read & Write over the OSchooser folder.
C. Grant Departmental managers group Full Control over the RIPREP.exe.
D. Grant Departmental managers group Full Control over the SYSPREP.EXE.
E. Grant Departmental managers group Read & Write over the Admin folder.
Answer: A
During the installation of RIS a folder called RemoteInstall is created as the share point for the images. In order for the managers to be able to add images to the folder they will need the Read & Write permission to the share.
136. You have two domains, contoso.com and eur.contoso.com. You have 300 users in the eur.contoso.com domain that you want to add to the contoso.com domain.
How should you do that?
A. Use CSVDE to export the accounts from eur.contoso.com and then import them into contoso.com.
B. Use CSVDE to copy the accounts from eur.contoso.com to contoso.com
C. Use LDIFDE to export the accounts from eur.contoso.com and then import them into contoso.com.
D. Use LDIFDE to copy the accounts from eur.contoso.com to contoso.com
Answer: C
I made up part of this as it was not a complete question, but the underlying knowledge needed is there.
Microsoft Article #Q237677
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against the Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. This article is designed to help you better understand how the LDIFDE utility can be used to migrate directories.
CSVDE (Csvde.exe) is the CSV Directory Exchange tool, a close relative of Ldifde.exe that takes the same command-line parameters but reads and writes comma-separated value files instead of LDIF. It is more restricted, not less: CSVDE can only add new objects, so it cannot modify existing ones (see the note under question 139). For a plain export and re-import of 300 user accounts either tool works, but neither exports passwords; imported accounts need a password set and should stay disabled until then.
137. You have two domains, contoso.com and sales.contoso.com. You only have one DNS server for both zones. You notice that in the contoso.com zone, there is a bunch of stale DNS entries, but none in the other zone.
What two steps do you take to remove the stale entries from contoso.com without affecting the other zone?
Select the proper action to take on both the server object and on the contoso.com zone.
A. secure cache against pollution
B. Enable Automatic Scavenging of Stale Records
C. Disable recursion
D. Allow zone transfers
E. Scavenge stale resource records
F. Use Wins for lookup.
Answer: B, E
(updated 5/15/02)
Enable Automatic Scavenging of Stale Records is set on the server; it is a server-level option only. Scavenge stale resource records (aging) is set on the zone of choice; you can also right-click the DNS server and set aging on all of its zones at once, but that shortcut covers only the Active Directory-integrated zones. Standard primary zones still need aging turned on in their own properties. Two switches are therefore needed: the server-level scavenging switch, and aging on the contoso.com zone only, which leaves sales.contoso.com untouched. Records with a timestamp of zero (created statically by an administrator) are never scavenged.
Microsoft TechNet - Chapter 6 - Windows DNS
Microsoft Article #Q296116
If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature at the zone level, the Aging feature does not work. After you select the appropriate aging periods and you enable the Scavenging feature on the server, outdated records are scavenged.
This article discusses how to configure the Domain Name System (DNS) on a Windows 2000-based server to age records. When any records are orphaned, dynamic DNS on a Windows 2000-based server does not age these records by renaming them or by moving computers to different subnets out of their zones, unless the server is configured to perform this task.
Orphans can occur if a group of computers are installed from an image, and then renamed at a later time on another subnet. The reverse look up pointers may not be deleted if the computer is disconnected from the network immediately after the installation. This action can result in a number of pointer (PTR) records in DNS which do not properly reference a computer.
The automatic deletion of these records is possible by enabling the Aging and Scavenging feature on the DNS server. Additionally, you can initiate the Scavenging feature if you right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click YES when asked if you want to scavenge.
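The following Python model is an added illustration for question 137 and is not part of the original page. It reproduces the aging and scavenging rules the text above describes: a record is removed only when the server-level scavenging switch is on, aging is on in that record's zone, the record carries a timestamp, and that timestamp plus the no-refresh and refresh intervals lies in the past; an identical refresh inside the no-refresh window does not move the timestamp. Zones, records, times and the two default seven-day intervals are constructed for the example.

```python
"""Added illustration for question 137 (not from the original page): a model
of the Windows 2000 DNS aging and scavenging rules. Times are in hours; the
zones, records and update times are constructed sample data."""

from dataclasses import dataclass, field

DAY = 24


@dataclass
class Record:
    name: str
    data: str
    timestamp: int = 0      # hours since the epoch; 0 marks a static record


@dataclass
class Zone:
    name: str
    aging: bool = False         # "Scavenge stale resource records" on the zone
    no_refresh: int = 7 * DAY   # Windows defaults: 7 days each
    refresh: int = 7 * DAY
    records: list = field(default_factory=list)

    def dynamic_update(self, name, data, now):
        """Behave like the server on a dynamic update: an identical refresh
        inside the no-refresh window does not touch the timestamp (which keeps
        AD replication traffic down); a data change, or a refresh after
        no-refresh has elapsed, stamps the record with the current time."""
        for r in self.records:
            if r.name == name:
                if r.data == data and r.timestamp and now < r.timestamp + self.no_refresh:
                    return "suppressed"
                r.data, r.timestamp = data, now
                return "stamped"
        self.records.append(Record(name, data, now))
        return "added"

    def stale(self, record, now):
        """Static records (timestamp 0) are never stale."""
        return bool(record.timestamp) and now >= record.timestamp + self.no_refresh + self.refresh


@dataclass
class Server:
    scavenging: bool = False    # "Enable automatic scavenging of stale records"
    zones: list = field(default_factory=list)

    def scavenge(self, now):
        """Remove and return the stale records. The server switch gates the
        whole operation; each zone then needs its own aging flag."""
        removed = []
        if not self.scavenging:
            return removed
        for z in self.zones:
            if not z.aging:
                continue
            removed += [(z.name, r.name) for r in z.records if z.stale(r, now)]
            z.records = [r for r in z.records if not z.stale(r, now)]
        return removed


def demo():
    """The question's setup: one server, aging enabled on contoso.com only."""
    contoso = Zone("contoso.com", aging=True)
    sales = Zone("sales.contoso.com")          # aging left off: never touched
    srv = Server(zones=[contoso, sales])
    contoso.records.append(Record("dc1", "10.0.0.1"))           # static A record
    contoso.dynamic_update("ws1", "10.0.0.50", now=1 * DAY)     # registered once, then gone
    contoso.dynamic_update("ws2", "10.0.0.51", now=1 * DAY)     # keeps refreshing
    sales.dynamic_update("ws9", "10.1.0.9", now=1 * DAY)
    r1 = contoso.dynamic_update("ws2", "10.0.0.51", now=5 * DAY)   # inside no-refresh
    r2 = contoso.dynamic_update("ws2", "10.0.0.51", now=9 * DAY)   # past no-refresh
    now = 15 * DAY
    before = srv.scavenge(now)        # server switch still off: nothing happens
    srv.scavenging = True
    after = srv.scavenge(now)
    return (r1, r2, before, after,
            [r.name for r in contoso.records], [r.name for r in sales.records])


if __name__ == "__main__":
    print(demo())
```

The run removes only ws1 from contoso.com: dc1 has no timestamp, ws2 was re-stamped on day 9 and is still inside its refresh window, and ws9 sits in a zone without aging. The first scavenge call, with the server switch off, removes nothing even though the zone is configured, which is the point of the Q296116 note above.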
138. Your company's network consists of two domains that are operating in mixed mode, named contoso.com and sports.contoso.com. There is a Windows NT 4.0 server as well as a Windows 2000 server and a member server in the sports.contoso.com domain. You and another employee named Mary are members of the Domain Admins group. Mary creates a global security group called Sports. You create three global security groups called Squash, Tennis and Hockey, all in the sports.contoso.com domain. You want to add these groups to the Sports group.
What should you do?
A. Convert contoso.com to native mode only
B. Convert contoso.com to native mode then convert sports.contoso.com to native mode
C. Convert sports.contoso.com to native mode then convert contoso.com to native mode
D. Convert sports.contoso.com to native mode only
Answer: D
An enterprise (forest) can contain both native-mode and mixed-mode domains; the mode is set per domain and has no effect on the other domains.
Nesting global groups inside other global groups requires native mode. The question has all four groups in the sports.contoso.com domain and wants the three nested in the Sports group, so only that domain has to be switched to native mode (answer D); contoso.com can stay in mixed mode.
Native mode requires that the domain has no remaining Windows NT 4.0 BDCs (NT 4.0 member servers do not matter). The question does not say what role the NT 4.0 server holds; if it is a BDC it must be upgraded or removed before the switch. Remember that the change to native mode is one-way: you cannot go back to mixed mode afterwards.
Windows 2000 security groups:
Domain Local - can contain user accounts, global groups and universal groups from any domain in the forest, and in native mode also other domain local groups from the same domain. Domain local groups can be used only in their own domain and can be assigned permissions only for resources in that domain.
Global - can contain user accounts from the same domain and, in native mode only, other global groups from the same domain. Global groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest.
Universal - can contain user accounts, global groups and universal groups from any domain in the forest. Universal groups can be used in any domain in the forest and can be assigned permissions for resources located in any domain in the forest. Universal security groups exist only in native-mode domains, and their membership is validated at logon by Global Catalog servers.
139. You are the administrator of your company Windows 2000 network. There are 2 domains called Litware.com and us.litware.com. You need to add 300 users to an existing group in Litware.com from the us.litware.com domain. You want to accomplish this with the least amount of administrative effort.
How should you do that?
a) Use the CSVDE utility to modify the group object
b) Use the LDIFDE utility to modify the user object
c) Use the CSVDE utility to modify the user object
d) Use the LDIFDE utility to modify the group object
Answer: D
Since you are adding users from one domain to a group in another domain, you make the change on the group object in the domain you are importing them into: the 300 user DNs go into the group's member attribute in one LDIFDE modify operation. Per the very last sentence below, the CSVDE utility cannot be used to modify or delete objects that already exist; it can only add new objects. Note also that a global group cannot hold members from another domain, so the Litware.com group in question must be a domain local or universal group.
Microsoft TechNet: Step-by-Step Guide to Bulk Import and Export to Active Directory
Microsoft TechNet: scroll down to the extending-schema part and you will find the below.
You can import and export objects in a batch mode by using each of these administrative tools: LDIF Directory Exchange (LDIFDE), CSV Directory Exchange (CSVDE), and ADSI scripts. These tools enable you to administer large numbers of objects (such as users, contacts, groups, servers, and printers) in one operation. By using these tools, it is possible to export Active Directory data to other applications and services and to import information from other sources into Active Directory. These tools are installed automatically on all Windows 2000 servers.
LDAP Data Interchange Format
The LDAP Data Interchange Format (LDIF) (file) format has a command-line utility called "LDIFDE" that allows you to create, modify, and delete directory objects. It can be run on a Windows 2000–based server or copied to a Windows 2000–based workstation. For example, LDIFDE can be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
LDIF is an Internet standard for a file format to perform batch import and batch export operations for directories that conform to LDAP standards. An LDIF file consists of a series of records that are divided by line separators. A record describes either a single directory entry or a set of modifications to a single directory entry and consists of one or more lines in the file.
Comma-Separated Value File Format
The bulk import and export of data to and from Active Directory can be performed by using files that store data in the Microsoft comma-separated value (CSV) file format, also known as a .csv file. The CSV file format is supported by many other applications, such as Microsoft Excel, that can read and save data in the CSV file format. Also, Microsoft Exchange Server administration tools can import and export data by using the CSV format. The CSV format has a command-line utility called "CSVDE" that allows you only to add new objects. It can be run on a Windows 2000–based server or copied to a Windows 2000–based workstation.
The CSV format consists of a simple text file with one or more lines of data where each value is separated by a comma. The text file contains entries where the initial entry is a comma-separated list of attribute names. Each subsequent entry in the text file represents a single object in the directory. Attribute values are delimited by commas.
Using the CSVDE Tool
The CSVDE tool is executed from the command prompt. At the command prompt, type the command CSVDE. The parameters that are used for the CSVDE tool are the same as those that are used for the LDIFDE tool. However, unlike the LDIFDE tool, CSVDE creates files that can be read from applications other than LDAP servers. For example, if you want to view all Active Directory users in an Excel report, CSVDE is used to export the directory data into the .csv file format, which could then be read by Excel.
Note CSVDE cannot be used to modify or delete objects. It can be used only to add directory objects. A hyphen (-) is required before each parameter.
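The following Python code is an added illustration for questions 136 and 139 and is not part of the original page or of the Microsoft tools. It builds LDIFDE input: the changetype: add records that re-create users exported from a child domain under the parent domain (question 136), and the single changetype: modify record that appends all of them to an existing group (question 139), which is exactly the operation CSVDE cannot express. It also parses the result back so the files can be checked before ldifde -i runs. The domain names follow question 136; the OU path, the group name and the user entries are constructed.

```python
"""Added illustration for questions 136 and 139 (not from the original page):
building LDIFDE input with Python. Domain names follow question 136; the OU
path, group and users are constructed sample data."""

import base64

SAFE_INIT = set(range(0x20, 0x7F)) - {ord(" "), ord(":"), ord("<")}
SAFE_BODY = set(range(0x20, 0x7F))


def ldif_line(attr, value, width=76):
    """Render one attribute per RFC 2849: use the base64 form (attr:: ...) when
    the value is not printable ASCII, starts with space, ':' or '<', or ends
    with a space; then fold at `width` with one leading space per continuation."""
    raw = value.encode("utf-8")
    plain = (raw and raw[0] in SAFE_INIT and raw[-1] != 0x20
             and all(b in SAFE_BODY for b in raw))
    line = f"{attr}: {value}" if plain else f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    parts = [line[:width]] + [" " + line[i:i + width - 1]
                              for i in range(width, len(line), width - 1)]
    return "\n".join(parts)


def rewrite_dn(dn, old_suffix, new_suffix):
    """Move a DN from one naming context to another (eur.contoso.com -> contoso.com)."""
    if not dn.lower().endswith(old_suffix.lower()):
        raise ValueError(f"{dn} is not under {old_suffix}")
    return dn[:len(dn) - len(old_suffix)] + new_suffix


def add_user_record(dn, sam, display, upn):
    """LDIFDE creates the user without a password (unicodePwd is never exported),
    so userAccountControl 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE) keeps the account
    disabled until an administrator sets a password and enables it."""
    lines = [ldif_line("dn", dn), "changetype: add", "objectClass: user",
             ldif_line("sAMAccountName", sam), ldif_line("displayName", display),
             ldif_line("userPrincipalName", upn), "userAccountControl: 514"]
    return "\n".join(lines) + "\n"


def group_add_members_record(group_dn, member_dns):
    """One modify record appending every DN to the group's member attribute.
    The group must be domain local or universal when the members come from
    another domain; a global group cannot hold them."""
    lines = [ldif_line("dn", group_dn), "changetype: modify", "add: member"]
    lines += [ldif_line("member", m) for m in member_dns]
    lines.append("-")
    return "\n".join(lines) + "\n"


def parse_ldif(text):
    """Unfold and decode LDIF into a list of records, each a list of (attr,
    value) pairs, so generated files can be checked before `ldifde -i` runs."""
    records = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        rec = []
        for line in block.split("\n"):
            if line == "-":
                rec.append(("-", ""))
                continue
            attr, _, val = line.partition(":")
            if val.startswith(":"):
                rec.append((attr, base64.b64decode(val[1:].strip()).decode("utf-8")))
            else:
                rec.append((attr, val.strip()))
        records.append(rec)
    return records


def build_files(n=300):
    """Return the contents of users.ldf and group.ldf for n constructed users."""
    old, new = "dc=eur,dc=contoso,dc=com", "dc=contoso,dc=com"
    ou = "ou=Staff,ou=Engineering,ou=Paris Office"     # long enough to exercise folding
    users = [(f"cn=User {i:03d},{ou},{old}", f"user{i:03d}") for i in range(1, n + 1)]
    users_ldf = "".join(
        add_user_record(rewrite_dn(dn, old, new), sam, f"Usér {sam}", f"{sam}@contoso.com") + "\n"
        for dn, sam in users)
    group_ldf = group_add_members_record(
        "cn=EuroProject,ou=Groups,dc=contoso,dc=com", [dn for dn, _ in users])
    return users_ldf, group_ldf


if __name__ == "__main__":
    users_ldf, group_ldf = build_files()
    members = sum(1 for a, _ in parse_ldif(group_ldf)[0] if a == "member")
    print(f"{len(parse_ldif(users_ldf))} add records, {members} member values")
    print(group_ldf[:200])
```

Write the two strings to users.ldf and group.ldf and load them with ldifde -i -f users.ldf against a contoso.com DC, then ldifde -i -f group.ldf. The accented display name shows the base64 branch, and the member lines are longer than 76 characters, so the file also shows LDIF line folding; parse_ldif unfolds both.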
140. Your network has sites in Paris and Rome, which are connected by Link1. Replication frequency over Link1 is set at 180 minutes and scheduled to take place between 4:00AM to 7:00AM. You add a new site at Nice and connect it to Paris through Link2. Replication frequency over Link2 is set at 60 minutes and scheduled between 6:00AM to 8:00AM. Users in Paris and Nice complain that it takes 2 days to replicate between their sites.
What should you do to ensure that replication only takes 1 day?
A. Change replication frequency of Link1 to 60 minutes.
B. Change replication frequency of Link2 to 15 minutes.
C. Change replication schedule of Link1 to 5:00AM to 8:00AM.
D. Change replication schedule of Link1 to 6:00AM to 8:00AM.
E. Change replication schedule of Link2 to 7:00AM to 9:00AM.
Answer: A
Link1 replicates only once a day, at 4:00AM: its window (4:00AM to 7:00AM) is no longer than its interval (180 minutes), so the second attempt would fall at 7:00AM, outside the window. The Link2 replication at 6:00AM therefore carries changes that Link1 has already missed for that day; they wait until 4:00AM the next day, which is the second day the users are seeing. Dropping Link1's interval to 60 minutes (A) gives it attempts at 4:00, 5:00 and 6:00AM, so the changes that arrive over Link2 at 6:00AM go out over Link1 the same morning. Making Link2 faster (B) or later (E) does not help while Link1 still runs once a day.
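The following Python simulation is an added illustration for question 140, not part of the original page. It models what the explanation assumes: a site link replicates at the start of its scheduled window and then every interval minutes until the window closes (the closing hour itself is outside the window), and a change travels one hop per replication event. It then measures how long a change made in Nice at 09:00 takes to reach Rome under the original settings and under options A and B. Site names, windows and intervals are the question's; the change time and the tie-breaking rule are modelling assumptions.

```python
"""Added illustration for question 140 (not from the original page): a
minute-level simulation of intersite replication along a chain of site links.
Site names, windows and intervals come from the question; the change time
and the handling of same-minute events are modelling assumptions."""

DAY = 24 * 60


def replication_times(window_start, window_end, interval):
    """Minutes after midnight at which a link replicates: the window start,
    then every `interval` minutes while still inside the end-exclusive window."""
    times, t = [], window_start
    while t < window_end:
        times.append(t)
        t += interval
    return times


def propagate(path, links, change_time, max_days=7):
    """Minutes for a change made at `change_time` (minutes since day 0 00:00)
    at path[0] to reach path[-1], or None if it never does within max_days.
    `links` maps (src, dst) -> (window_start, window_end, interval). An event
    at time e carries every change present at the source at or before e; two
    events in the same minute are processed in hop order, the optimistic
    reading of what is really a race between two independent pulls."""
    hops = list(zip(path, path[1:]))
    schedules = [set(replication_times(*links[h])) for h in hops]
    arrival = [None] * len(path)
    arrival[0] = change_time
    minutes = sorted(set().union(*schedules))
    for day in range(max_days):
        for minute in minutes:
            now = day * DAY + minute
            for i, sched in enumerate(schedules):
                if (minute in sched and arrival[i + 1] is None
                        and arrival[i] is not None and arrival[i] <= now):
                    arrival[i + 1] = now
        if arrival[-1] is not None:
            return arrival[-1] - change_time
    return None


def hm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


PATH = ["Nice", "Paris", "Rome"]
# Link2: Nice-Paris, 06:00-08:00 every 60 min; Link1: Paris-Rome, 04:00-07:00 every 180 min.
BASELINE = {("Nice", "Paris"): (6 * 60, 8 * 60, 60),
            ("Paris", "Rome"): (4 * 60, 7 * 60, 180)}
OPTION_A = {**BASELINE, ("Paris", "Rome"): (4 * 60, 7 * 60, 60)}   # Link1 every 60 min
OPTION_B = {**BASELINE, ("Nice", "Paris"): (6 * 60, 8 * 60, 15)}   # Link2 every 15 min
CHANGE_AT = 9 * 60     # a change made in Nice at 09:00, after both windows have closed


def latency_hours(links):
    """End-to-end Nice -> Rome latency in hours for a set of link settings."""
    return propagate(PATH, links, CHANGE_AT) / 60


if __name__ == "__main__":
    for label, links in [("baseline", BASELINE), ("A", OPTION_A), ("B", OPTION_B)]:
        fires = [hm(t) for t in replication_times(*links[("Paris", "Rome")])]
        print(f"{label:9} Link1 fires at {fires}; Nice -> Rome takes {latency_hours(links):.0f} h")
```

The baseline takes 43 hours (Rome gets the change at 04:00 on day 2), option A takes 21 hours, and speeding up Link2 alone (B) changes nothing, which matches the reasoning above. Note the 06:00 tie in option A: the 06:00 Link1 pull only helps if Paris has already finished pulling from Nice, which the model assumes. When you set this up for real, leave Link1's window open an hour past the end of Link2's so the downstream pull is not racing the upstream one.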
141. You are the administrator of a Windows 2000 domain. You wish to deploy a new application named app1 that will be used by all users in the domain. The vendor of the application did not provide a Microsoft Windows installer package for the application. You want to use group policy to deploy the application.
You want to accomplish the following goals:
Users will be able to install the application by using add/remove programs.
Users will be able to install the application by using a start menu shortcut.
Users will be able to install the application by using document invocation.
The application will be automatically reinstalled if key application files are missing.
You take the following actions:
Create a zero administration package (.zap text file) that specifies how to install the app1 application.
Copy the .zap file to a shared folder on the network.
Create a new Group Policy Object named Install app1 and assign the Install app1 Group Policy Object to the domain.
Configure the Install app1 Group Policy Object to publish the app1 application to users by using the .zap file.
Which result or results do these actions produce? (Choose all that apply)
A. Users are able to install the application by using add/remove programs.
B. Users are able to install the application by using a start menu shortcut.
C. Users are able to install the application by using document invocation.
D. The application is automatically reinstalled if key application files are missing.
Answer: A, C
Microsoft Article #Q231747 Microsoft Installer - Non-MSI files.
This step-by-step article describes how to publish programs that are not installed with Microsoft Installer (MSI). Non-MSI programs can be published only to users, and are installed using their existing Setup programs. Because non-MSI programs use their existing Setup programs, these programs cannot:
Take advantage of elevated privileges for installation.
Be installed on the first use of the software.
Install a feature on the first use of the feature.
Roll back an unsuccessful operation (install, modify, repair, or removal), or take advantage of other features of MSI.
Detect a broken state and automatically repair it.
Microsoft TechNet Step-by-Step Guide to Software Installation and Maintenance
Published files can be installed from the Add/Remove Programs or by invoking a file type associated with the published application.
142. You are the administrator of your company's Windows 2000 network. The company has two offices that are connected by a WAN link. Each office is configured as an Active Directory site. Both company offices share an Active Directory application. During business hours, the application generates large amounts of changes in Active Directory. You need to reduce the amount of WAN bandwidth used by these changes during business hours.
What should you do?
A. Configure the intrasite replication topology generation to occur less frequently during business hours.
B. Enable slow link detection in the Default Domain Group Policy Object.
C. Enable slow link detection in the Default Domain Controllers Group Policy Object.
D. Configure intersite replication to occur less frequently during business hours.
Answer: D
The offices are configured as separate sites so you can reduce the frequency that the sites replicate during business hours by modifying their intersite replication schedule.
If they were in the same site there would be no schedule to change: intrasite replication is triggered by change notification within minutes and is not compressed, which is exactly why two offices on a WAN link are configured as separate sites. Microsoft Article #Q228866
Two of the factors used to determine when inter-site replication is initiated over a connection include: the replication interval and the replication schedule. This article describes how these two values are used to determine when Windows 2000 initiates inter-site replication.
The replication schedule, defined by site link and connection objects, is used to define the time(s) that replication is allowed to occur. The replication interval is used to define how often replication should occur during a "window of opportunity" based on the schedule.
In environments in which multiple site links must be traversed for replication to occur between two points, the resulting replication schedule is actually an "intersection," or common available time between all site links involved in the communication between the two domain controllers.
Set a less frequent schedule (a longer interval, or a window that excludes business hours) so that the bulk of the traffic moves when the link is idle; intersite replication is also compressed, which already makes it cheaper than intrasite traffic. Global Catalog placement is a separate matter: in a native-mode domain a client must reach a GC at logon to evaluate universal group membership, so a local GC avoids lookups over the WAN, but it does nothing to reduce the volume of change replication the question asks about.
143. You are the administrator of your company's Windows 2000 network. The network contains 100 computers running Windows 95 and 250 computers running Windows 2000 Professional. You need to upgrade all Windows 95 computers to Windows 2000 Professional in the next six months. You configure the DNS servers in the network to allow secure dynamic updates. You use DHCP to configure network settings for all client computers. You configure the DHCP servers to update the A (host) records for the Windows 95 computers in DNS. After the upgrade is complete, you need to ensure that client computers can update their own A (host) records in DNS.
What should you do?
A. Install the Active Directory client on the Windows 95 computers before the upgrade.
B. Reconfigure the TCP/IP settings on the Windows 95 computers so that the DNS settings must be set manually and so that the IP addresses are set by DHCP.
C. Add all the users of the Windows 95 computers to the DNSUpdateProxy group in Active Directory.
D. Add all DHCP servers to the DNSUpdateProxy group in Active Directory.
Answer: D
Microsoft TechNet Windows 2000 DNS DnsUpdateProxy Group
As described in the "Mixed Environment" section of this paper a DHCP server may be configured so that it would dynamically register A and PTR records for downlevel clients. In this situation a default configuration of the secure update may cause stale records. The following example explains. If a DHCP server performs a secure dynamic update on a name, the DHCP server becomes the owner of that name, and only that DHCP server can update the name. This can cause problems in a few circumstances. For example, suppose the DHCP server DHCP1 created an object for the name myname.mycompany.com. and then went down, and the backup DHCP server, DHCP2, tried to update the name. It would not be able to update the name because it did not own it. In a similar example, suppose DHCP1 added an object for the name myname.mycompany.com., and then the administrator upgraded the myname.mycompany.com. host to Windows 2000. Since the myname.mycompany.com. host did not own the name, it would not be able to update its own name.
The solution to this problem is provided by introduction of a new group called "DNS Update Proxy." Any object created by the members of this group has no security and the first user (that is not a member of the DnsUpdateProxy group) to touch a name becomes its owner. Thus, if every DHCP server registering A records for downlevel clients is a member of the DNS Update Proxy, the problem is eliminated. The DNS Update Proxy group is configurable through the Active Directory manager. At the same time, this solution introduces security holes since any DNS names registered by the computer running the DHCP server are non-secure. An A resource record for the computer is an example of such a record. The security holes may become more significant if a DHCP server (that is, a member of the DnsUpdateProxy group) is installed on a DC. In this case all SRV, A and CNAME records registered by netlogon for that DC are non-secure. To minimize the problem it is not recommended to install a DHCP server on a DC. Another strong argument against running DHCP server on a Domain Controller is, that such DHCP server has full control over all DNS objects stored in the Active Directory, since the DHCP server is running under the computer (in this case, Domain Controller) account.
144. You are the network administrator for Amba Sox. The network's domain structure is shown in the exhibit.
The development team is working on a project that involves Amba Sox and Coroso, Ltd., a European subsidiary of Amba Sox. The development team is located in North America. All the user accounts for the team are in the na.ambasox.com domain. Most of the resources the development team accesses are in na.ambasox.com. Members of the HR team report that it is taking longer than normal to access resources in eur.coroso.com. Network utilization is at 5 percent. You want to improve network performance.
What should you do?
A. Move the HR team user accounts from na.ambasox.com to eur.coroso.com.
B. Create a shortcut trust between na.ambasox.com and eur.coroso.com.
C. Install a Domain Controller for eur.coroso.com in the same site as na.ambasox.com.
D. Create a new domain under eur.coroso.com named hr.eur.coroso.com.
Answer: B
Shortcut trust - A two-way trust relationship that is explicitly created between two Windows 2000 domains in the same forest. The purpose of a shortcut trust is to optimize the inter-domain authentication process by shortening the trust path. All shortcut trusts are transitive and must be created manually in each direction. See also domain tree; forest; transitive trust relationship. Microsoft TechNet Chapter 1 - Active Directory Logical Structure
145. You are the network administrator for Coroso Ltd. Mike is moving from the IT department to the HR department and will be the technical HR manager for the Atlanta site. The current OU structure is shown in the exhibit.
You move Mike's user account from the IT OU to the Technical HR OU. You want Mike to be able to create user accounts in:
ou=hr, ou=atlanta, dc=coroso, dc=com
What should you do?
A. Move Mike's user account to the HR OU.
B. Add Mike's user account to the Account Operators group.
C. Grant Mike's user account Create User Objects Permission for the HR OU.
D. Grant Mike's user account Write permission for the HR OU.
Answer: C
Create User Objects and Delete User Objects are the permissions needed to add and remove users. This needs to be assigned to the OU that you want Mike to perform these actions on. Since you only want him to be able to create user accounts you would simply grant him the Create User Objects permission to the HR OU.
The OU structure really does not matter, as assigning him this right on any OU anywhere will give him the ability to create users in that OU and in any child OUs that the permissions filter down to.
146. You are the enterprise administrator of a network. The network has four domains in the domain tree. You add a domain to the domain tree. One of the Domain Controllers in the root domain becomes unavailable because of a hardware failure. After the hardware failure you are unable to add an additional domain to the domain tree.
How should you correct this problem?
A. On one of the other Domain Controllers seize the domain naming master role.
B. Promote a Windows 2000 server computer to be able to be a replica controller in the root domain.
C. On one of the other Domain Controllers seize the infrastructure master role.
D. In the Active Directory sites and services console a Domain Controller from the root domain and force replication.
Answer: A
Microsoft Article #Q254933
The domain naming master FSMO role holder is the only computer that can add or remove a domain in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote replica domain controllers in an existing domain.
Investigate Domain Name System (DNS) name resolution, network connectivity, and consistency in Active Directory for the current domain naming master FSMO role holder when "naming master" or "FSMO" error messages occur during Dcpromo operations.
147. You are the administrator of a secured Windows 2000 network. The company has several Windows 2000 member servers located in a high-security area of the office building. You create a security policy for these servers by using the Security Configuration and Analysis snap-in. You must ensure that the appropriate security settings are applied every four hours.
What should you do?
A. Schedule the secedit/refreshpolicy command to run every four hours.
B. Schedule the secedit/validate command to run every four hours.
C. Change the Active Directory replication transport to SMTP and schedule replication to run every four hours.
D. Change the Active Directory replication transport to IP and schedule replication to run every four hours.
Answer: A
Per W2k Server Help: Secedit.exe is a command-line tool that, when called from a batch file or automatic task scheduler, can be used to automatically create and apply templates and analyze system security. Secedit.exe can also be run dynamically from a command line.
Secedit /analyze /DB filename /CFG filename /quiet
/analyze - checks the system security against the file indicated with the /DB switch.
/DB filename - provides the path to the database that contains the stored configuration that the system will be compared to. If the filename is a new database, the /CFG filename argument must be used.
/CFG filename - used only with /DB; it provides the path to the security template that will be imported into the database for analysis.
/quiet - disables the screen and log output.
Secedit /configure /DB filename /quiet
/configure - configures the system security by applying a stored template.
/DB filename - provides the path to the database that contains the security template that is going to be applied.
/quiet - disables the screen and log output.
148. You are the administrator of your company's Windows 2000 network. The network consists of three domains, and each domain contains computer accounts. The network is configured as shown in the exhibit.
Members of the Domain Admins group and the Help Desk group need to add client computers to each domain. You need to give these employees exclusive permissions to accomplish this task.
Which two actions should you take?
A. In the Add workstations to domain policy for Hardware.com, replace the Authenticated Users group with the Help Desk group.
B. In the Add workstations to domain policy for each domain, replace the Authenticated Users group with the Help Desk group.
C. For each domain, remove permissions for the Authenticated Users group from the Computers container, and grant the Help Desk group the Full Control permission for the Computers container.
D. For Hardware.com, remove permissions for the Authenticated Users group from the Computers container, and grant the Help Desk group the Full Control permission for the Computers container.
E. In the Bypass traverse checking policy for Hardware.com, replace the Authenticated Users group with the Help Desk group.
F. In the Bypass traverse checking policy for each domain, replace the Authenticated Users group with Help Desk group.
Answer: B, C
B - You want to limit the people that can use the policy, to do so remove the Authenticated Users group and add the group or people that you want to have access to the policy.
C - Further restricts users from adding computers to the Computers container to only the Help Desk Group. Microsoft Article #Q315675
This step-by-step article describes how to keep domain group policies from also applying to administrator accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior and security settings for users and computers in a Windows 2000 network, and group policies can be applied to either users and/or computers, at the site, domain, or organizational unit level.
In most circumstances, if you want a group policy to apply only to specific accounts (either user accounts, machine accounts, or both), you can accomplish this by placing the accounts in an organizational unit, and then applying a group policy at that organizational unit level. However, there may be situations in which you want to apply a group policy to an entire domain, but you may not want those policy settings to also apply to administrator accounts or other specific users or groups. The following procedure can keep a group policy from applying to administrative accounts (or any other group or user account you specify) by editing the ACL (Access Control List) for the policy.
149. You are a member of the Enterprise Admins group in your company's Windows 2000 network. The network consists of one domain and two Active Directory sites: London and Rome. London and Rome are connected by 56KB WAN link. Your company opens a new office in New York. You configure a 56KB WAN link to connect New York with London. The network is now configured as shown in the exhibit.
You want to install a Domain Controller in the New York subnet. You need to minimize the directory replication traffic that is generated by the Domain Controller installation.
What should you do before you install the Domain Controller?
A. Create an Active Directory subnet and site for New York.
B. Create an Active Directory subnet for New York and associate it with the London site.
C. Enable slow link detection in the Default Domain Group Policy Object.
D. Enable slow link detection in the default Domain Controllers Group Policy Object.
Answer: A
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
Microsoft Article #Q214677 Automatic Detection of Site Membership for Domain Controllers
During the promotion of a server to domain controller, DCPromo (the wizard used for the promotion process) determines the site the domain controller will become a member of. If the domain controller being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site until appropriate subnets and sites are configured.
An administrator can (and should) create sites in order to effectively use the bandwidth of Local Area Network (LAN) and Wide Area Network (WAN) connections. After the administrator has created sites and associated subnets with those sites, subsequent domain controller promotions are placed into the appropriate sites automatically. During server promotion,
DCPromo queries the domain controller that is acting as the source server for site data. If the IP address of the server being promoted falls within the range for a given subnet defined in the Active Directory, DCPromo configures the membership of the domain controller in the site associated with that subnet.
If no subnet objects are defined or the IP address of the server does not fall within the range of the subnet objects present in the Active Directory, the server is placed in the "Default-First-Site-Name" site.
150. Your company's network consists of two domains coroso.com and eur.coroso.com. You are a member of the Domain Admins group in eur.coroso.com. The network contains three Active Directory sites: Site 1, Site 2, and Site 3. Each site is connected to the other sites by means of a WAN link. Site 1 contains three Domain Controllers. Site 2 contains one Domain Controller. Site 3 contains two Domain Controllers. The Domain Controller in Site 2 fails. Users in all three sites report that they cannot log on to the network. You need to allow users to log on to the network.
What should you do?
A. Seize the infrastructure master role from the failed Domain Controller.
B. Seize the RID master role from the failed Domain Controller.
C. Move a Domain Controller from site C to site 2.
D. Create another Domain Controller in site 2.
E. Create a Global Catalog server in site 1.
Answer: E
Microsoft Article #Q196464 Global Catalog Servers
Microsoft Article #Q313994 Creating and Moving Global Catalog Servers
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
Microsoft Article #Q223346 FSMO Placement and Optimization
The Global Catalog contains a partial replica of every Windows 2000 domain in the directory and is built automatically by the Active Directory replication system. This lets users and applications find objects in an Active Directory domain tree given one or more attributes of the target object. The catalog also contains the schema and configuration of directory partitions. This means the global catalog holds a replica of every object in the Active Directory, but with only a small number of their attributes. Attributes in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon names, and so on), and those required to locate a full replica of the object.
Using this common information, users can find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise. If the object cannot be found in the Global Catalog, then the search utility can query your local domain partition for information.
You can use the Schema Manager tool to change the schema and define which attributes are stored in the Global Catalog. Since the Global Catalog is replicated on changes made to all Global Catalog servers, it is a good practice to limit the amount of attributes stored in the local partition for both performance and maintenance purposes.
151. You are the administrator of your company's Windows 2000 network. The network contains 200 computers running Windows 2000 Professional. Each computer uses DHCP to acquire its network settings. You discover that outdated DNS records are accumulating in the DNS zone. You need to ensure that these records are removed from DNS on a regular basis.
What should you do?
A. Configure DHCP to enable updates for DNS client computers that do not support dynamic update.
B. Reconfigure the DNS zone to allow only secure dynamic updates.
C. Configure record scavenging to poll the DNS zone.
D. Add all client computers to the DNSUpdateProxy group.
Answer: C
Microsoft Article #Q296116
If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature at the zone level, the Aging feature does not work. After you select the appropriate aging periods and you enable the Scavenging feature on the server, outdated records are scavenged.
This article discusses how to configure the Domain Name System (DNS) on a Windows 2000-based server to age records. Dynamic DNS on a Windows 2000-based server does not age records that are orphaned by renaming computers or by moving computers to different subnets out of their zones, unless the server is configured to perform this task.
Orphans can occur if a group of computers is installed from an image and then renamed at a later time on another subnet. The reverse lookup pointers may not be deleted if the computer is disconnected from the network immediately after the installation. This can result in a number of pointer (PTR) records in DNS which do not properly reference a computer.
The automatic deletion of these records is possible by enabling the Aging and Scavenging feature on the DNS server. Additionally, you can initiate the Scavenging feature if you right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click YES when asked if you want to scavenge.
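As an added example (not from the braindump or the Microsoft article), the following Python models how Windows DNS aging decides which dynamic records are stale: each record carries the timestamp of its last accepted refresh, a refresh arriving inside the no-refresh interval is ignored, and a record becomes eligible for scavenging once the no-refresh plus refresh intervals have elapsed. The 7-day intervals, zone names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed aging parameters (assumption: 7-day no-refresh and refresh
# intervals, matching the Windows 2000 DNS defaults) and a fixed "now".
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
NOW = datetime(2002, 5, 16, 12, 0)


def days_ago(n: int) -> datetime:
    """Helper for building timestamps relative to the constructed NOW."""
    return NOW - timedelta(days=n)


@dataclass
class DnsRecord:
    name: str
    rtype: str          # "A" or "PTR"
    data: str
    # Timestamp of the last accepted dynamic refresh; None marks a static
    # record, which aging never touches.
    timestamp: Optional[datetime]


def refresh_record(rec: DnsRecord, now: datetime) -> bool:
    """Apply a client's dynamic-update refresh to an existing record.

    Inside the no-refresh interval the server keeps the old timestamp (this
    is what avoids a zone write on every DHCP lease renewal); after it, the
    timestamp advances. Returns True only if the timestamp changed.
    """
    if rec.timestamp is None:
        return False                        # static record, nothing to age
    if now < rec.timestamp + NO_REFRESH:
        return False                        # refresh suppressed
    rec.timestamp = now
    return True


def is_stale(rec: DnsRecord, now: datetime) -> bool:
    """A dynamic record is eligible for scavenging once both intervals
    have elapsed since its last accepted refresh."""
    return rec.timestamp is not None and now >= rec.timestamp + NO_REFRESH + REFRESH


def scavenge(records: List[DnsRecord], now: datetime) -> Tuple[List[DnsRecord], List[DnsRecord]]:
    """Split the zone into records kept and records removed."""
    kept = [r for r in records if not is_stale(r, now)]
    removed = [r for r in records if is_stale(r, now)]
    return kept, removed


def build_sample_zone() -> List[DnsRecord]:
    """Constructed zone: one healthy client (A + PTR), one orphaned PTR left
    behind by an imaged computer that was renamed 20 days ago, and one static
    server record that must never be scavenged."""
    return [
        DnsRecord("ws01.coroso.com", "A", "10.0.1.21", days_ago(3)),
        DnsRecord("21.1.0.10.in-addr.arpa", "PTR", "ws01.coroso.com", days_ago(3)),
        DnsRecord("35.1.0.10.in-addr.arpa", "PTR", "image-base.coroso.com", days_ago(20)),
        DnsRecord("dc1.coroso.com", "A", "10.0.1.5", None),
    ]


def demo() -> Tuple[List[str], List[str]]:
    """Run one refresh and one scavenging pass; returns (kept, removed) names."""
    zone = build_sample_zone()
    # ws01 renews its lease today: still inside the 7-day no-refresh window,
    # so its timestamp is left alone (refresh_record returns False).
    refresh_record(zone[0], NOW)
    # The orphaned PTR never receives a refresh; after 20 days it has passed
    # no-refresh + refresh (14 days) and is removed by scavenging.
    kept, removed = scavenge(zone, NOW)
    return [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    kept_names, removed_names = demo()
    print("kept:", kept_names)
    print("removed:", removed_names)
```

Note that on a real server the zone-level aging settings only take effect once scavenging is also enabled at the server level, as the article above states.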
152. You are the administrator of your company's Windows 2000 network. The network consists of four domains and five Active Directory sites. The network is configured as shown in an exhibit.
Each domain contains 300 Windows 2000 Professional computers. Five users in each domain are authorized to access data on the Human Resources member servers in Orlando. These member servers are located in an 0rganizational unit named FinanceServers. You want to protect the information on the Finance servers from being read by a network trace. You also want to avoid extra processing loads on computers that do not communicate with the Finance servers.
Which two courses of action should you take?
A. In each domain, create an OU for the client computers that require secured access to the servers, and then add the computer accounts to the OU. In Group Policy, set the IP security policy to Secure server (Require Security).
B. In each domain, create an OU for the client computers that require secured access to the servers, and then add the computer accounts to the OU. In the Group Policy, set the IP security policy to Client (Respond only).
C. In each domain, create an OU for the users who require secured access to the servers, and then add the user accounts to the OU. In the Local Group Policy, set the IP security policy to Secure Server (Require Security).
D. For the FinanceServers OU, create a Group Policy Object (GPO) that sets IP security to Client (Respond Only).
E. For the FinanceServers OU, create a Group Policy to set IP security to Secure Server (Require Security).
Answer: B, E
Microsoft Article #Q231585
By default, Windows 2000 includes three predefined policies: Client, Secure Server, and Server. The first task is to decide if any of the default policies will apply or if it will be necessary to create a custom policy to meet your needs. None of the preconfigured policies are active by default.
The policies are as follows:
Client (Respond Only) - allows the client to respond to other computers requesting security according to the settings in the default response rule. With this policy active, the client will never request security, but will negotiate IPSec based on the connecting host. This would allow you to configure client computers to respond to requests for secure communications, but without initiating the request.
Secure Server (Require Security) - allows the server to require IPSec negotiation prior to allowing a connection. This policy will allow unsecured incoming communications, but outgoing traffic will always be secured. This policy could be implemented in scenarios where data must always be secured.
Server (Request Security) - allows the server to request IPSec negotiation, but will allow unsecured communications if the other computer is not IPSec aware. You could use this policy to implement security between IPSec-enabled computers without sacrificing interoperability with non-IPSec-enabled computers.
153. Your company's network consists of a single Windows 2000 domain named coroso.com. You are a member of the Domain Admins group. Your company is acquiring Falerika, Inc. The Falerika, Inc., company network consists of a single Windows 2000 domain named falerika.com You want to give the Falerika Inc. employees user accounts in coroso.com.
What should you do?
A. Use the Ntbackup utility to back up the falerika.com accounts and then to restore the falerika.com accounts to coroso.com.
B. Use the MoveTree utility to move accounts from falerika.com to coroso.com.
C. Use a script to recreate the falerika.com accounts in the coroso.com domain.
D. Create an external trust between falerika.com and coroso.com.
Answer: C
Microsoft TechNet. Scroll down to the extending schema part and you will find the following.
You can import and export objects in a batch mode by using each of these administrative tools: LDIF Directory Exchange (LDIFDE), CSV Directory Exchange (CSVDE), and ADSI scripts. These tools enable you to administer large numbers of objects (such as users, contacts, groups, servers, and printers) in one operation. By using these tools, it is possible to export Active Directory data to other applications and services and to import information from other sources into Active Directory. These tools are installed automatically on all Windows 2000 servers.
154. You are the administrator of your company's Windows 2000 network. Their network consists of four domains and five Active Directory sites. The network is configured as shown in an exhibit.
Each domain contains 500 Windows 2000 Professional computers. Each domain contains Human Resources administrators who must perform file maintenance on HR member servers located in Orlando. In each domain, you create a global security group for all the HR administrators in that domain. In sales.coroso.com you create a domain local security group named HRadmins. Then, you add the global security groups from each domain to HRadmins. You want to ensure that only the designated global groups from each domain are members of the HRadmins group.
What should you do?
A. Create a Group Policy Object for sales.coroso.com that restricts group access to the HRadmins group.
B. Create an OU name HR servers that contains only the HR member servers, and then create a Group Policy Object that restricts group access to the HRadmins group.
C. In each domain except sales.coroso.com, create a Group Policy Object that restricts group access to the HRadmins group.
D. In each domain, create a Group Policy Object that restricts group access to the global security group in that domain.
Answer: A
Microsoft Article #Q320045 How to: Restrict Group Membership By Using Group Policy in Windows 2000
This step-by-step article describes how to restrict group membership by using group policy.
In some cases, you may want to restrict the membership of certain groups in a Windows 2000 domain to prevent the addition of other user accounts to those groups.
155. You are the administrator of your company's network. The network consists of two Windows 2000 domains. There are 10 Windows 2000 Server computers and 1000 Windows 2000 Professional client computers on the network. Two of the servers in each domain function as Domain Controllers. Both domains are in native mode. When the initial Domain Controller is taken offline for maintenance, users receive an error message stating that the Domain Controller cannot be located. Users are not able to log on to the network, although the other Domain Controllers are still operating.
What should you do to correct this problem?
A. Create a primary DNS zone.
B. Create a secondary DNS zone.
C. Configure at least one other Domain Controller as the Global Catalog server.
D. Configure at least one other Domain Controller as a PDC emulator.
E. Configure at least one other Domain Controller as a WINS server.
Answer: C
Microsoft Article #Q196464 Global Catalog Servers
Microsoft Article #Q313994 Creating and Moving Global Catalog Servers
Microsoft Article #Q223346 FSMO Placement and Optimization
The Global Catalog explanation is the same as the one given for question 150 above.
156. You are a member of the Enterprise Admins group in your company's Windows 2000 network. The network contains two Active Directory sites: Rome and Paris. Each site has its own domain that operates in native mode. The network is configured as shown in the exhibit.
Occasionally, the WAN link between Rome and Paris stops functioning, and users in Paris report that they cannot log on to the network. However, users in Rome report no problems. You want to ensure that problems with WAN connectivity do not prevent users from logging on to the network.
What should you do?
A. Configure the network as a single Active Directory site, and then associate all subnets with that site.
B. Configure DC2 as a Global Catalog server.
C. Configure DC2 as a PDC emulator.
D. Create a new Group Policy Object in the Paris site to enable slow link detection on client computers.
Answer: B
Microsoft Article #Q196464 Global Catalog Servers
Microsoft Article #Q313994 Creating and Moving Global Catalog Servers
Microsoft Article #Q223346 FSMO Placement and Optimization
The Global Catalog explanation is the same as the one given for question 150 above.
157. You are a member of the Enterprise Admins group in your company's Windows 2000 network. The network consists of a single domain. The organizational unit (OU) structure of the domain is configured as shown in an exhibit.
To improve security, only members of the Sales Admins and Mngr Admins groups should have permission to log on to servers in the Mngr OU. Similarly, only members of the TC Admins and Sales Admins groups should have permission to log on to servers in the Sales OU. Only members of the TC Admins group should be able to log on to servers in the Servers OU. Some members of the TC Admins group are also members of the Mngr Admins and Sales Admins groups.
You create a new Group Policy Object for the Servers OU, and assign the TC Admins group the Log on locally user right in the GPO. You create a new GPO for the Sales OU named SalesServers. You create a new GPO for the Mngr OU named MngrServers. You need to complete the implementation of the security policy.
What should you do?
A. In the SalesServers GPO, assign Sales Admins the Log on locally user right. In the MngrServers GPO, assign Mngr Admins the Log on locally user right.
B. In the SalesServers GPO, assign Sales Admins the Log on locally user right. In the MngrServers GPO, assign Mngr Admins the Log on locally user right and assign TC Admins the Deny logon locally user right.
C. In the SalesServers GPO, assign TC Admins and Sales Admins the Log on locally user right. In the MngrServers GPO, assign Sales Admins and Mngr Admins the Log on locally user right.
D. In the SalesServers GPO, assign TC Admins and Mngr Admins the Log on locally user right and assign TC Admins the Deny logon locally user right.
Answer: C
A does not assign TC Admins the needed right to log on locally, so only some of its members will be able to do so, namely those who are also members of the Sales Admins and Mngr Admins groups.
C is the proper way to perform this task.
B and D cannot be used because they are denying access to TC Admins, which we do not want.
158. You are a member of the Enterprise Admins group in your company's network. The company office in London has its own OU named London. You hire Sallie as a LAN administrator for the London office. Sallie needs to create user accounts in the London OU. You do not want Sallie to have permissions to make any other changes to Active Directory. In the Active Directory Users and Computers snap-in, you need to assign appropriate permissions entries for the London OU. You need to decide where these permissions should be applied.
Which option should you choose?
A. The Child objects only option.
B. The This object and all child objects option.
C. The User objects option.
D. The Organizational Unit objects option.
Answer: B
Sallie needs to have rights to administer the OUs in London so that she can create user accounts. This should apply to the London OU and all child OUs.
159. You are the administrator of your company's Windows 2000 network. In the HR folder of a file server, you configure auditing to track all file activity. One week later, you are asked to discover if any files in the HR folder have been accessed by a user account named MHinge.
You verify that the audit log contains data for all HR transactions during the past week. This data includes thousands of transaction events about files accessed by everyone in the company. You want to review only transaction event data for the MHinge user account.
What should you do?
A. View the Audit tab of the properties page for the MHinge user account.
B. Reconfigure auditing of the files in the HR folder for only the MHinge user account, and then refresh the Event Viewer.
C. Export the audit log to CSV format, and then use Microsoft WordPad to display log entries that contain the text "MHinge".
D. Apply an event viewer filter that displays only events containing the text "MHinge" in the User field.
Answer: D
C - would work as well but is not needed, since we can filter this down greatly using the built-in filters.
To view a subset of events that have specific characteristics, click Filter Events on the View menu of Event Viewer. Filtering has no effect on the actual contents of the log, it changes only the view. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.
160. You are the administrator of your company's Windows 2000 network. The network contains five Windows 2000 Domain Controllers. Each Domain Controller contains one hard disk that is configured as drive C. You install an application that uses Active Directory frequently. After the installation, a Domain Controller begins to respond slowly to network logon requests. You discover excessive hard disk activity on the Domain Controller. You want to maximize Active Directory performance.
What should you do?
A. Add two new hard disks to the Domain Controller. Mirror the new hard disks and configure the volume as drive D. Move the Sysvol shared folder to drive D. Enable the indexing service on both hard disks.
B. Add two new hard disks to the Domain Controller. Format each new hard disk separately and configure one volume as drive D and the other volume as drive E. Move the Ntds.dit file to drive D and the log files to drive E.
C. Add one new hard disk to the Domain Controller. Format the new hard disk and configure the volume as drive D. Move the Netlogon shared folder to drive D. Enable the indexing service on both hard disks.
D. Add one new hard disk to the Domain Controller. Format the new hard disk and configure the volume as drive D. Move the Sysvol and Netlogon shared folders to drive D.
Answer: B
Microsoft Article #Q257420
This article describes how to move the Active Directory database file, Ntds.dit, and the Active Directory log files to different drives to improve performance.
Note, you must restart the computer in Directory Services Restore mode in order to perform maintenance on AD. Then, start NTDSUTIL.EXE and use the "Move DB" command to move the database to the RAID-5 volume. For optimized performance, you can also perform an offline defrag of the NTDS.DIT Active Directory database file.
161. Your company's network consists of a single Windows 2000 Domain. You are a member of the Domain Admins group. All user and computer accounts belong to a group named FinanceGroup and to an Organizational unit (OU) named FinanceOU. A vendor provides you with an application that contains a Setup.exe file. You need to deploy the application to the sales department by using the least amount of administrative effort.
What should you do to complete this?
A. Create a GPO to assign an MSI file created from the vendor's Setup.exe to users of the FinanceGroup.
B. Create a ZAP file from the vendor's Setup.exe file, and add it to a GPO that assigns it to the FinanceGroup.
C. Create a GPO that publishes an MSI to the users of the FinanceGroup.
D. Create a ZAP file from the vendor's Setup.exe file, and add it to a GPO that publishes it to the FinanceGroup.
E. Create a GPO to publish an MST file created from the vendor's Setup.exe to the users of the FinanceGroup.
Answer: D
ZAP files cannot be assigned, they must be published. Microsoft Article #Q231747 Microsoft Installer - Non-MSI files.
This step-by-step article describes how to publish programs that are not installed with Microsoft Installer (MSI). Non-MSI programs can be published only to users, and are installed using their existing Setup programs. Because non-MSI programs use their existing Setup programs, these programs cannot:
Take advantage of elevated privileges for installation.
Be installed on the first use of the software.
Install a feature on the first use of the feature.
Roll back an unsuccessful operation (install, modify, repair, or removal), or take advantage of other features of MSI.
Detect a broken state and automatically repair it.
Microsoft TechNet Step-by-Step Guide to Software Installation and Maintenance
Published files can be installed from the Add/Remove Programs or by invoking a file type associated with the published application.
162. You are the administrator of your company's Windows 2000 network. The network consists of a single DNS domain named coroso.com. The domain contains a UNIX server named UnixServ1 and a Windows 2000 Server computer named WinServ1. UnixServ1 is running BIND DNS and holds the Start of Authority (SOA) record for the DNS domain. You want to configure WinServ1 as a DNS server for the domain, but UnixServ1 must retain the SOA record for the domain.
You install DNS on WinServ1 and configure the server to contain a primary zone for coroso.com. After the installation, you discover that DNS record changes on UnixServ1 are not being replicated to this new primary zone. You need to enable DNS replication between Unixserv1 and WinServ1.
What should you do?
A. On WinServ1, add UnixServ1 to the list of servers that are permitted to perform zone transfers.
B. Add WinServ1 to the DNSUpdateProxy group, and then restart the DNS server service.
C. Delete the DNS domain from WinServ1, and then create a new secondary zone that is linked to UnixServ1.
D. On WinServ1, convert the primary zone to an Active Directory integrated zone.
Answer: C
You want the UNIX server to be the primary, as indicated by the statement that it "holds the SOA record for the DNS domain". However, you configured the new DNS server as a primary too, so they both think they are the master. Since you want the UNIX server to remain the primary, you would remove the primary zone from the Windows 2000 DNS server and create a secondary zone that pulls from UnixServ1 instead.
163. You are a member of the Enterprise Admins group in your company's Windows 2000 network. Your company consists of 3 offices. Each office has a T1 connection to the internet and uses a virtual private network to establish a direct, secure connection with every other office.
Currently, only two offices, Miami and Toronto, contain Domain Controllers. A site link connects these two offices. Your company wants all offices to contain at least one Windows 2000 Domain Controller. You install a new Domain Controller in the Atlanta office. A portion of the network is now configured as shown in the exhibit.
You want to configure Active Directory to minimize site replication delays between all offices. You also want to be able to reschedule replication traffic between all offices with the least amount of administrative effort. You need to configure directory replication with Atlanta.
Which two actions should you take?
A. Create a new site link between Atlanta and Miami.
B. Create a new site link between Atlanta and Toronto.
C. Add the Atlanta site to the existing link between Miami and Toronto.
D. Set the replication cost for all site links to a value of 1.
E. Set the replication frequency for all site links to every 15 minutes.
Answer: A, B
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
Microsoft Article #Q214677 Automatic Detection of Site Membership for Domain Controllers
During the promotion of a server to domain controller, DCPromo (the wizard used for the promotion process) determines the site the domain controller will become a member of. If the domain controller being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site until appropriate subnets and sites are configured.
An administrator can (and should) create sites in order to effectively use the bandwidth of Local Area Network (LAN) and Wide Area Network (WAN) connections. After the administrator has created sites and associated subnets with those sites, subsequent domain controller promotions are placed into the appropriate sites automatically. During server promotion, DCPromo queries the domain controller that is acting as the source server for site data. If the IP address of the server being promoted falls within the range for a given subnet defined in the Active Directory, DCPromo configures the membership of the domain controller in the site associated with that subnet.
If no subnet objects are defined or the IP address of the server does not fall within the range of the subnet objects present in the Active Directory, the server is placed in the "Default-First-Site-Name" site.
164. Your company's network consists of a single Windows 2000 Domain. The domain is located in an Active Directory site named Miami. You are a member of the Domain Admins group. Two Group Policy Objects (GPOs) are linked to finance.coroso.com. One GPO removes the Run command from the Start menu. The other GPO removes the Search command from the Start menu. Two GPOs are linked to the Miami site. One GPO disables Control Panel. The other GPO hides all icons that are on the desktop. After the company network users log on and begin working with an application, they report that their desktop icons disappear, Control Panel is disabled, and the Run and Search commands are not visible. You want to ensure that the Control Panel is disabled and that desktop icons are removed when users log on and not after they start working.
What should you do?
A. Disable asynchronous policy processing.
B. Disable background refresh policy processing.
C. Enable Group Policy Loopback processing in merge mode.
D. Enable Group Policy Loopback processing in replace mode.
Answer: A
Microsoft Article #Q315418 Optimize Group Policy for Logon Performance in Windows 2000
This is noted at the bottom of the above link:
NOTE: You may receive undesired results when you enable this setting. If you apply policy settings that have conflicting user configuration settings, a user may experience these changes after they log on to the domain. For example, the logged-on user may experience changes on the desktop or Start menu when each policy setting is processed.
165. You are the administrator of your company's Windows 2000 network. The network consists of a single DNS domain named hardware.com. The domain contains one Windows 2000 Domain controller named WinServ1, one UNIX server named UnixServ1, and 250 Windows 2000 Professional computers. UnixServ1 is running BIND DNS and contains the primary zone for the hardware.com zone. You install a new domain controller named Serv2 in the network. However, no client computers are logging on to the new domain controller. You run the Nslookup utility from a client computer. You receive the following results:
You need to enable the client computers to log on to Serv2.
How should you configure Serv2?
A. Change the TCP port for the LDAP service from 389 to 390.
B. Copy the Netlogon.dns file to UnixServ1. Import the Netlogon.dns file to the primary zone on Unixserv1.
C. Install DNS and create a secondary zone for hardware.com. Import the Root.dns file to the secondary zone.
D. Change the Internet Address of the A (host) record to a public IP address.
Answer: B
Microsoft Article #Q255913
Every Windows 2000 DC has a Netlogon.dns file located in its %SystemRoot%\System32\Config folder. This file contains a list of DNS records that the DC will attempt to register when the Netlogon service starts. It is a good idea to make a copy of this file before making the following changes so that you will have a list of the original records that the DC tries to register with the DNS server. Note that each DC will have different records because these records are specific to each network adapter on each DC. Examine the Netlogon.dns file to identify all A records in the file. You can identify A records by the record type following the "IN" class descriptor.
Microsoft Article #Q178169
As a function of the Netlogon service, Windows 2000 domain controllers can register one or more DNS records. When you view the properties for records that are prefixed with "_ldap", note that these entries are Service Location (SRV) records, which are used to identify an available service on a host. In the following descriptions, DnsDomainName refers to the DNS domain name used during promotion of the server when the domain tree is joined or created. DnsTreeName refers to the DNS domain name of the root domain. To identify the correct DNS entries that should exist for the Windows 2000 installation, locate and open the Netlogon.dns text file in the %SystemRoot%\System32\Config folder.
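The check described above, as an added example (not Microsoft's code and not part of the dump): parse a Netlogon.dns-style listing, pick out the A and SRV records by the type token that follows "IN", and report which records the BIND primary zone is still missing. The host names, addresses and zone contents are constructed.

```python
"""Parse a Netlogon.dns file and report which of its records a zone lacks.

Added example for question 165; not Microsoft's code. Host names, addresses
and the zone contents below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed text in the layout of %SystemRoot%\System32\Config\Netlogon.dns:
# <owner> <ttl> IN <type> <rdata...>, one record per line.
SAMPLE_NETLOGON_DNS = """\
hardware.com. 600 IN A 192.0.2.20
_ldap._tcp.hardware.com. 600 IN SRV 0 100 389 serv2.hardware.com.
_ldap._tcp.Default-First-Site-Name._sites.hardware.com. 600 IN SRV 0 100 389 serv2.hardware.com.
_ldap._tcp.dc._msdcs.hardware.com. 600 IN SRV 0 100 389 serv2.hardware.com.
_kerberos._tcp.hardware.com. 600 IN SRV 0 100 88 serv2.hardware.com.
_kpasswd._tcp.hardware.com. 600 IN SRV 0 100 464 serv2.hardware.com.
gc._msdcs.hardware.com. 600 IN A 192.0.2.20
"""

# Constructed view of what the BIND primary on UnixServ1 holds before the
# import: the domain A record and the server's own host record, nothing else.
SAMPLE_UNIX_ZONE = """\
hardware.com. 600 IN A 192.0.2.20
serv2.hardware.com. 3600 IN A 192.0.2.20
"""


@dataclass(frozen=True)
class Record:
    name: str     # owner name, lower-cased (DNS names are case-insensitive)
    ttl: int
    rtype: str    # A, SRV, CNAME, ...
    rdata: tuple  # remaining fields, lower-cased


def parse_netlogon_dns(text):
    """Return the records in a Netlogon.dns-style listing."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # The class token "IN" anchors the line: the record type follows it.
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        records.append(Record(fields[0].lower(), int(fields[1]), fields[3].upper(),
                              tuple(f.lower() for f in fields[4:])))
    return records


def records_by_type(records):
    """Group records by type, keeping file order inside each group."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r.rtype].append(r)
    return dict(grouped)


def dc_locator_targets(records):
    """(host, port) pairs named by the _ldap._tcp.dc._msdcs SRV records;
    these are what clients use to find a domain controller to log on to."""
    return {(r.rdata[3], int(r.rdata[2])) for r in records
            if r.rtype == "SRV" and r.name.startswith("_ldap._tcp.dc._msdcs.")}


def missing_from_zone(netlogon_records, zone_records):
    """Netlogon records with no exact (name, type, rdata) match in the zone."""
    present = {(r.name, r.rtype, r.rdata) for r in zone_records}
    return [r for r in netlogon_records if (r.name, r.rtype, r.rdata) not in present]


if __name__ == "__main__":
    wanted = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    zone = parse_netlogon_dns(SAMPLE_UNIX_ZONE)
    for rec in missing_from_zone(wanted, zone):
        print(f"missing: {rec.name} {rec.rtype} {' '.join(rec.rdata)}")
```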
166. You are the administrator of the Windows 2000 network at Morada Zoo. The network has Active Directory installed and contains a DNS server named Serv1. Using the DNS console you see that Serv1's Forward Lookup Zones contains an empty root domain zone as well as the moradazoo.com domain zone.
All client computers in the network are configured to use Serv1 as their DNS server. The client computers can connect to internet sites by using IP addresses. However, they cannot use internet host names or domain names to connect to internet sites. You need to enable internet name resolution for the client computers.
How should you configure Serv1?
A. Remove the root domain zone and restart the DNS server service. Configure forwarders to point to the DNS servers at the company's internet service provider.
B. Add the DNS servers at the company's internet service provider to the Name Servers configuration tab in the root domain.
C. Add the DNS servers at the company's internet service provider to the top of the DNS server order list in the TCP/IP properties on Serv1.
D. Clear the DNS cache, and then restart the DNS server service.
Answer: A
You cannot even configure forwarders while a root zone is installed on the server.
Microsoft Article #Q229840 DNS Server's Root Hints and Forwarder Pages Are Unavailable
A DNS server behaves as a root server if there is a zone named "." on the server. The "." zone indicates that the server is a top-level root server. Because a root server is at the top of the DNS hierarchy, it cannot be configured to forward and does not require root hints.
When you run the Active Directory Installation Wizard (Dcpromo.exe), you can configure a DNS server on the local computer and configure the forward lookup zones. The wizard examines the TCP/IP configuration on the computer and determines whether the computer is configured to use any DNS servers. If so, the Active Directory Installation Wizard queries for the root servers. If the computer is not configured to use any DNS servers, the wizard queries the root servers listed in the Cache.dns file (the Internet root servers). If the wizard cannot contact any root servers, it configures the local computer as a root server and creates the "." zone.
167. Your company's network consists of two Windows 2000 domains: coroso.com and rome.coroso.com. The rome.coroso.com domain contains three organizational units: Sales, Business, and Development. You are a member of the Domain Admins group in rome.coroso.com.
An employee named Fred is the administrator for the Development OU. Fred reports that he cannot edit any Group Policy Object. Administrators for the Sales and Business OUs report no problems editing GPOs. You want Fred to be able to edit the Development GPO.
What should you do?
A. Delegate to Fred the ability to manage Group Policy Links for the Development OU.
B. Grant Fred the read permission and the create group objects permissions for the Development OU.
C. Grant Fred the read permission and the apply group policy objects permission for the GPOs he wants to edit.
D. Add Fred to the group policy creator group in the rome.coroso.com domain.
Answer: A
Microsoft Article #Q221577 Delegating authority for editing GP objects
Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail. NOTE: Manage Group Policy is a predefined task that you can choose when running the Delegate Authority Wizard.
Provide your user the Full Control - Allow privilege. Full Control gives the user the ability to write to the GPO and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission.
Microsoft Article #Q233548 Fixing a delegate that cannot edit GP objects
After you assign complete control of an Organizational Unit (OU) to a user or group using the Active Directory Users And Computers snap-in for Microsoft Management Console (MMC), that user or group may not be able to edit or create Group Policy objects. NOTE: The user or members of the group can create a new computer, user, group, and printer object in the container.
This issue occurs because the user or group that has control of the OU is not a member of the Group Policy Creator Owners security group.
168. You are the administrator of your company's Windows 2000 network.
The network contains three DNS servers that are configured as shown in the following table:
Server Name   Operating System         Server Role          DNS Zone Type
Serv1         Windows NT 4.0 Server    BDC                  Primary DNS Zone
Serv2         Windows 2000 Server      Domain Controller    Secondary DNS Zone
Serv3         Windows 2000 Server      Member Server        Secondary DNS Zone
You want to configure the DNS servers to support secure dynamic updates. You must reconfigure the DNS zones appropriately to permit the implementation of secure dynamic updates.
What should you do? (Note: Each DNS zone type can be used more than once)
A. Configure Serv1 with a Primary DNS Zone
B. Configure Serv2 with a Secondary DNS Zone
C. Configure Serv3 with a AD integrated DNS Zone
D. Configure Serv3 with a Secondary DNS Zone
E. Configure Serv1 with a AD integrated DNS Zone
F. Configure Serv1 with a Secondary DNS Zone
G. Configure Serv2 with a AD integrated DNS Zone
H. Configure Serv2 with a Primary DNS Zone
I. Configure Serv3 with a Primary DNS Zone
Answer: D, F, G
Only Active Directory integrated zones can use Secure Dynamic Updates. AD integrated zones can only be implemented on Windows 2000 Domain Controllers, so you would have to do that on Serv2. Since the other 2 servers do not qualify to be AD integrated, you would have to make them Secondary DNS servers to the AD integrated DNS Zone.
Secondary DNS Servers are unable to write to the zone, they only contain a read-only copy of the zone.
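The rules behind questions 162 and 168, as an added example that is not part of the dump: which zone type each server may hold, the zone plan that permits secure dynamic updates, and a check that flags the "two masters" misconfiguration from question 162. Server names follow the questions; the rule set is my own summary of the explanations above.

```python
"""Check which DNS zone type each server may hold and spot plans that stop
replication. Added example for questions 162 and 168, not from the dump;
server names follow the questions, the rule set is a summary of the text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsServer:
    name: str
    os: str         # "Windows NT 4.0", "Windows 2000", "UNIX BIND"
    role: str       # "DC", "BDC", "Member", "Standalone"
    zone_type: str  # "AD-integrated", "Primary", "Secondary"


def can_host(server, zone_type):
    """AD-integrated zones are stored in Active Directory, so only a
    Windows 2000 domain controller can hold one; the standard types can
    live on any DNS server."""
    if zone_type == "AD-integrated":
        return server.os == "Windows 2000" and server.role == "DC"
    return zone_type in {"Primary", "Secondary"}


def plan_secure_dynamic_updates(servers):
    """Zone types that allow secure dynamic updates: AD-integrated on every
    Windows 2000 DC (they replicate multi-master among themselves) and
    read-only secondaries on everything else."""
    if not any(can_host(s, "AD-integrated") for s in servers):
        raise ValueError("secure dynamic updates need a Windows 2000 domain controller")
    return {s.name: "AD-integrated" if can_host(s, "AD-integrated") else "Secondary"
            for s in servers}


def check_plan(servers):
    """Problems that stop zone data flowing between the servers."""
    problems = []
    for s in servers:
        if not can_host(s, s.zone_type):
            problems.append(f"{s.name} cannot host zone type {s.zone_type}")
    primaries = [s.name for s in servers if s.zone_type == "Primary"]
    integrated = [s.name for s in servers if s.zone_type == "AD-integrated"]
    # A standard primary is a single master. Two of them, or one beside an
    # AD-integrated copy, means two servers each believe they own the zone
    # and neither pulls changes from the other (question 162's symptom).
    if len(primaries) > 1 or (primaries and integrated):
        problems.append("more than one master copy: " + ", ".join(primaries + integrated))
    if not primaries and not integrated:
        problems.append("no writable copy of the zone")
    return problems


# Question 162 as posed: both servers configured as primary.
COROSO_BEFORE = [
    DnsServer("UnixServ1", "UNIX BIND", "Standalone", "Primary"),
    DnsServer("WinServ1", "Windows 2000", "Member", "Primary"),
]
# Answer C: WinServ1 becomes a secondary that pulls from UnixServ1.
COROSO_AFTER = [COROSO_BEFORE[0],
                DnsServer("WinServ1", "Windows 2000", "Member", "Secondary")]

# Question 168's table.
Q168_SERVERS = [
    DnsServer("Serv1", "Windows NT 4.0", "BDC", "Primary"),
    DnsServer("Serv2", "Windows 2000", "DC", "Secondary"),
    DnsServer("Serv3", "Windows 2000", "Member", "Secondary"),
]

if __name__ == "__main__":
    print("162 before:", check_plan(COROSO_BEFORE))
    print("162 after:", check_plan(COROSO_AFTER))
    print("168 plan:", plan_secure_dynamic_updates(Q168_SERVERS))
```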
169. You are the administrator of your company's network. A vendor provides you with an application and four transform files. You need to deploy the application to employees in the Finance department. You deploy the application and the transform files. After the deployment is complete, you test the application and discover that the second transform file is unnecessary. You want to deploy the application so that it includes only the first, third, and fourth transform files. You need to complete this task by using the least amount of administrative effort.
What should you do?
A. In the application properties, remove all transform files, and then add the required transform files in order.
B. In the application properties, remove the second transform file. Use the Move Up and Move Down buttons to order the files.
C. Remove the package definition from Group Policy. Create a new definition for the package. Add the required transform files in order.
D. Remove the package definition from Group Policy. Copy the required transform files to the package source in order. Create a new definition for the package.
Answer: C
When creating the software distribution you have to select the Advanced published or assigned deployment method when working with a transform file (.MST). You can then configure the package to use the MST file on the Modifications tab. MST files cannot be added to an already published or assigned package; they have to be handled differently.
Microsoft Article #Q236943 Working with Transforms
When you are using Active Directory to assign or publish programs, you can update deployed software. With standard MSI files, you can apply a patch (.msp) file and redeploy the software by using the Software Installation section in the Group Policy Microsoft Management Console (MMC). However, a transform (.mst) file must be handled differently and does not allow for redeployment.
170. Your company's network consists of a single Windows 2000 domain named coroso.com. You are a member of the Domain Admins group. Coroso Ltd., wants to create a new division named Falerika Inc. The new division will consist of two domains: falerika.com and sales.falerika.com. You need to create these two new domains. You need to configure all three domains so that they can share resources by using the least amount of administrative effort.
What should you do?
A. In the coroso.com domain tree, create a new child domain named falerika.com. Create a new child domain for falerika.com named sales.falerika.com.
B. In the coroso.com domain tree, create a new child domain named sales.falerika.com. Create a new parent domain for sales.falerika.com named falerika.com.
C. In the existing forest, create a new domain tree for falerika.com. Create a new child domain for falerika.com named sales.falerika.com.
D. In a new forest, create a new domain tree for falerika.com. Create a new child domain for falerika.com named sales.falerika.com.
Answer: C
2-way Transitive Trust Relationships – When a trust is set up between 2 domains, each is both the trusting and the trusted domain (2-way), and the trust is passed from one domain to another (transitive: A trusts B, B trusts C, so A trusts C). This is the default trust relationship for all domains in a W2k tree or forest and allows all domains in that tree or forest to access resources throughout the tree or forest.
Tree – the logical structure that has more than one domain sharing a common namespace or domain name. The first domain in the logical structure becomes the root domain for that namespace and any additional domains become part of this tree. (Tree Root - mycompany.com, sales.mycompany.com)
Forest – consists of 2 or more trees that share the same AD, schema, and global catalog, but do not share the same namespace. (Tree Root - mycompany.com, sales.mycompany.com)-------(Tree Root – mycompany2.com, marketing.mycompany2.com)
171. You are a member of the Enterprise Admins group in your company's Windows 2000 network. The network exists in one building and consists of a single Active Directory site. The site contains one subnet. Users in the sales department are moving to a new building named NewBuild. You configure a 56KB WAN link to connect both buildings. You create a new Active Directory subnet for NewBuild called Subnet B. You want to add a Domain Controller to Subnet B. You also want to minimize directory replication traffic over the WAN.
What should you do before you install the Domain Controller?
A. Associate the existing site with both subnets.
B. Create a new Active Directory site and associate it only with Subnet B.
C. Create a new Active Directory site and associate it with both subnets.
D. Associate the existing site only with Subnet B.
Answer: B
Microsoft Article #Q199174 Directory Replication Basics (Sites and Site Links)
Microsoft Article #Q214677 Automatic Detection of Site Membership for Domain Controllers
During the promotion of a server to domain controller, DCPromo (the wizard used for the promotion process) determines the site the domain controller will become a member of. If the domain controller being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site until appropriate subnets and sites are configured.
An administrator can (and should) create sites in order to effectively use the bandwidth of Local Area Network (LAN) and Wide Area Network (WAN) connections. After the administrator has created sites and associated subnets with those sites, subsequent domain controller promotions are placed into the appropriate sites automatically. During server promotion, DCPromo queries the domain controller that is acting as the source server for site data. If the IP address of the server being promoted falls within the range for a given subnet defined in the Active Directory, DCPromo configures the membership of the domain controller in the site associated with that subnet.
If no subnet objects are defined or the IP address of the server does not fall within the range of the subnet objects present in the Active Directory, the server is placed in the "Default-First-Site-Name" site.
172. You are the administrator of your company's Windows 2000 network. The network consists of a main office and three branch offices. Each office contains a Windows 2000 DNS server. Users in a branch office report slow response times when they log on to the network. You want to discover why network response times are slow. You must configure the Windows 2000 DNS server to collect the necessary data for this analysis.
What should you do?
A. On the DNS server in the branch office, configure System Monitor to log the data on the Total Query Received counter and the Total Response Sent counter.
B. On the DNS server in the branch office, configure System Monitor to log the data on the IXFR Success Sent and Received counter and the AXFR Success Sent and Received counter.
C. In the DNS server snapin, configure the DNS server in the branch office to log only notification and update messages.
D. In the DNS server snapin, configure the DNS server in the branch office to log only the question packets and the answer packets.
Answer: B
Full zone transfer (AXFR)
The standard query type supported by all DNS servers to update and synchronize zone data when the zone is changed. When a DNS query is made using AXFR as the specified query type, the entire zone is transferred as the response.
Incremental zone transfer (IXFR)
An alternate query type that can be used by some DNS servers to update and synchronize zone data when a zone is changed. When incremental zone transfer is supported between DNS servers, servers can keep track of and transfer only those incremental resource record changes between each version of the zone.
AXFRREQUESTRECEIVED
AXFR Request Received is the total number of full zone transfer requests received by the master DNS server.
AXFRREQUESTSENT
AXFR Request Sent is the total number of full zone transfer requests sent by the secondary DNS server.
IXFRREQUESTRECEIVED
IXFR Request Received is the total number of incremental zone transfer requests received by the master DNS server.
IXFRREQUESTSENT
IXFR Request Sent is the total number of incremental zone transfer requests sent by the secondary DNS server.
TOTALQUERYRECEIVED
Total Query Received is the total number of queries received by DNS server.
TOTALRESPONSESENT
Total Response Sent is the total number of responses sent by DNS server.
173. You are a member of the Enterprise Admins group in your company's Windows 2000 domain. Users in the Business department keep losing their membership in an Active Directory group. You turn on auditing to monitor changes to Active Directory. The next day, you discover that the Business users have been removed from the group again. You open the security event log and find several thousand events. You want to reduce the number of security events you must analyze in order to discover who is removing the Business users from the group. You open the event viewer snapin. You need to filter the security log to include only the events located in the appropriate category.
Which categories should you choose? (Choose Two)
A. Directory service access.
B. Account management.
C. Privilege use.
D. Policy change.
Answer: A, B
Groups and user accounts are monitored under Directory Service Access and Account Management.
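The triage described above, as an added example that is not part of the dump: filter a security log down to the Directory Service Access and Account Management categories, then count which account keeps removing members from the Business group. The events are constructed in the shape of Windows 2000 security audit entries; the event IDs used (633 member removed, 632 member added, 565 directory object open) are Windows 2000 values that you should confirm against your own log.

```python
"""Filter a security log to the categories that record group changes and
count who removed members from a group.

Added example for question 173; not from the dump. Events are constructed;
the event IDs are Windows 2000 values (verify against your own log).
"""
from collections import Counter, namedtuple

Event = namedtuple("Event", "time category event_id user description")

# Constructed sample; account names are made up.
SAMPLE_EVENTS = [
    Event("08:00:01", "Logon/Logoff", 528, "CORP\\alice", "Successful Logon"),
    Event("08:02:13", "Account Management", 633, "CORP\\jdoe",
          "Security Enabled Global Group Member Removed; Member Name: CORP\\alice; "
          "Target Account Name: Business"),
    Event("08:02:14", "Directory Service Access", 565, "CORP\\jdoe",
          "Object Open; Object Name: CN=Business,OU=Groups,DC=corp,DC=com; "
          "Accesses: Write Property"),
    Event("08:02:20", "Object Access", 560, "CORP\\bob",
          "Object Open; Object Name: C:\\payroll.xls"),
    Event("09:10:45", "Account Management", 633, "CORP\\jdoe",
          "Security Enabled Global Group Member Removed; Member Name: CORP\\carol; "
          "Target Account Name: Business"),
    Event("09:11:00", "Account Management", 632, "CORP\\helpdesk",
          "Security Enabled Global Group Member Added; Member Name: CORP\\dave; "
          "Target Account Name: Business"),
    Event("09:30:00", "Account Management", 633, "CORP\\helpdesk",
          "Security Enabled Global Group Member Removed; Member Name: CORP\\erin; "
          "Target Account Name: Sales"),
    Event("10:00:00", "Privilege Use", 577, "CORP\\alice", "Privileged Service Called"),
]

# The two categories the question asks for: group objects and their
# membership are audited under these, not under Privilege Use or Policy Change.
GROUP_CHANGE_CATEGORIES = frozenset({"Directory Service Access", "Account Management"})
MEMBER_REMOVED_IDS = {633}  # global groups; extend with the local-group ID if your log has it


def filter_by_category(events, categories=GROUP_CHANGE_CATEGORIES):
    """The Event Viewer filter from the question: keep only the chosen categories."""
    return [e for e in events if e.category in categories]


def parse_fields(description):
    """Split 'Summary; Key: value; Key: value' into a dict (summary under 'Summary')."""
    fields = {}
    for part in description.split(";"):
        part = part.strip()
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
        elif part:
            fields["Summary"] = part
    return fields


def group_removals(events, group):
    """Counter of the accounts that removed members from `group`."""
    removers = Counter()
    for e in filter_by_category(events, {"Account Management"}):
        if e.event_id not in MEMBER_REMOVED_IDS:
            continue
        if parse_fields(e.description).get("Target Account Name") == group:
            removers[e.user] += 1
    return removers


if __name__ == "__main__":
    print(len(filter_by_category(SAMPLE_EVENTS)), "events left after the category filter")
    for account, count in group_removals(SAMPLE_EVENTS, "Business").most_common():
        print(f"{account} removed {count} member(s) from Business")
```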
174. Your company's network consists of two divisions: Coroso Ltd, and Falerika Inc. Each division has two domains. All domains are contained in the same forest. Coroso Ltd., contains two domains: coroso.com and sales.coroso.com. Falerika Inc., contains two domains: falerika.com and sales.falerika.com. The sales.coroso.com domain and the sales.falerika.com domain each contain an OU called Development.
Falerika, Inc., is changing its name to Hardware, Inc. You need to create a user principal name (UPN) suffix of Hardware.com. Users in both Development OUs will use the UPN to be authenticated by Active Directory.
At which level in Active Directory should you create the UPN?
A. The Development OU in sales.coroso.com and the Development OU in sales.falerika.com.
B. The coroso.com domain tree and the falerika.com domain tree.
C. The root domain.
D. The forest.
Answer: D
Microsoft Article #Q243629 How to: Add UPN Suffixes to a Forest
This article describes how to add UPN suffixes to a forest. Adding these suffixes gives you the ability to use a friendly user logon name that does not match the domain's or parent domains' naming structure.
Microsoft Article #Q243280 Users Can Log in Using User Name or User Principal Name
Users can log on to a Windows 2000 domain using two different logon names. For example, you can use your down-level user logon name (such as my_name) or your User Principal Name (UPN) such as my_name@my_domain_name.
175. Your company's network consists of two Windows 2000 domains, coroso.com and sales.coroso.com. You are a member of the Domain Admins group in sales.coroso.com. The sales.coroso.com domain contains an Organizational Unit (OU) named Remote. Users in the Remote OU use portable computers to connect to the network while at home, in hotels, and in the office. You use Internet Explorer Maintenance in Group Policy to apply Favorites settings for members of the Remote OU. Users in the Remote OU report problems with their Favorites settings when connecting to the company network. When users connect by means of dial-up connections, Favorites settings are not updated. When users connect by means of broadband connections from home, Favorites settings are not always updated. When users connect from the office, Favorites settings are always updated. You need to ensure that Favorites settings are always applied when users log on to the network.
Which two actions should you take to configure the Remote OU?
A. Enable Internet Explorer Maintenance policy processing to allow processing across a slow network connection.
B. Enable the Enable Active Desktop policy.
C. Enable the Group Policy slow link detection policy to change the definition of a slow connection.
D. Set the Group Policy refresh interval for computers policy to 0 minutes.
E. Set the Group Policy refresh interval for users policy to 0 minutes.
F. Enable the Apply Group Policy for computers asynchronously during startup policy for the computer policies.
G. Enable the Slow network connection timeout for user profiles policy.
Answer: A, C
Microsoft Technet Windows 2000 Group Policy Internet Explorer Maintenance policy processing
Used to specify when Internet Explorer Maintenance policy settings are processed. Affects all policy settings that use the Internet Explorer Maintenance extension of Group Policy, such as those under the User Configuration\Windows Settings\Internet Explorer Maintenance node, and overrides any customized settings set by the program implementing Internet Explorer Maintenance policy when it was installed.
Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed.
Setting Policy for Slow-Link Definition
To specify policy settings for Group Policy slow link detection for computers, you use the Computer Configuration\Administrative Templates\System\Group Policy node. To set this policy for users, you use the User Configuration\Administrative Templates\System\Group Policy node. The connection speed is set for kilobits per second (Kbps).
For User Profiles, the Slow network connection timeout for user profiles policy is located in the Computer Configuration\Administrative Templates\System\Logon node. This policy has support for both pinging the server and checking the performance of the file system. This is because user profiles can be stored anywhere, and that server may or may not have IP support. Therefore, the user profile code first tries to ping the server. If the server does not have IP support, it falls back to measuring the file system's performance. You must specify connection speeds in both kilobytes per second (Kbps) and milliseconds (ms) when setting this policy.
176. Your company's network consists of a single Windows 2000 domain. You are the administrator for an organizational unit named Finance. Four Group Policy Objects are linked to the Finance OU. They are listed on the Group Policy tab as below:
Remove Run GPO - removes the Run command from the Start menu. This GPO affects only the users in Atlanta.
Enable Display and Distribute Software GPO - enables Display in the Control Panel. This GPO affects all users in the Finance department.
Disable Display and Remove Run GPO - removes the Run command from the Start menu and disables Display in the Control Panel. This GPO affects only the users in Chicago.
Enable Run GPO - enables the Run command on the Start menu. This GPO affects only the users in New York.
You discover that users in Chicago are making unauthorized changes to their desktop settings by using Display in the Control Panel. You need to ensure that users in the Finance OU cannot access Display in the Control Panel.
What should you do?
A. Set the Chicago Disable Display & Remove Run GPO to No override.
B. Set the All Users Enable Display & Distribute Software GPO to Block Inheritance.
C. Raise the priority of the All Users Enable Display & Distribute Software GPO.
D. Lower the priority of the All Users Enable Display & Distribute Software GPO.
Answer: D
The higher a Group Policy Object is listed on the Group Policy tab, the higher its priority. This means that policies are processed from the bottom up, with higher policies overwriting lower policies.
In this case, the Disable Display and Remove Run GPO is applied to the Chicago users and then the Enable Display and Distribute Software GPO is applied to all users, so the Enable Display setting wins. Lowering the Enable Display and Distribute Software GPO below the Chicago GPO reverses that order.
A would also work; however, No Override and Block Policy Inheritance should be avoided if possible.
Microsoft Technet - Group Policy Best Practices
Use the Block Policy inheritance and No Override features sparingly. Routine use of these features makes it difficult to troubleshoot policy. If you must use them, see To block policy inheritance and To prevent a Group Policy object from being overridden.
Microsoft Technet - Group Policy precedence
Important: No Override and Block Policy inheritance are advanced options, and they are not recommended for casual use, because they change the default behavior of policy inheritance, as described in the previous paragraph, and this can complicate troubleshooting.
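The precedence rule explained above, as an added example that is not part of the dump: a simplified model of the Group Policy tab for one container (bottom-up processing, No Override links applied last, per-GPO security filtering), run against the four Finance OU links to show why lowering the Enable Display GPO fixes Chicago while No Override on the Chicago GPO would also work. The security-group names used for filtering are assumptions.

```python
"""Resolve the effective settings of the GPOs linked to one container.

Added example for question 176; a simplified model, not Microsoft's code.
GPO names and settings follow the question; the group names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict             # policy -> state it sets
    applies_to: set            # security groups filtered to receive it; "All" = everyone
    no_override: bool = False  # "No Override" set on the link


def applies(gpo, user_groups):
    return "All" in gpo.applies_to or bool(gpo.applies_to & set(user_groups))


def resolve(link_order, user_groups):
    """link_order lists GPOs as they appear on the Group Policy tab, top first.

    Processing is bottom-up: the GPO at the bottom is applied first and each
    one above it overwrites conflicting settings, so the top link has the
    highest priority. Links marked No Override are applied after all the
    others so nothing can overwrite them. Returns policy -> (state, winner).
    """
    normal = [g for g in link_order if not g.no_override]
    enforced = [g for g in link_order if g.no_override]
    effective = {}
    for gpo in normal[::-1] + enforced[::-1]:
        if not applies(gpo, user_groups):
            continue
        for policy, state in gpo.settings.items():
            effective[policy] = (state, gpo.name)
    return effective


def move_down(link_order, name, steps=1):
    """Lower a link's priority (the Move Down button); returns a new order."""
    order = list(link_order)
    i = next(k for k, g in enumerate(order) if g.name == name)
    j = min(i + steps, len(order) - 1)
    order.insert(j, order.pop(i))
    return order


def with_no_override(link_order, name):
    """Copy of the order with No Override set on the named link (option A)."""
    return [GPO(g.name, g.settings, g.applies_to, g.no_override or g.name == name)
            for g in link_order]


DISPLAY = "Display in Control Panel"
RUN = "Run command"

# The four links of the Finance OU in the order the question lists them.
FINANCE_OU_LINKS = [
    GPO("Remove Run", {RUN: "Removed"}, {"Atlanta"}),
    GPO("Enable Display and Distribute Software", {DISPLAY: "Enabled"}, {"All"}),
    GPO("Disable Display and Remove Run", {DISPLAY: "Disabled", RUN: "Removed"}, {"Chicago"}),
    GPO("Enable Run", {RUN: "Enabled"}, {"New York"}),
]

if __name__ == "__main__":
    chicago = {"Chicago"}
    print("as listed:      ", resolve(FINANCE_OU_LINKS, chicago)[DISPLAY])
    lowered = move_down(FINANCE_OU_LINKS, "Enable Display and Distribute Software")
    print("after Move Down:", resolve(lowered, chicago)[DISPLAY])
    enforced = with_no_override(FINANCE_OU_LINKS, "Disable Display and Remove Run")
    print("with No Override:", resolve(enforced, chicago)[DISPLAY])
```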
177. Your company's network consists of a single Windows 2000 domain. You are a member of the domain admins group. You install a Windows 2000 member server, and then install Remote Installation Services on the member server. You enable the RIS server to respond to client computers. You successfully load a CD based image on the server. You attempt to initiate a RIS session on your first PXE compliant client computer, but your RIS server does not respond to the request. You want to ensure that the RIS server responds to client computers.
What should you do?
A. Install DNS on the RIS server.
B. Install WINS on the RIS server.
C. Authorize the RIS server.
D. Assign the RIS server an address by means of DHCP.
E. Add a reservation for each client computer on the DHCP server.
Answer: C
Microsoft Article #Q298750
When RIS is successfully installed, you must authorize the RIS server in Active Directory. If you do not authorize the RIS server, it cannot service clients that request a network service boot. The next section outlines these steps.
To authorize an RIS server in Active Directory, you must be logged on to your computer as an enterprise administrator or a domain administrator of the root domain. You can complete the following steps on any domain controller, member server of the domain, or Windows 2000 Professional-based workstation that has the Administrator Tools Package (which contains the DHCP Server Management snap-in) installed.