Appendix A -- Questions and Answers

Introduction

Review

  1. What is the primary difference between Windows 2000 Professional and Windows 2000 Server?

    Windows 2000 Professional is optimized for use as a stand-alone desktop operating system, as a networked computer in a peer-to-peer workgroup, or as a workstation in a Windows 2000 Server domain. Windows 2000 Server is optimized for use as a file, print, and application server and as a Web-server platform.

  2. What is the major difference between a workgroup and a domain?

    The major difference between a workgroup and a domain is where user account information is stored, and therefore where logon authentication happens. In a workgroup, user accounts reside in the local security database of each computer, so every computer authenticates its own users. In a domain, user accounts reside in the Active Directory database and domain controllers authenticate users for the whole domain.

  3. Which of the integral subsystems is responsible for running Active Directory?

    The Security subsystem.

  4. What is the purpose of Active Directory service?

    Active Directory is the directory service included in Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

  5. What happens when a user logs on to a domain?

    Windows 2000 sends the logon credentials to a domain controller, which compares them with the user's account information in the directory. If they match, the domain controller authenticates the user, and an access token is built for the logon session that identifies the user and the groups he or she belongs to. Every process the user starts carries that token, and it is what Windows 2000 checks against resource permissions.

  6. How would you use the Windows 2000 Security dialog box?

    The Windows 2000 Security dialog box provides easy access to important security options, including the ability to lock a computer, change a password, stop programs that are not responding, log off a computer, and shut down the computer. You can also determine the domains to which you are logged on and the user account that you used to log on.

Chapter 1

Review

  1. How do you install the Windows 2000 deployment tools, such as the Setup Manager wizard and the System Preparation tool?

    To install the Windows 2000 deployment tools, display the contents of the Deploy.cab file, which is located in the Support\Tools folder on the Windows 2000 CD-ROM. Select all the files you want to extract, right-click a selected file, and then select Extract from the menu. You will be prompted for a destination and the location and name of a folder for the extracted files.

  2. Which five resources must you have to use Remote Installation Services to install Windows 2000 Professional?

    You must have Windows 2000 Server with RIS installed, a DNS server available on the network, a DHCP server available on the network, a Windows 2000 domain to provide Active Directory directory service, and client computers that meet the Net PC specification or have a boot floppy to connect to the RIS server.

  3. What utility is provided in Windows 2000 to create boot floppies and how do you access it?

    Windows 2000 ships with the Windows 2000 Remote Boot Disk Generator, Rbfg.exe, which creates the boot disks. It is stored on the RIS server in the folder that holds the Windows 2000 Professional installation files: RemoteInstall\Admin\i386\Rbfg.exe.

  4. You are planning on installing 45 computers with Windows 2000 Professional. You have determined that these 45 computers have seven different network adapter cards. How do you determine whether these seven different types of network adapter cards are supported by the boot floppies you created?

    The boot floppies created using Rbfg only support the PCI-based network adapters listed in the Adapter List. Start Rbfg.exe and then click the Adapter List button to see the list of supported adapters.

  5. You have a portable computer running Windows 95 and you want to upgrade it to Windows 2000. The computer has 16 MB of RAM, and this can be upgraded to 24 MB. Can you upgrade this computer to Windows 2000? If not, how would you make it so this computer was able to access Active Directory directory service?

    No. Windows 2000 Professional requires at least 64 MB of RAM, so 24 MB is not enough. Instead, install the Directory Service Client for Windows 95 or Windows 98 (Dsclient.exe, supplied with Windows 2000 Server) on the laptop; it can then use Active Directory directory service.

  6. Name at least two problems the System Preparation tool resolves when creating and copying a master disk image to other computers.

    The System Preparation tool adds a system service to the master image that generates a new, unique computer security identifier (SID) the first time a computer that received the image is started. Without this, every cloned computer would share the SID of the master, and with it the SIDs of the local accounts and groups built on that SID.

    The System Preparation tool adds a Mini-Setup wizard to the master image that runs the first time a computer that received the image is started. It guides the user through accepting the end-user license agreement and entering computer-specific information such as the Product ID, user name, company name, and time zone.

    The System Preparation tool configures the master image so that a computer that receives it runs a full Plug and Play device detection on first start. Peripherals such as the network adapter, video adapter, and sound card on the target computer therefore need not be identical to those on the computer where the image was generated.

  7. Your company has decided to install Windows 2000 Professional on all new computers that are purchased for desktop users. What should you do before you purchase new computers to ensure that Windows 2000 can be installed and run without difficulty?

    Verify that the hardware components meet the minimum requirements for Windows 2000. Also, verify that all of the hardware components that are installed in the new computers are listed on the Windows 2000 HCL. If a component is not listed, contact the manufacturer to verify that a Windows 2000 driver is available.

  8. You are attempting to install Windows 2000 Professional from a CD-ROM. However, you have discovered that your computer doesn't support booting from the CD-ROM drive. How can you install Windows 2000?

    Start the computer by using the Setup boot disks. When prompted, insert the Windows 2000 Professional CD-ROM, and then continue setup.

  9. You are installing Windows 2000 Server on a computer that will be a client in an existing Windows 2000 domain. You want to add the computer to the domain during installation. What information do you need, and which computers must be available on the network before you run the Setup program?

    You need the DNS domain name of the domain that you are joining. You must also make sure that a computer account for the client exists in the domain, or you must have the user name and password of a user account in the domain with the authority to create computer accounts in the domain. A server running the DNS service and a domain controller in the domain you are joining must be available on the network.

  10. You are using a CD-ROM to install Windows 2000 Professional on a computer that was previously running another operating system. How should you configure the hard disk to simplify the installation process?

    Use a disk partitioning tool to remove any existing partitions, and then create and format a new partition for the Windows 2000 installation.

  11. You are installing Windows 2000 Professional over the network. Before you install to a client computer, what must you do?

    Locate the path to the shared installation files on the distribution server. Create a 500-MB FAT partition on the target computer (1 GB recommended). Create a client disk with a network client so that you can connect from the computer, without an operating system, to the distribution server.

Chapter 2

  1. Click Computer Management (Local), and then click the Extensions tab.

    The MMC displays a list of available extensions for the Computer Management snap-in.

    What option determines which extensions MMC displays in the Available Extensions list in this dialog box?

    The available extensions depend on which snap-in you select.

  1. Change the working directory to the root directory of drive C (if necessary) or to the root directory of the drive where you mounted your volume, type dir, and then press Enter.

    How much free space does the Dir command report?

    Answer will vary.

    Why is there a difference between the free space reported for drive C and the free space reported for C:\Mount?

    C:\Mount is a mount point for a different volume, so the Dir command reports the free space of that mounted volume, not the free space of drive C. (If you mounted your volume on a drive other than drive C, replace C with the appropriate drive letter.)

  1. On the Quota tab of the Local Disk (C:) Properties dialog box, click the Quota Entries button.

    Windows 2000 displays the Quota Entries For Local Disk (C:) window.

    Are any user accounts listed? Why or why not?

    Yes. The accounts listed are those that have logged on and stored files on drive C; Windows 2000 creates a quota entry for each file owner and charges that owner for the space the files use.

  1. Click OK.

    Windows 2000 displays the Add New Quota Entry dialog box.

    What are the default settings for the user you just set a quota limit for?

    Limit disk space to 10 MB and Set the warning level to 6 MB. These are the default settings that are selected for drive C.

  1. Copy the i386 folder from your CD-ROM to the User5 folder.

    Windows 2000 Professional begins copying files from the i386 folder on the CD-ROM to a new i386 folder in the User5 folder on drive C. After copying several files, however, Windows 2000 displays the Error Copying File Or Folder dialog box, indicating that there isn't enough room on the disk.

    Why did you get this error message?

    You have exceeded your quota limit. Because the Deny Disk Space To Users Exceeding Quota Limit check box is selected, Windows 2000 refuses further writes once the limit is reached; with the check box cleared, it would only log the event and let the copy continue.

  1. In the details pane, double-click Hardware Resources, and then double-click IRQs.

    Are there any IRQs being shared?

    Answer will vary.

Review

  1. What should you do if you can't see any output on the secondary display?

    If you can't see any output on the secondary display, try the following:

    • Activate the device in the Display Properties dialog box.
    • Confirm that you chose the correct video driver.
    • Restart the computer and check its status in Device Manager.
    • Switch the order of the display adapters on the motherboard.
  2. You have configured recovery options on a computer running Windows 2000 Professional to write debugging information to a file if a system failure occurs. You notice, however, that the file isn't being created. What could be causing this problem?

    The problem could be one or more of the following:

    • The paging file size could be set to less than the amount of physical RAM in your system.
    • The paging file might not be located on your system partition.
    • You might not have enough free space to create the Memory.dmp file.
  3. You installed a new network interface card (NIC) in your computer, but it doesn't seem to be working. Describe how you would troubleshoot this problem.

    You would do the following to troubleshoot the problem:

    • Check Device Manager to determine whether Windows 2000 properly detected the network card.
    • If the card isn't listed in Device Manager, run the Add/Remove Hardware wizard to have Windows 2000 detect the new card. If the card is listed in Device Manager but the icon representing the new card contains either an exclamation mark or a stop sign, view the properties of the card for further details. You might need to reinstall the drivers for the card, or the card might be causing a resource conflict.
  4. You install a new 10-GB disk drive that you want to divide into five equal 2-GB sections. What are your options?

    You can leave the disk as a basic disk and then create a combination of primary partitions (up to three) and logical drives in an extended partition; or, you can upgrade the disk to a dynamic disk and create five 2-GB simple volumes.

  5. You are trying to create a striped volume on your Windows 2000 Server computer to improve performance. You confirm that you have enough unallocated disk space on two disks in your computer, but when you right-click an area of unallocated space on a disk, a dialog box appears indicating that your only option is to create a partition. What is the problem and how would you resolve it?

    You can create striped volumes only on dynamic disks. The fact that you are presented with the option to create a partition rather than a volume indicates that the disk you are trying to use is a basic disk. You will need to upgrade all of the disks that you want to use in your striped volume to dynamic disks before you stripe them.

  6. You add a new disk to your computer and attempt to extend an existing volume to include the unallocated space on the new disk, but the option to extend the volume isn't available. What is the problem and how would you resolve it?

    The existing volume is not formatted with the NTFS file system; only NTFS volumes can be extended. Back up any data on the existing volume, convert it to NTFS, and then extend the volume. Note also that only volumes on dynamic disks can be extended, and that the system and boot volumes cannot be extended at all.

  7. You dual boot your computer with Windows 98 and Windows 2000 Professional. You upgrade a second drive—which you are using to archive files—from basic storage to dynamic storage. The next time you try to access your archived files from Windows 98, you are unable to read the files. Why?

    Only Windows 2000 can read dynamic storage. Windows 98 (like Windows NT 4.0) recognizes only basic disks, so once the second drive is upgraded to dynamic storage its archived files are invisible from Windows 98.

  8. You are the administrator for a computer running Windows 2000 Professional. You want to restrict users to 25 MB of available storage space. How do you configure the volumes on the computer?

    Format all volumes with NTFS and enable disk quotas for all of the volumes. Specify a limit of 25 MB and select the Deny Disk Space To Users Exceeding Quota Limit check box.

  9. The Sales department archives old sales data on a network computer running Windows 2000 Professional. Several other departments share the server. You have begun to receive complaints from users in other departments that the server has little remaining disk space. What can you do to alleviate the problem?

    Compress the folders that the Sales department uses to store archive data.

  10. A friend of yours just installed Windows 2000 Professional on his home computer. He called you to help him configure Advanced Power Management (APM), and when you told him to double-click Power Options in Control Panel and click on the APM tab, he told you he did not have an APM tab. What is the most likely reason there is no APM tab?

    The most likely reason there is no APM is that his computer does not have an APM-based BIOS installed. When Windows 2000 does not detect an APM-based BIOS, Setup does not install APM and there is no APM tab in the Power Options Properties dialog box.

  11. Many commercial airlines require you to turn off portable computers during certain portions of a flight. Does placing your computer in Hibernate mode comply with these airline regulations? Why or why not?

    No. Hibernate mode makes your computer appear to be turned off, but it is not. You must shut down your computer to comply with these airline regulations.

  12. Your boss has started to manually assign resource settings to all devices, including Plug and Play devices, and wants you to finish the job. What should you do?

    Explain to your boss that it is not a good idea to manually change or assign resource settings for Plug and Play devices. Windows 2000 arbitrates resources, but if you manually assign them, then Windows 2000 will not be able to arbitrate the assigned resources if requested by another Plug and Play device.

  13. You receive a call at the Help desk from a user who is trying to configure her fax settings, and she tells you that she does not have an Advanced Options tab. What could the problem be?

    For the Advanced Options tab to be displayed, the user must be logged on as Administrator or have administrator privileges.

Chapter 3

  1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder.

    What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

    The Sales group has the Read permission for the Sales subfolder because when shared folder permissions are combined with NTFS permissions, the more restrictive permission applies.

  2. In the second example, the Users folder contains user home folders. Each user home folder contains data that is accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for only their home folder and no NTFS permissions for other folders. These users are all members of the Users group.

    What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?

    User1 has the Full Control permission for the User1 subfolder because both the shared folder permission and the NTFS permission allow Full Control. User1 can't access the User2 subfolder because she or he has no NTFS permissions to gain access to it.

  1. Which user is specified in the Notify box? Why?

    The Notify box currently displays the user Administrator because Administrator printed the document.

  To increase the priority of a document

  1. In the Readme.txt Document Properties dialog box, on the General tab, notice the default priority.

    What is the current priority? Is it the lowest or highest priority?

    The current priority is the default of 1, which is the lowest priority (99 is the highest).

Review

  1. A print server can connect to two different types of print devices. What are these two types of print devices, and what are the differences?

    The two types are local and network-interface print devices. A local print device is connected directly to a physical port of the print server. A network-interface print device is connected to the print server through the network. Also, a network-interface print device requires a network interface card.

  2. You have added and shared a printer. What must you do to set up client computers running Windows 2000 so that users can print, and why?

    You (or the user) must make a connection to the printer from the client computer. When you make a connection to the printer from the client computer, Windows 2000 automatically copies the printer driver to the client computer.

  3. What advantages does connecting to a printer by using http://server_name/ printers provide for users?

    It allows a user to make a connection to a printer without having to use the Add Printer wizard. It makes a connection to a Web site, which displays all of the printers for which the user has permission. The Web site also provides information on the printers to help the user make the correct selection. Also, a Web designer can customize this Web page, for example displaying a floor plan that shows the location of print devices, which makes it easier for users to choose a print device.

  4. Why would you connect multiple printers to one print device?

    To set priorities between the printers so that users can send critical documents to the printer with the highest priority. These documents will always print before documents that are sent from printers with lower priorities.

  5. Why would you create a printer pool?

    To speed up printing. Users print to one printer that has several print devices, so documents do not wait in the print queue while a single device is busy. It also simplifies administration; it's easier to manage one printer for several print devices than one printer for each print device. All print devices in a pool must work with the same printer driver, and they should be located together, because a user cannot tell in advance which device will print a document.

  6. Which printer permission does a user need to change the priority on another user's document?

    The Manage Documents permission.

  7. In an environment where many users print to the same print device, how can you help reduce the likelihood of users picking up the wrong documents?

    Create a separator page that identifies and separates printed documents.

  8. Can you redirect a single document?

    No. You can change the configuration of the print server only to send documents to another printer or print device, which redirects all documents on that printer.

  9. A user needs to print a large document. How can the user print the job after hours, without being present while the document prints?

    You can control print jobs by setting the printing time. You set the printing time for a document on the General tab of the Properties dialog box for the document. To open the Properties dialog box for a document, select the document in the printer's window, click the Document menu, and then click Properties. Click Only From in the Schedule section of the Properties dialog box, and then set the Only From hour to the earliest time you want the document to begin printing after regular business hours. Set the To time to a couple of hours before normal business hours start. To set the printing time for a document, you must be the owner of the document or have the Manage Documents permission for the appropriate printer.
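The two scheduling rules from questions 4 and 9 (a higher-priority printer always wins, and a document whose Only From/To window is closed waits) are easy to get wrong when the window crosses midnight. The following Python model is an added example, not code from the training kit or from Windows; the printer names, documents, priorities and times are constructed for it.

```python
"""Added example (not from the training kit): how a print server picks the next
document when several printers feed one print device. Two rules from the chapter
are modelled: a document from a higher-priority printer (99 is highest, 1 is the
default and lowest) is always dispatched ahead of one from a lower-priority printer,
and a document whose "Only From ... To ..." window is closed waits, however old it
is. Windows that cross midnight, such as 22:00 to 06:00, are the edge case. Printer
names, documents and times are constructed for the example.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass
class Printer:
    name: str
    priority: int = 1          # 1..99; higher wins


@dataclass
class Job:
    doc: str
    printer: Printer
    submitted: int             # arrival order in the queue (lower = earlier)
    window: Optional[Tuple[time, time]] = None   # (only_from, to); None = always

    def available_at(self, now: time) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:                     # same-day window, e.g. 09:00 to 17:00
            return start <= now <= end
        return now >= start or now <= end    # crosses midnight, e.g. 22:00 to 06:00


def clock(hhmm: str) -> time:
    """'23:30' -> time(23, 30)."""
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


def next_job(queue: List[Job], now: time) -> Optional[Job]:
    """Highest printer priority first; among equals, first submitted; closed windows wait."""
    ready = [job for job in queue if job.available_at(now)]
    if not ready:
        return None
    return min(ready, key=lambda job: (-job.printer.priority, job.submitted))


def dispatch_order(queue: List[Job], now: time) -> List[str]:
    """Order the device would see if the clock stayed at `now` for the whole queue."""
    pending = list(queue)
    order = []
    while (job := next_job(pending, now)) is not None:
        order.append(job.doc)
        pending.remove(job)
    return order


def sample_queue() -> List[Job]:
    """Two printers on one device: 'Urgent' (priority 99) and 'Normal' (priority 1)."""
    urgent = Printer("Urgent", 99)
    normal = Printer("Normal", 1)
    return [
        Job("report.doc", normal, 1),
        Job("memo.doc", urgent, 2),
        Job("catalog.pdf", normal, 3, (clock("22:00"), clock("06:00"))),  # after hours only
        Job("invoice.doc", normal, 4),
    ]


if __name__ == "__main__":
    for now in ("14:00", "23:00", "03:00", "06:30"):
        print(now, dispatch_order(sample_queue(), clock(now)))
```

At 14:00 the catalog is held back and the memo from the Urgent printer jumps ahead of the earlier report; at 23:00 and at 03:00 the catalog becomes eligible because the window wraps past midnight, and by 06:30 it waits again.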

  10. What are the advantages of using a Web browser to administer printing?

    You can administer any printer on a Windows 2000 print server on the intranet by using any computer running a Web browser, regardless of whether the computer is running Windows 2000 or has the correct printer driver installed. Additionally, a Web browser provides a summary page and reports real-time print device status, and you can customize the interface.

  11. What is the default permission when a volume is formatted with NTFS? Who has access to the volume?

    The default permission is Full Control, assigned to the Everyone group. Until you replace that entry with more specific permissions, every user who can reach the volume can read, change, and delete its contents and even change its permissions.

  12. If a user has Write permission for a folder and is also a member of a group with Read permission for the folder, what are the user's effective permissions for the folder?

    The user has both Read permission and Write permission for the folder because NTFS permissions are cumulative.

  13. If you assign the Modify permission to a user account for a folder and the Read permission for a file, and then you copy the file to that folder, which permission does the user have for the file?

    The user can modify the file because the file inherits the Modify permission from the folder.

  14. What happens to permissions that are assigned to a file when the file is moved from one folder to another folder on the same NTFS volume? What happens when the file is moved to a folder on another NTFS volume?

    When the file is moved from one folder to another folder on the same NTFS volume, the file retains its permissions. When the file is moved to a folder on a different NTFS volume, the file inherits the permissions of the destination folder.

  15. If an employee leaves the company, what must you do to transfer ownership of his or her files and folders to another employee?

    Log on as Administrator and take ownership of the employee's folders and files (members of the Administrators group can always take ownership). Then assign the Take Ownership special access permission to the other employee, and notify that employee to take ownership of the folders and files. Ownership cannot be assigned directly in Windows 2000; it can only be taken.

  16. What three details should you check when a user can't gain access to a resource?

    Check the permissions that are assigned to the user account and to groups in which the user is a member.

    Check whether the user account, or a group of which the user is a member, has been denied permission for the file or folder.

    Check whether the folder or file has been copied anywhere, or moved to another volume. In either case it inherited the permissions of the destination folder, so the permissions you originally assigned no longer apply.

  17. The Sales department archives existing sales data on a network computer running Windows 2000 Professional. Several other departments share the server. You have begun to receive complaints from users in other departments that the server has little remaining disk space. What can you do to alleviate the problem?

    Compress the folders that the Sales department uses to store archive data.

  18. When a folder is shared on a FAT volume, what does a user with the Full Control shared folder permissions for the folder have access to?

    All folders and files in the shared folder.

  19. What are the shared folder permissions?

    Full Control, Change, and Read.

  20. By default, what are the permissions that are assigned to a shared folder?

    The Everyone group is assigned the Full Control permission.

  21. When a folder is shared on an NTFS volume, what does a user with the Full Control shared folder permissions for the folder have access to?

    Only the folder, but not necessarily any of the folder's contents. The user would also need NTFS permissions for each file and subfolder in the shared folder to gain access to those files and subfolders.

  22. When you share a public folder, why should you use centralized data folders?

    When you use centralized data folders you can back up data easily.

  23. What is the best way to secure files and folders that you share on NTFS partitions?

    Put the files that you want to share in a shared folder and keep the default shared folder permission (the Everyone group with the Full Control permission for the shared folder), then assign NTFS permissions to users and groups to control access to everything in the shared folder, down to individual files. NTFS permissions apply whether the files are reached locally or over the network, so they are the single place to manage access. One caveat: with Everyone Full Control on the share, any mistake in the NTFS permissions is fully exposed over the network, so many administrators also restrict the share itself to Authenticated Users or to the groups that need it, as a second line of defense.
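The combination rules used throughout this chapter (the two worked examples with the Data and Users shares, and review questions 12 through 16, 21 and 23) can be checked mechanically. The following Python model is an added example, not code from the training kit or from Windows: the right bundles are a simplification of the real NTFS access mask, and the user, group and folder names are constructed for it.

```python
"""Added example (not from the training kit): a small model of how Windows 2000
combines shared-folder permissions with NTFS permissions. The rules it encodes are
the ones the chapter states:
  * NTFS permissions granted to the user and to every group the user belongs to
    accumulate,
  * an explicit Deny removes the denied rights no matter what is allowed,
  * a user with no NTFS entry for themself or any of their groups gets nothing,
  * when a folder is reached through a share, the effective permission is the
    intersection (the more restrictive) of the share and NTFS permissions.
The right bundles below are a simplification of the real NTFS access mask; the
user, group and folder names are constructed for the example.
"""
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()


NONE = Right(0)
FULL = (Right.READ | Right.EXECUTE | Right.WRITE | Right.DELETE
        | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP)

NTFS = {  # standard NTFS permissions as bundles of rights (simplified)
    "Read": Right.READ,
    "Read & Execute": Right.READ | Right.EXECUTE,
    "Write": Right.WRITE,
    "Modify": Right.READ | Right.EXECUTE | Right.WRITE | Right.DELETE,
    "Full Control": FULL,
}
SHARE = {  # the three shared-folder permissions
    "Read": Right.READ | Right.EXECUTE,
    "Change": Right.READ | Right.EXECUTE | Right.WRITE | Right.DELETE,
    "Full Control": FULL,
}


def token(user, *groups):
    """Principals carried in a user's access token: the user, the groups, and Everyone."""
    return frozenset({user, "Everyone", *groups})


def evaluate(principals, aces, table):
    """aces: list of (principal, "Allow" | "Deny", permission name).
    Allow entries accumulate across matching principals; any matching Deny wins."""
    allowed, denied = NONE, NONE
    for principal, kind, perm in aces:
        if principal not in principals:
            continue
        if kind == "Allow":
            allowed |= table[perm]
        elif kind == "Deny":
            denied |= table[perm]
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed & ~denied


def ntfs_effective(principals, ntfs_aces):
    """Effective permission for a user sitting at the computer (NTFS only)."""
    return evaluate(principals, ntfs_aces, NTFS)


def effective_via_share(principals, share_aces, ntfs_aces):
    """Effective permission over the network: the more restrictive of share and NTFS."""
    return evaluate(principals, share_aces, SHARE) & ntfs_effective(principals, ntfs_aces)


def describe(rights):
    return "none" if rights == NONE else ", ".join(r.name for r in Right if r in rights)


# Constructed ACLs mirroring the chapter's two examples.
DATA_SHARE = [("Sales", "Allow", "Read")]                 # \\server\Data, share permission
SALES_SUBFOLDER = [("Sales", "Allow", "Full Control")]   # Data\Sales, NTFS permission
USERS_SHARE = [("Users", "Allow", "Full Control")]        # \\server\Users, share permission
USER1_HOME = [("User1", "Allow", "Full Control")]         # Users\User1, NTFS permission
USER2_HOME = [("User2", "Allow", "Full Control")]         # Users\User2, NTFS permission

if __name__ == "__main__":
    sales = token("Alice", "Sales")
    print("Sales via Data share on Sales:", describe(effective_via_share(sales, DATA_SHARE, SALES_SUBFOLDER)))
    user1 = token("User1", "Users")
    print("User1 on User1 home:", describe(effective_via_share(user1, USERS_SHARE, USER1_HOME)))
    print("User1 on User2 home:", describe(effective_via_share(user1, USERS_SHARE, USER2_HOME)))
    bob = token("Bob", "Staff")
    print("Write + group Read:", describe(ntfs_effective(bob, [("Bob", "Allow", "Write"), ("Staff", "Allow", "Read")])))
    print("Modify minus Deny Write:", describe(ntfs_effective(bob, [("Bob", "Allow", "Modify"), ("Staff", "Deny", "Write")])))
```

The Sales case collapses to the share's Read even though NTFS grants Full Control; User1 gets Full Control on the User1 folder and nothing at all on User2's, because an absent NTFS entry is not an implicit Allow; and the last two calls show the cumulative rule and the Deny override from the review questions.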

Chapter 4

Review

  1. What information is required to create a local user account?

    A user name is the only required information. A password and the other account properties are optional when the account is created, but an account with no password can be used by anyone who can reach the computer, so set one.

  2. What are built-in user accounts and what are they used for?

    Windows 2000 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest. You use the built-in Administrator account to manage the overall computer network (for example, creating and modifying user accounts and groups, and setting account properties on user accounts). You use the built-in Guest account to give occasional users the ability to log on and gain access to resources.

Chapter 5

  1. To verify that the IP address is working and configured for your adapter, type ping 127.0.0.1 and then press Enter.

    What happens?

    Four "Reply from 127.0.0.1" messages should appear.

  2. If you have a computer that you are using to test connectivity, type ping ip_address (where ip_address is the IP address of the computer you are using to test connectivity), and then press Enter. If you don't have a computer to test connectivity, skip this step and proceed to step 7.

    What happens?

    Four "Reply from ip_address" messages should appear.

  1. Click Obtain An IP Address Automatically.

    Which IP address settings will the DHCP Service configure for your computer?

    IP address and subnet mask.

  1. At the command prompt, type ipconfig /renew and then press Enter.

    There will be a pause while Windows 2000 attempts to locate a DHCP server on the network.

    What message appears, and what does it indicate?

    DHCP Server Unreachable.

    Your computer was not assigned an address from a DHCP server because there wasn't one available.

  1. Pressing Spacebar as necessary, record the current TCP/IP settings for your local area connection in the following table.
    Setting Value
    IP address Answer will vary.
    Subnet mask Answer will vary.
    Default gateway Answer will vary.

    Is this the same IP address that was assigned to your computer in Exercise 3? Why or why not?

    No, the IP address isn't the same as the one assigned in Exercise 3. In this exercise, the Automatic Private IP Addressing feature of Windows 2000 assigned the IP address because a DHCP server wasn't available. In Exercise 3, the DHCP Service assigned an IP address.

  1. If you have a computer to test TCP/IP connectivity with your computer, type ping ip_address (where ip_address is the IP address of the computer that you are using to test connectivity), and then press Enter. If you don't have a computer to test connectivity, skip this step and proceed to Exercise 5.

    Were you successful? Why or why not?

    Answers will vary. If you don't have a computer that you can use to test your computer's connectivity, you can't do this exercise.

    • No, because the computer you are using to test your computer's connectivity is configured with a static IP address in another network and no default gateway is configured on your computer.
    • Yes, because the computer you are using to test your computer's connectivity is also configured with an IP address assigned by Automatic Private IP Addressing. Further, it is on the same subnet so a default gateway is unnecessary.

Review

  1. Your computer running Windows 2000 Client for Microsoft Networks was configured manually for TCP/IP. You can connect to any host on your own subnet, but you can't connect to or even ping any host on a remote subnet. What is the likely cause of the problem and how would you fix it?

    The default gateway is probably missing or incorrect. You specify it in the Internet Protocol (TCP/IP) Properties dialog box (under Network And Dial-Up Connections in My Network Places). Other possibilities are that the default gateway is offline, or that the subnet mask is incorrect, so that the host treats remote addresses as local and never sends them to the gateway.
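The situations in this question and in Exercise 4 above (APIPA hosts reaching each other without a gateway, a static host on another network being unreachable, a missing or wrong gateway, a wrong subnet mask) all come down to one decision the TCP/IP stack makes per packet. The following Python model is an added example, not code from the training kit or from Windows; it uses the standard ipaddress module, and the host names, addresses and segment labels are constructed for it.

```python
"""Added example (not from the training kit): a small routing model, built on
Python's ipaddress module, of why a Windows 2000 host can reach its own subnet but
not a remote one. It encodes the rules the chapter relies on:
  * a destination with (address AND mask) equal to the host's own is local and is
    delivered directly on the wire; no default gateway is involved,
  * every other destination is handed to the default gateway; with no gateway, or a
    gateway that is not itself on the local subnet, there is no route,
  * a wrong subnet mask makes the host treat remote addresses as local, so it never
    uses the gateway and the ping fails,
  * APIPA addresses are taken from 169.254.0.0/16 with mask 255.255.0.0, so two
    APIPA hosts on one segment reach each other with no gateway at all.
Host names, addresses and segment labels are constructed for the example.
"""
import ipaddress

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


class Host:
    def __init__(self, name, address, mask, gateway=None, segment="lan"):
        self.name = name
        self.iface = ipaddress.ip_interface(f"{address}/{mask}")
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.segment = segment  # label for the physical wire the NIC is attached to

    @property
    def ip(self):
        return self.iface.ip

    def is_apipa(self):
        return self.ip in APIPA_NET

    def is_local(self, dest):
        """True when (dest AND mask) == (own address AND mask)."""
        return ipaddress.ip_address(dest) in self.iface.network

    def next_hop(self, dest):
        """Address the frame is sent to, or None when the host has no route."""
        dest = ipaddress.ip_address(dest)
        if self.is_local(dest):
            return dest
        if self.gateway is None or not self.is_local(self.gateway):
            return None
        return self.gateway


def one_way(src, dst):
    """Can a packet from src reach dst? Direct delivery needs a shared segment; a
    packet handed to a reachable gateway is assumed to be forwarded (routers are
    not modelled)."""
    hop = src.next_hop(dst.ip)
    if hop is None:
        return False
    if hop == dst.ip:
        return src.segment == dst.segment
    return True


def can_ping(src, dst):
    """The echo request needs a route out and the echo reply needs a route back."""
    return one_way(src, dst) and one_way(dst, src)


def diagnose(src, dst):
    """Reason for the result, in the order a technician would check."""
    if can_ping(src, dst):
        return "ok: " + ("delivered locally" if src.is_local(dst.ip) else f"via gateway {src.gateway}")
    if src.is_local(dst.ip) and src.segment != dst.segment:
        return "subnet mask is wrong: destination looks local but is on another segment"
    if src.gateway is None:
        return "no default gateway configured"
    if not src.is_local(src.gateway):
        return "default gateway is not on the local subnet (gateway address or mask is wrong)"
    return "no route back: check the remote host's default gateway"


if __name__ == "__main__":
    # Exercise 4: two APIPA hosts on one segment, no DHCP, no gateway.
    a = Host("apipa-a", "169.254.10.20", "255.255.0.0", segment="lab")
    b = Host("apipa-b", "169.254.200.1", "255.255.0.0", segment="lab")
    static = Host("static", "192.168.1.10", "255.255.255.0", gateway="192.168.1.1", segment="lab")
    print("APIPA to APIPA:", diagnose(a, b))
    print("APIPA to static host:", diagnose(a, static))
    # Review question 1: local subnet works, remote subnet does not.
    remote = Host("remote", "10.1.2.5", "255.255.255.0", gateway="10.1.2.1", segment="B")
    for gw, mask in [(None, "255.255.255.0"), ("10.1.1.1", "255.0.0.0"),
                     ("10.1.5.1", "255.255.255.0"), ("10.1.1.1", "255.255.255.0")]:
        ws = Host("ws", "10.1.1.5", mask, gateway=gw, segment="A")
        print(f"gateway={gw} mask={mask}:", diagnose(ws, remote))
```

The four workstation variants reproduce the answer above in order: no gateway, a mask of 255.0.0.0 that hides the remote subnet, a gateway address outside the local subnet, and finally the working configuration.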

  2. While you're using the Network Connection wizard, you must configure two new settings regarding sharing the connection. Describe the difference between these two settings.

    The settings are whether you want to allow others that use the computer to use the connection (access to the connection) and whether you want to allow other computers to access resources through this port (sharing the connection once it is established).

  3. What is callback and when might you want to enable it?

    The callback feature causes the remote access server to hang up and call the client back at a preset number. It lets you have the telephone charges billed to the server's number rather than to the caller's, and it can improve security when the administrator fixes the callback number for the account (Always Callback To): even if an unauthorized person calls in with the user's credentials, the server calls back the number you specified, not the intruder's. The Set By Caller option gives no such protection, because the caller chooses where the server calls back.

Chapter 6

  1. Restart the computer.

    What error do you receive when attempting to restart the computer?

    NTLDR is missing. Press Ctrl+Alt+Del to restart.

Review

  1. What benefits do you gain by Microsoft digitally signing all system files?

    Windows 2000 drivers and operating system files are digitally signed by Microsoft so that you can verify that a file is the one Microsoft shipped and has not been tampered with or replaced. Some applications overwrite operating system files as part of their installation, and the replaced files can cause system errors that are hard to troubleshoot. The Driver tab in Device Manager shows the digital signer of an installed driver, so you can see at a glance whether an original, signed driver has been replaced; this can save many hours of chasing a problem caused by a substituted file. The signature only lets you detect the replacement; it does not stop an installer from overwriting the file.

  2. What are three tools/utilities Microsoft has provided to help you make sure the files on your system have the correct digital signature?

    Windows 2000 provides Device Manager, which allows you to verify that the digital signer of the installed driver is correct. Windows 2000 also provides two utilities to verify the digital signatures. The first utility is the File Signature Verification utility (sigverif). Windows 2000 also provides System File Checker (SFC), a command-line utility that you can use to check the digital signature of files.

  3. You need to schedule a maintenance utility to automatically run once a week on your computer, which is running Windows 2000 Professional. How do you accomplish this?

    Use Task Scheduler to schedule the necessary maintenance utilities to run at specific times.

  4. You need to create a custom console for an administrator who needs to use only the Computer Management and Active Directory Manager snap-ins. The administrator
    1. Must not be able to add any additional snap-ins.
    2. Needs full access to all snap-ins.
    3. Must be able to navigate between snap-ins.

    Which console mode would you use to configure the custom console?

    User mode, Full Access.

  5. A user calls the help desk in a panic. She spent 15 hours editing a proposal as an offline file at her house. Over the weekend, her boss came into the office and spent about 4 hours editing the same proposal. She needs to synchronize the files, but she doesn't want to lose her edits or those made by her boss. What can she do?

    If both her cached offline copy of the file and the network copy of the file are edited, she should rename her version of the file so that both copies will exist on her hard disk and on the network. She can then compare the two and edit her version, adding any edits made by her boss.

  6. You install a new device driver for a SCSI adapter in your computer. When you restart the computer, however, Windows 2000 stops responding after the kernel load phase. How can you get Windows 2000 to restart successfully?

    Select the Last Known Good Configuration option to use the LastKnownGood configuration control to start Windows 2000 because it doesn't contain any reference to the new, and possibly faulty, driver.

Chapter 7

  1. Use the Group Policy snap-in to configure the following Account Policies settings:
    • A user should have at least five different passwords before he or she accesses a previously used password.
    • After changing a password, a user must wait 24 hours before he or she can change it again.
    • A user should change his or her password every three weeks.

    Which settings did you use for each of the three listed items?

    Set Enforce Password History to 5 so that a user must have at least five different passwords before he or she can access a previously used password.

    Set Minimum Password Age to one day so that a user must wait 24 hours before he or she can change it again.

    Set Maximum Password Age to 21 days so that a user must change his/her password every three weeks.

  2. Change your password to waters.

    Were you successful? Why or why not?

    You were successful because the minimum password length is set to 6, and the password waters contains six characters.

  3. Change your password to papers.

    Were you successful? Why or why not?

    You weren't successful because you must wait 24 hours (one day) before you can change your password a second time. A Change Password dialog box appeared indicating that you can't change the password at this time.

  1. Use Account Lockout Policy settings to do the following:
    • Lock out a user account after four failed logon attempts.
    • Lock out user accounts until the administrator unlocks the user account.

    Which Account Lockout Policy settings did you use for each of the two conditions?

    Set Account Lockout Threshold to 4 to lock out a user account after four failed logon attempts. When you set one of the three Account Lockout Policy options and the other two options have not been set, a dialog box appears indicating that the other two options will be set to default values.

    Set Account Lockout Duration to 0 to have locked accounts remain locked until the administrator unlocks them.
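The three exercises above can be replayed as a small model of the policy settings they use. This is an added example, not code from the training kit: the class and function names are my own, the timestamps are constructed, and the history rule follows the wording of the answer (five different passwords before an old one may return), with Account Lockout Duration 0 modelled as a lock that only an administrator clears.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccountPolicy:
    """The Account Policies values set in the exercises above."""
    password_history: int = 5                        # Enforce Password History
    min_password_age: timedelta = timedelta(days=1)  # Minimum Password Age
    min_password_length: int = 6                     # Minimum Password Length
    lockout_threshold: int = 4                       # Account Lockout Threshold
    lockout_duration: Optional[timedelta] = None     # None models Duration = 0

@dataclass
class Account:
    name: str
    password: str
    last_set: datetime
    history: List[str] = field(default_factory=list)  # older passwords, newest first
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None

class PolicyError(Exception):
    """Raised when a password change violates one of the policy settings."""

def change_password(acct, new_pw, policy, now):
    """Apply Minimum Password Length, Minimum Password Age and Enforce Password History."""
    if len(new_pw) < policy.min_password_length:
        raise PolicyError("shorter than Minimum Password Length")
    if now - acct.last_set < policy.min_password_age:
        raise PolicyError("Minimum Password Age not yet reached")
    # Current password plus the remembered older ones, limited to the history
    # depth: a password may return only after that many others have been used.
    remembered = ([acct.password] + acct.history)[:policy.password_history]
    if new_pw in remembered:
        raise PolicyError("rejected by Enforce Password History")
    acct.history = remembered
    acct.password = new_pw
    acct.last_set = now

def logon(acct, attempt, policy, now):
    """Return True on success; count failures and lock at the threshold."""
    if acct.locked_at is not None:
        if (policy.lockout_duration is None
                or now - acct.locked_at < policy.lockout_duration):
            return False  # Duration 0: only admin_unlock() clears the lock
        acct.locked_at, acct.failed_attempts = None, 0
    if attempt == acct.password:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.lockout_threshold:
        acct.locked_at = now
    return False

def admin_unlock(acct):
    acct.locked_at, acct.failed_attempts = None, 0

def run_exercise():
    """Replay the exercises above and return the observed outcomes."""
    policy = AccountPolicy()
    t0 = datetime(2000, 2, 17, 9, 0)                 # constructed timestamp
    acct = Account("user1", "initial1", t0 - timedelta(days=2))
    out = {}
    change_password(acct, "waters", policy, t0)      # six characters: accepted
    out["waters"] = acct.password
    try:                                             # second change, one hour later
        change_password(acct, "papers", policy, t0 + timedelta(hours=1))
        out["papers"] = "accepted"
    except PolicyError as err:
        out["papers"] = str(err)
    attempts = 0
    while acct.locked_at is None:                    # wrong password until locked
        logon(acct, "wrong", policy, t0)
        attempts += 1
    out["locked_after"] = attempts
    later = t0 + timedelta(days=30)
    out["correct_while_locked"] = logon(acct, "waters", policy, later)
    admin_unlock(acct)
    out["after_admin_unlock"] = logon(acct, "waters", policy, later)
    # Enforce Password History: one change per day, then try to reuse "waters".
    for day, pw in enumerate(["papers", "third1", "fourth", "fifth1"], start=1):
        change_password(acct, pw, policy, t0 + timedelta(days=day))
    try:
        change_password(acct, "waters", policy, t0 + timedelta(days=5))
        out["reuse_after_four"] = "accepted"
    except PolicyError as err:
        out["reuse_after_four"] = str(err)
    change_password(acct, "sixth1", policy, t0 + timedelta(days=5))
    change_password(acct, "waters", policy, t0 + timedelta(days=6))
    out["reuse_after_five"] = acct.password
    return out

if __name__ == "__main__":
    for key, value in run_exercise().items():
        print(f"{key}: {value}")
```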

  1. Start Windows Explorer and open the file File1.txt in the Secret folder.

    What happens?

    A Notepad dialog box appears indicating that Access Is Denied.

Review

  1. Why should you use groups?

    Use groups to simplify administration by granting rights and assigning permissions once to the group rather than multiple times to each individual member.

  2. How do you create a local group?

    Start the Computer Management snap-in and expand Local Users And Groups. Right-click Groups, and then click New Group. Fill in the appropriate fields and then click Create.

  3. Are there any consequences to deleting a group?

    When you delete a group, the unique identifier that the system uses to represent the group is lost. Even if you create a second group with the same name, the group will not have the same identifier, so you must grant the group any permissions or rights that it once had, and you must reassign membership to users who need to be a member of that group.

  4. What's the difference between built-in local groups and local groups?

    You create local groups and assign the appropriate permissions to them. You can customize local groups to meet your specific needs.

    Windows 2000 Professional comes with precreated built-in local groups. You can't create built-in local groups. Built-in local groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.

  5. What two tasks must you perform to audit access to a file?

    Set the audit policy for object access and configure the file for the type of access to audit.

  6. Who can set up auditing for a computer?

    By default, only members of the Administrators group can set up and administer auditing. You can also give other users the Manage Auditing And Security Log user right, which is required to configure an audit policy and review audit logs.

  7. Why would you want to force users to change passwords?

    Forcing users to change passwords regularly decreases the chances of an unauthorized person breaking into your computer. If a user account and password combination for your computer falls into unauthorized hands, forcing users to change their passwords regularly makes it more likely that the user account and password combination will fail, providing more security to the computer.

  8. Why would you want to control the length of the passwords used on your computers?

    Longer passwords are more difficult to figure out because there are more characters to discover. In general, you want to do what you can to make it difficult to get unauthorized access to your computers.

  9. Why would you want to lock out a user account?

    If a user forgets his or her password, he or she can ask the administrator to reset the password. If someone repeatedly enters an incorrect password, the person is probably trying to gain unauthorized access to your computer. Setting a limit on the number of failed logon attempts and locking out any user account that exceeds this number makes it more difficult for someone to gain unauthorized access to your computers.

  10. Why would you want to force users to press Ctrl+Alt+Del before they can log on to your computers?

    To increase security on your computers, you can force users to press Ctrl+Alt+Del before they can log on. This key combination is recognized only by Windows and ensures that only Windows is receiving the password and not a Trojan horse program waiting to capture your password.

  11. How do you prevent the last user name from being displayed in the Windows Security or Log On To Windows dialog box?

    To prevent the last user name from being displayed in the Windows Security or Log On To Windows dialog box, click the Local Policies node in the console tree of the Local Security Settings window, and then click Security Options. In the details pane, right-click Do Not Display Last User Name In Logon Screen, click Security, and then enable this feature.

Chapter 8

  1. What folder appears directly under the win2000dist folder that does not appear in the i386 folder?

    $OEM$

  1. What is the purpose of the UDF file?

    The UDF file allows each automated setup to be customized with the unique settings contained in the file. To start an unattended setup, the UniqueID contained in the UDF file is specified on the command line. During setup the unique data in the UDF file is merged into the answer file.

Review

  1. If you are installing Microsoft Windows NT in a dual-boot configuration on the same computer, which file system should you choose? Why?

    The best choice is FAT. Although both Windows 2000 and Windows NT support NTFS, Windows 2000 supports advanced features provided by NTFS 5.0. For example, file encryption is supported in NTFS 5.0, but previous versions of NTFS did not support file encryption. Therefore, when Windows NT is running on a dual-boot computer, it will not be able to read encrypted files created in Windows 2000.

  2. Which licensing mode should you select if users in your organization require frequent access to multiple servers? Why?

    Per Seat licensing is the best choice for this environment. A Per Seat license is more expensive per client computer than Per Server licensing but becomes much less expensive when many client computers access several servers. If Per Server licensing is used in this environment, each server must be individually licensed for client computer access.

  3. You are installing Windows 2000 Server on a computer that will be a member server in an existing Windows 2000 domain. You want to add the computer to the domain during installation. What information do you need, and what computers must be available on the network, before you run the Setup program?

    You need the DNS domain name of the domain that you are joining. You must also make sure that a computer account for the member server exists in the domain or you must have the user name and password of a user account in the domain with the authority to create computer accounts in the domain. A server running the DNS service and a domain controller in the domain you are joining must be available on the network. If dynamic IP addressing is configured during setup, a server supporting DHCP must be available to assign an address to the computer.

  4. You are using a CD-ROM to install Windows 2000 Server on a computer that was previously running another operating system. There is not enough space on the hard disk to run both operating systems, so you have decided to repartition the hard disk and install a clean copy of Windows 2000 Server. Name two methods for repartitioning the hard disk.
    1. Use a disk partitioning tool like MS-DOS fdisk to remove any existing partitions, and then create and format a new partition for the Windows 2000 installation.
    2. Start the computer by booting from the Windows 2000 Server Setup disk. During the Text-mode portion of installation, you can delete the partition and then create and format a new one. Continue the installation of Windows 2000 Server to the new partition.

  5. You are installing Windows 2000 over the network. Before you install to a client computer, what must you do?

    Locate the path to the shared installation files on the distribution server. Create a 671-MB FAT partition on the target computer (2 GB recommended). Create a client disk with a network client so that you can connect from the computer, without an operating system, to the distribution server.

  6. A client is running Windows NT 3.5 Server and is interested in upgrading to Windows 2000. From the list of choices, choose all possible upgrade paths:
    a. Upgrade to Windows NT 3.51 Workstation and then to Windows 2000 Server.
    b. Upgrade to Windows NT 4.0 Server and then to Windows 2000 Server.
    c. Upgrade directly to Windows 2000 Server.
    d. Run Convert.exe to modify any NTFS partitions for file system compatibility with Windows 2000, and then upgrade to Windows 2000 Server.
    e. Upgrade to Windows NT 3.51 Server and then to Windows 2000 Server.

    b and e

    Answer a is wrong because Windows NT Workstation (3.5x or 4.0) cannot be upgraded to Windows 2000 Server.

    Answer c is wrong because Windows NT 3.5 cannot be directly upgraded to Windows 2000 Server.

    Answer d is wrong because the Windows 2000 Setup process automatically upgrades NTFS to NTFS version 5.0.

  7. In your current network environment, user disk space utilization has been a major issue. Describe three services in Windows 2000 Server to help you manage this issue.

    Answer 1: Disk quotas in NTFS version 5.0 allow you to control per-user disk space usage by disk.

    Answer 2: Disk compression allows you to compress data at the disk, directory, or file level. Disk compression does not affect a user's allocated quota. Quotas are calculated based on the uncompressed file size.

    Answer 3: Remote Storage Services provides an extension to disk space by making removable media accessible for file storage. Infrequently used data is automatically archived to removable media. Archived data is still easily accessible to the user; however, data retrieval is slower than with unarchived data.

  8. What is the purpose of using the /tempdrive: or /t: installation switches with Winnt32.exe or Winnt.exe, respectively?

    The Winnt32.exe /tempdrive: switch and the Winnt.exe /t: switch copy the Windows 2000 Server installation files to the drive specified with the switch. For example, Winnt32.exe /tempdrive:d copies all Windows 2000 installation files to the D: partition. Using this switch also tells Setup which partition should be the boot partition for the installation of Windows 2000 Server.

  9. You are asked to develop a strategy for rapidly installing Windows 2000 Server for one of your clients. You have assessed their environment and have determined that the following three sets of computers require Windows 2000 Server:
    • There are 30 unidentical computer configurations currently running Windows NT Server 4.0 that need to be upgraded to Windows 2000 Server.
    • There are 20 identical computers that need a new installation of Windows 2000 Server.
    • Remote sites will run a clean installation of Windows 2000 Server. You want to make sure that they install a standard image of Windows 2000 Server that is consistent with your local configuration of the operating system. You will provide them with hard disks that they will install in their servers.

    What are the steps for your installation strategy?

    For the 30 computers that need to be upgraded, build an answer file and a distribution share using Setup Manager. Further customize the answer file with a text editor. Use a product such as SMS to automate the distribution of operating system upgrades. If SMS is not available, run winnt32 with the /unattend switch and the other switches described in Lesson 1 that are designed to automate the installation process.

    For the 20 identical computers, set up one computer with the operating system and all applications that you need to replicate on all other computers. Copy sysprep.exe, sysprepcl.exe, and sysprep.inf (answer file format) into the $OEM$\$1\Sysprep folder. Make sure the [GuiRunOnce] section of the answer file calls sysprep.exe with the -quiet switch to continue the setup without any user interaction. Create an image with a third-party image utility, and copy this image to each of the 20 identical computers. Upon reboot, Mini-Setup will run using information in sysprep.inf to complete the setup.

    For the remote sites, use /Syspart to prepare the disks for the second half of the installation. Ship the disks to the remote sites and instruct the local administrators to install them in their servers as the bootable drive, usually by setting the SCSI ID to 0 or 7, depending on the SCSI hardware.

    You can also use the bootable CD-ROM method. If you use this method, include a floppy disk containing the winnt.sif file to automate Setup.

  10. What is the purpose of the $OEM$ folder and the subfolders created beneath it by Setup Manager?

    The $oem$ folder contains the optional cmdlines.txt file and subfolders for original equipment manufacturer (OEM) files and other files needed to complete or customize automated installation. Folders below $oem$ hold all files that are not part of a standard installation of Windows 2000 Server. These folders map to specific partitions and directories on the computer running an unattended installation. The folders below $oem$ and their purposes are as follows:

    • $$: Copies files from this distribution folder location to $windir$ or $systemroot$. For a standard installation of Windows 2000 Server, these variables map to C:\Winnt. There are other folders below this one too, such as Help for OEM help files and System32 for files that must be copied to the System32 directory.
    • $1: Copies files from this distribution folder location to the root of the system drive. This location is equivalent to the %systemdrive% variable. In a typical installation of Windows 2000 Server, this variable maps to the C:\ root. The $1 folder contains a drivers folder for third-party driver installation.
    • Drive letter: Folders named after a specific drive letter map to the drive letter on the local computer. For example, if you need to copy files to the E: drive during setup, create an E folder and place files or folders in this folder.
    • Text mode: Contains any special HALs or mass storage device drivers required for installing and running Windows 2000 Server.

  11. How does Cmdlines.txt differ from [GuiRunOnce]?

    Cmdlines.txt runs commands before a user logs on, in the context of the system account. Any command or installation that can run without a user logon can be completed with Cmdlines.txt. [GuiRunOnce], a section in the answer file, runs in the context of a user account after the user logs on for the first time. It is the ideal place to run user-specific scripts, such as scripts that add printers or configure a user's e-mail settings.

  12. How does Syspart differ from Sysprep?

    Syspart is a switch of Winnt32.exe. This switch completes the Pre-Copy phase of Windows 2000 Server Setup. After it is complete, the disk used for the Pre-Copy phase can be installed in another computer. Upon booting from this disk, the Text-mode phase of setup continues. Syspart is ideal for dissimilar systems that require a faster setup procedure than is provided by running Windows 2000 Setup manually. Syspart can be further automated by calling an answer file as well as Syspart from the Winnt32 command line.

    Sysprep prepares a computer for imaging. After the operating system and applications are installed on a computer, Sysprep is run to prepare it for imaging. Next, an imaging utility is used to create an image of the prepared disk. The image is downloaded to identical or nearly identical computers, and Sysprep Mini-Setup continues to complete the installation. The Mini-Setup process can be further automated with a Sysprep.inf file.

Chapter 9

  1. What is the purpose of the default response rule?

    The default response rule enables negotiation with computers requesting IPSec. A default response rule is added to each new policy you create, but it is not automatically activated. A default response rule can be used for any computer that does not require security, but must be able to appropriately respond when another computer requests secured communications. It can also be used as a template for defining custom rules.

Review

  1. What is the purpose of a subnet mask?

    A mask is a portion of the IP address that enables IP to distinguish the network ID from the host ID.
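An added example, not code from the training kit, that applies the mask as the answer describes and then makes the forwarding decision that the default gateway question earlier in this appendix turns on: a destination with the same network ID is delivered locally, anything else goes to the default gateway, and a missing gateway or one outside the local subnet leaves the datagram undeliverable. All addresses are constructed; the function names are my own.

```python
import ipaddress  # Python standard library


def split_address(ip, mask):
    """Apply the mask: return (network ID, host ID) as dotted-decimal strings."""
    ip_bits = int(ipaddress.IPv4Address(ip))
    mask_bits = int(ipaddress.IPv4Address(mask))
    network_id = ipaddress.IPv4Address(ip_bits & mask_bits)
    host_id = ipaddress.IPv4Address(ip_bits & ~mask_bits & 0xFFFFFFFF)
    return str(network_id), str(host_id)


def next_hop(src_ip, mask, gateway, dst_ip):
    """Decide how IP forwards a datagram from src_ip to dst_ip.

    Returns 'local' when both addresses share a network ID, the gateway address
    when the datagram must leave the subnet, or 'unreachable' when the default
    gateway is missing or is not itself on the local subnet.
    """
    local_net = split_address(src_ip, mask)[0]
    if split_address(dst_ip, mask)[0] == local_net:
        return "local"
    if gateway is None:
        return "unreachable"          # default gateway missing
    if split_address(gateway, mask)[0] != local_net:
        return "unreachable"          # default gateway on another network: incorrect
    return gateway


if __name__ == "__main__":
    # Constructed addresses: a /24 subnet seen with a correct and an incorrect mask.
    print(split_address("10.0.1.20", "255.255.255.0"))                          # ('10.0.1.0', '0.0.0.20')
    print(next_hop("10.0.1.20", "255.255.255.0", "10.0.1.1", "10.0.1.30"))      # local
    print(next_hop("10.0.1.20", "255.255.255.0", "10.0.1.1", "198.200.200.1"))  # 10.0.1.1
    # A mask that is too short makes 10.0.2.5 look local, so the gateway is never used.
    print(next_hop("10.0.1.20", "255.0.0.0", "10.0.1.1", "10.0.2.5"))           # local
```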

  2. What is the minimum number of areas in an OSPF internetwork?

    An OSPF internetwork always has at least one area called the backbone, whether or not it is subdivided into areas.

  3. What is the NWLink Auto Detect feature?

    The Windows 2000 NWLink Auto Detect feature detects the frame type and network number that are configured on NetWare server(s) on the same network. NWLink Auto Detect is the recommended option for configuring both the network number and the frame type. If the Auto Detect feature selects an inappropriate frame type and network number for a particular adapter, you can manually reset an NWLink frame type or network number for that given adapter.

  4. By what standards group is IPSec defined?

    IPsec is defined by the Internet Engineering Task Force (IETF) IP Security working group.

  5. Define the difference between secret- and public-key cryptography.

    Secret key cryptography uses a single preshared key. Public key cryptography uses a key pair, one for encrypting data and verifying digital signatures and the second for decrypting data and creating digital signatures.

  6. What functionality does ISAKMP/Oakley provide?

    ISAKMP/Oakley establishes a secure channel between two computers for communication and establishes an SA.

  7. What are rules composed of?

    Rules are composed of IP filters, negotiation policies, authentication methods, IP tunneling attributes, and adapter types.

  8. What is an IP filter used for?

    IP filters are used to check datagrams for a match against each filter specification. This allows for filtering based on the source and destination address, DNS name, protocol, or protocol ports.

  9. How do System Monitor and Network Monitor allow you to monitor security on your network?

    System Monitor is used to monitor anything from hardware to software, and can also monitor security events such as Errors Access Permissions, Errors Granted Access, Errors Logon, and IIS Security. Network Monitor focuses exclusively on network activity to allow you to understand the traffic and behavior of your network components. If you install the full version available from Systems Management Server, you can capture and view every packet on the network.

  10. How is Event Viewer used to monitor security?

    Although you can use Event Viewer to gather information about hardware and software problems, it can also be used to monitor Windows 2000 security events such as valid and invalid logon attempts. The security log can also contain events related to resource use, such as creating, opening, or deleting files or other objects.

  11. How do you enable remote access logging in Windows 2000?

    You can enable event logging in the Event Logging tab on the properties of a remote access server in Routing and Remote Access.

Chapter 10

  1. Describe the differences between primary, secondary, and master name servers.

    A primary name server keeps its zone information in locally maintained zone files. A secondary name server must download the zone information from another server; it does not maintain a local file. A master name server is the source from which a secondary name server downloads the zone (the master can itself be a primary or a secondary name server).

  2. Describe the difference between a domain and a zone.

    A domain is a branch of the DNS name space. A zone is a portion of a domain. A zone exists as a separate file on the disk storing resource records.

  3. Describe the difference between recursive and iterative queries.

    In a recursive query, the client instructs the DNS server to respond with either the requested information or an error that the information was not found.

    In an iterative query, the DNS server responds with the best answer it has. If the information is not available, the typical answer is a referral to another name server that can help resolve the request.
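The two query types can be shown side by side with a small simulation. This is an added example, not code from the training kit: the three name servers, their referrals and the address 192.0.2.10 are constructed, and the function names are my own. An iterative query returns whatever the asked server has (an answer, a referral, or an error); a recursive query makes the server follow the referrals itself and hand the client only the final result.

```python
# Constructed zone data for three name servers: a root server, the server for
# the com domain, and the server authoritative for example.com.
SERVERS = {
    "root":       {"referrals": {"com": "com-ns"},             "records": {}},
    "com-ns":     {"referrals": {"example.com": "example-ns"}, "records": {}},
    "example-ns": {"referrals": {},
                   "records": {"www.example.com": "192.0.2.10"}},
}


def iterative_query(server, name):
    """One iterative query: the server returns the best answer it has, which is
    the record, a referral to a server closer to the name, or an error."""
    zone_data = SERVERS[server]
    if name in zone_data["records"]:
        return ("answer", zone_data["records"][name])
    labels = name.split(".")
    for i in range(len(labels)):            # longest matching suffix first
        suffix = ".".join(labels[i:])
        if suffix in zone_data["referrals"]:
            return ("referral", zone_data["referrals"][suffix])
    return ("error", "name not found")


def recursive_query(name, start="root", max_hops=8):
    """What a DNS server does when a client sends it a recursive query: it walks
    the referrals itself and returns only the final answer or an error.
    The trail of iterative queries it made is returned too, for inspection."""
    server, trail = start, []
    for _ in range(max_hops):
        kind, value = iterative_query(server, name)
        trail.append((server, kind, value))
        if kind == "answer":
            return ("answer", value, trail)
        if kind == "error":
            return ("error", value, trail)
        server = value                       # follow the referral
    return ("error", "referral loop", trail)


if __name__ == "__main__":
    print(iterative_query("root", "www.example.com"))   # ('referral', 'com-ns')
    kind, value, trail = recursive_query("www.example.com")
    print(kind, value)                                   # answer 192.0.2.10
    for hop in trail:
        print("  ", hop)
```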

  4. List the files required for a Windows 2000 DNS implementation.

    Database file, cache file, and reverse lookup file.

  5. Describe the purpose of the boot file.

    The boot file is used in the Berkeley Internet Name Domain (BIND) implementation to start up and configure the DNS server.

  6. How many zones can a single DNS server host?

    A single DNS server can be configured to host zero, one, or multiple zones.

  7. What benefits do DNS clients obtain from the dynamic update feature of Windows 2000?

    Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

  8. Name one benefit and one disadvantage of a caching-only server.

    The benefit provided by caching-only servers is that they do not generate zone transfer network traffic because they do not contain any zones. A disadvantage of a caching-only server is that when the server is initially started, it has no cached information and must build up this information over time as it services requests.

  9. List and describe three DNS performance counters.
    • Dynamic update and secure dynamic update counters are used to measure registration and update activity generated by dynamic clients
    • Memory usage counters are used to measure system memory usage and memory allocation patterns created by operating the server computer as a Windows 2000 DNS server
    • Recursive lookup counters are used to measure queries and responses when the DNS Server service uses recursion to look up and fully resolve DNS names on behalf of requesting clients

Chapter 11

  1. What is DHCP?

    Dynamic Host Configuration Protocol is a TCP/IP service protocol that simplifies the administrative management of IP address configuration by automating address configuration for network clients.

  2. Describe the integration of DHCP with DNS.

    A DHCP server can enable dynamic updates in the DNS name space for any DHCP clients that support these updates. Scope clients can then use DNS with dynamic updates to update their computer name-to-IP address mapping information whenever changes occur to their DHCP-assigned address.

  3. What is a DHCP client?

    The term client is used to describe a networked computer that requests and uses the DHCP services offered by a DHCP server.

  4. What is IP autoconfiguration in Windows 2000?

    IP Autoconfiguration is the ability of Windows 2000-based clients to automatically configure an IP address and subnet mask if a DHCP server is unavailable at system start time.

  5. Why is it important to plan an implementation of DHCP for a network?

    Many networks use WINS or DNS (or possibly both) for registering dynamic name-to-address mappings. To provide name resolution services, you must plan for interoperability of DHCP with these services. Most network administrators implementing DHCP also plan a strategy for implementing DNS and WINS servers.

  6. What tool do you use to manage DHCP servers in Windows 2000?

    The primary tool that you use to manage DHCP servers is DHCP Manager, which is a Microsoft Management Console (MMC) component that is added to the Administrative Tools menu when you install the DHCP service.

  7. What is the source of most DHCP-related problems?

    Most DHCP-related problems are identified as a client IP configuration failure. These failures are most often discovered by clients in one of the following ways:

    • The client might be configured to use an IP address not provided by the server.
    • The server sends a negative response back to the client, and the client displays an error message or popup indicating that a DHCP server could not be found.
    • The server leases the client an address, but the client appears to have other network configuration-based problems, such as the inability to register or resolve DNS or NetBIOS names, or to perceive other computers beyond its subnet.

Chapter 12

  1. What is a VPN?

    A VPN is a simulated point-to-point connection using encapsulation. This connection can span any underlying network, including the Internet. Security or some form of encryption is usually required to get the "private" part of the definition.

  2. Demand-dial filters can screen traffic based on what fields of a packet?

    Source and destination IP address, IP protocol identifier, source and destination ports, ICMP type, and ICMP code.

  3. Is the following statement true or false? When setting dial-in user permissions (Allow Access, Deny Access) through the User Property page, RAPs are not used.

    False. In the user interface it appears that RAP is not used. In actuality, the dial-in user settings work in conjunction with RAP.

  4. Is the following statement true or false? DHCP packets are never sent over Routing and Remote Access links.

    False. Routing and Remote Access clients do not use DHCP to get an address, but may use DHCPINFORM packets to get other configuration options. The DHCP relay agent must be installed and using the "internal" interface for this to work.

  5. What is the function of BAP?

    To bring up or drop modem or ISDN links as needed for bandwidth on demand.

  6. What are some potential security risks you should identify in your security plan?

    It could be possible for competitors to gain access to proprietary product information, or unauthorized users could attempt to maliciously modify Web pages or overload computers so that they are unusable.

  7. What is authentication and how can you implement it?

    Authentication is the process of identifying users who attempt to connect to a network. When users are authenticated on your network, they can utilize network resources based on their access permissions. To provide authentication to network users, you establish user accounts.

  8. What are some security features of Windows 2000?
    • Security templates
    • Kerberos authentication
    • Public key infrastructure (PKI)
    • IPSec management
    • NT file system encryption

  9. How can you secure a connection between your network and the Internet?

    To secure your organization's network for access to and from the Internet, you can put a firewall between the two networks. The firewall provides connectivity for network users to the Internet while minimizing the risks that connectivity introduces. It also prevents access to computers on your network from the Internet, except for those computers authorized to have such access.

  10. What are some remote access protocols you can implement for security?
    • Challenge Handshake Authentication Protocol (CHAP)
    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    • Password Authentication Protocol (PAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Extensible Authentication Protocol (EAP)

  11. Name two forms of encryption available for demand-dial connections.

    Microsoft Point-to-Point Encryption (MPPE) and Internet Protocol Security (IPSec).

Chapter 13

Review

  1. What are three benefits of WINS?
    • Automatic name registration and resolution of NetBIOS names
    • Provides internetwork and interdomain browsing
    • Eliminates the need for a local LMHOSTS file

  2. What two methods can be used to enable WINS on a client computer?

    Manual and automatic with DHCP.

  3. How many WINS servers are required in an intranet of 12 subnets?

    Only one is required. It is recommended to have multiple servers for redundancy.

  4. What types of names are stored in the WINS database?

    NetBIOS unique and group names.

Chapter 14

Review

  1. What is the purpose of NAT?

    NAT allows computers on a small network, such as a home office, to share a single Internet connection.

  2. What are the components of NAT?

    The translation component is the router on which NAT is enabled. The addressing component provides IP address configuration information to the other computers on the home network. The name resolution component becomes the DNS server for the other computers on the home network. When name resolution requests are received by the NAT computer, it forwards the name resolution requests to the Internet-based DNS server for which it is configured and returns the responses to the home network computer.

  3. If a small business is using the 10.0.0.0 private network for its intranet and has been granted the public IP address of 198.200.200.1 by its ISP, to what public IP address does NAT map all private IP addresses being used on network 10.0.0.0?

    NAT maps (using static or dynamic mappings) all private IP addresses being used on network 10.0.0.0 to the public IP address of 198.200.200.1.

  4. What must you do to allow Internet users to access resources on your private network?

    You must configure a static IP address configuration on the resource server including IP address, subnet mask, default gateway, and DNS server. You should exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer. Next, you configure a special port, which is a static mapping of a public address and port number to a private address and port number.
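    The translation and addressing components described in questions 2 through 4, as an added example (not code from the training kit or from Windows 2000): a dynamic mapping is created by outbound traffic, a special port is a static mapping of a public port to a private address and port, and inbound traffic with no mapping is dropped. The resource server 10.0.0.5 and the Internet hosts in the 203.0.113.0 documentation range are constructed values.

```python
"""NAT address/port translation table for the Chapter 14 scenario (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# Values from the question: the 10.0.0.0 private network and the ISP-granted public address.
PRIVATE_PREFIX = "10."
PUBLIC_IP = "198.200.200.1"


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    """Translation component (assumed model, not the Windows 2000 implementation).

    Dynamic mappings are created by outbound traffic. Special ports are static
    mappings of a public port to a private address and port, the only way an
    Internet-initiated connection reaches a private host.
    """

    def __init__(self, public_ip: str, special_ports: Optional[Dict[int, Endpoint]] = None):
        self.public_ip = public_ip
        self.special_ports: Dict[int, Endpoint] = dict(special_ports or {})
        self.private_to_public: Dict[Endpoint, int] = {}   # dynamic: private endpoint -> public port
        self.public_to_private: Dict[int, Endpoint] = {}   # reverse of the above
        self.next_port = 1025

    def _allocate_port(self) -> int:
        # Never hand out a port that a static special-port mapping already owns.
        while self.next_port in self.public_to_private or self.next_port in self.special_ports:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the private source to the single public address."""
        if not pkt.src[0].startswith(PRIVATE_PREFIX):
            raise ValueError(f"{pkt.src[0]} is not on the private network")
        port = self.private_to_public.get(pkt.src)
        if port is None:
            port = self._allocate_port()
            self.private_to_public[pkt.src] = port
            self.public_to_private[port] = pkt.src
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: translate back, or return None (dropped) when no mapping exists."""
        if pkt.dst[0] != self.public_ip:
            return None
        port = pkt.dst[1]
        private = self.public_to_private.get(port) or self.special_ports.get(port)
        if private is None:
            return None
        return Packet(src=pkt.src, dst=private)


class NatAddressing:
    """Addressing component: leases private addresses, skipping excluded ones
    (for example the statically configured resource server of question 4)."""

    def __init__(self, network: str = "10.0.0", first: int = 2, last: int = 254, excluded=()):
        self.pool = [f"{network}.{n}" for n in range(first, last + 1)]
        self.excluded = set(excluded)
        self.leased: Dict[str, str] = {}  # client id -> address

    def lease(self, client_id: str) -> str:
        if client_id in self.leased:
            return self.leased[client_id]
        for addr in self.pool:
            if addr not in self.excluded and addr not in self.leased.values():
                self.leased[client_id] = addr
                return addr
        raise RuntimeError("address pool exhausted")


# Constructed scenario: a web server on 10.0.0.5 is published through special port 80;
# 203.0.113.10 and 203.0.113.20 stand in for Internet hosts.
RESOURCE_SERVER: Endpoint = ("10.0.0.5", 80)
INTERNET_HOST: Endpoint = ("203.0.113.10", 80)


def demo():
    nat = NatRouter(PUBLIC_IP, special_ports={80: RESOURCE_SERVER})
    addressing = NatAddressing(excluded={RESOURCE_SERVER[0]})

    client_ip = addressing.lease("client-mac-1")                 # first free address, 10.0.0.2
    out = nat.outbound(Packet(src=(client_ip, 3000), dst=INTERNET_HOST))
    reply = nat.inbound(Packet(src=INTERNET_HOST, dst=out.src))  # translated back to the client
    published = nat.inbound(Packet(src=("203.0.113.20", 51000), dst=(PUBLIC_IP, 80)))
    dropped = nat.inbound(Packet(src=("203.0.113.20", 51001), dst=(PUBLIC_IP, 25)))
    return client_ip, out, reply, published, dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```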

Chapter 15

Review

  1. What are certificates, and what is their purpose?

    A certificate (digital certificate, public-key certificate) is a digital document that attests to the binding of a public key to an entity. The main purpose of a certificate is to generate confidence that the public key contained in the certificate actually belongs to the entity named in the certificate.

  2. What is a certificate authority (CA), and what does it do?

    Certificates are issued by a CA, which can be any trusted service or entity willing to vouch for the identities of those to whom it issues certificates, and the association of those identities with specific keys.

  3. What are the four types of Microsoft certificate authorities?

    Enterprise root CA, enterprise subordinate CA, standalone root CA, and standalone subordinate CA.

  4. Name one reason for a certificate revocation.
    • Compromise, or suspected compromise, of an entity's private key
    • Fraud in obtaining the certificate
    • Change in status
  5. What are the five PKI standard certificate stores?

    MY, CA, TRUST, ROOT, and UserDS.

Chapter 16

Review

  1. What is the Active Directory schema?

    The schema contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties.

  2. What is the purpose of an organizational unit (OU)?

    An OU is a container used to organize objects within a domain into logical administrative groups that mirror your organization's functional or business structure. An OU can contain objects such as user accounts, contacts, groups, computers, printers, applications, file shares, and other OUs from the same domain.

  3. What are sites and domains and how are they different?

    A site is a combination of one or more IP subnets that should be connected by a high-speed link. A domain is a logical grouping of servers and other network resources organized under a single name. A site is a component of Active Directory's physical structure, whereas a domain is a component of the logical structure.

  4. What is the difference between implicit two-way transitive trusts and explicit one-way nontransitive trusts?

    An implicit two-way transitive trust is a trust between domains that are part of the Windows 2000 scalable namespace, for example, between parent and child domains within a tree and between the top-level domains in a forest. These trust relationships make all objects in all the domains of the tree available to all other domains in the tree.

    An explicit one-way nontransitive trust is a relationship between domains that are not part of the same tree. One-way trusts support connections to existing pre-Windows 2000 domains to allow the configuration of trust relationships with domains in other trees.

  5. What are the functions of the Active Directory Domains and Trusts, the Active Directory Sites and Services, and the Active Directory Users and Computers consoles?

    The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.

  6. When and why would you use an extension?

    You would use an extension when specific snap-ins need additional functionality. Extensions are snap-ins that provide additional administrative functionality to another snap-in. A standalone snap-in provides one function or a related set of functions.

Chapter 17

  1. Ensure that the Sysvol folder location is systemroot\SYSVOL. (If you did not install Windows 2000 in the WINNT directory, the Sysvol location should default to a SYSVOL folder in the folder where you installed Windows 2000.)

    What is the one Sysvol location requirement?

    Sysvol must be located on a Windows 2000 partition that is formatted as NTFS 5.0.

    What is the function of Sysvol?

    Sysvol is a system volume hosted on all Windows 2000 domain controllers. It stores scripts and part of the group policy objects for both the current domain and the enterprise. systemroot\SYSVOL\SYSVOL stores domain public files.

  1. Double-click My Network Places.

    The My Network Places window appears.

    What selections do you see?

    Add Network Place and Entire Network.

  2. Double-click Entire Network, and then double-click Microsoft Windows Network.

    What do you see?

    Your domain set up in the previous exercise, microsoft.com. Answers may vary depending on your domain name.

  1. In the console tree, double-click microsoft.com (or the name of your domain).

    What selections are listed under microsoft.com?

    Builtin, Computers, Domain Controllers, and Users.

  1. Expand the microsoft.com domain (or the domain you set up).

    The OUs appear as folders with a directory book icon under the domain. Plain folders are specialized containers.

    What are the default OUs in your domain?

    Domain Controllers. The Builtin, Computers, and Users folders are container objects.

  1. Click on the Sites folder.

    What objects appear in the details pane?

    Default-First-Site-Name (the default site created by the Active Directory Installation Wizard), the Inter-Site Transports container, and the Subnets container.

  1. Open the Inter-Site Transports folder and click the IP folder.

    What object appears in the details pane?

    DEFAULTIPSITELINK, the default site link created by the Active Directory Installation Wizard.

Review

  1. What are some reasons for creating more than one domain?

    Some reasons for creating more than one domain are to allow for decentralized network administration, control replication, allow for different password requirements between organizations, manage massive numbers of objects, allow for different Internet domain names, allow for international requirements, and to meet internal political requirements.

  2. Your company has an external Internet namespace reserved with a DNS registration authority. As you plan the Active Directory implementation for your company, you decide to recommend extending the namespace for the internal network. What benefits does this option provide?

    Extending an existing namespace provides consistent tree names for internal and external resources, making it easier for users to locate, refer, and use resources. In addition, this plan allows your company to use the same logon and user account names for internal and external resources. Finally, you do not have to reserve an additional DNS namespace.

  3. In what two ways does your site configuration affect Windows 2000?

    Your site configuration affects workstation logon and authentication. When a user logs on, Windows 2000 will try to find a domain controller in the same site as the user's computer to service the user's logon request and subsequent requests for network information.

    Your site configuration also affects directory replication. You can configure the schedule and path for replication of a domain's directory differently for intersite replication, as opposed to replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.

  4. What is the shared system volume, what purpose does it serve, where is it located, and what is its name?

    The shared system volume is a folder structure that exists on all Windows 2000 domain controllers. It stores scripts and some of the group policy objects for both the current domain and the enterprise. The default location and name for the shared system volume is systemroot\SYSVOL. The shared system volume must be located on a partition or volume formatted with NTFS 5.0.

  5. What is the purpose of the operations master roles?

    Because some changes are impractical to perform in multimaster fashion, one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

  6. What administrative tool is used to create OUs?

    The Active Directory Users and Computers console is used to create OUs.

  7. What four tasks must be completed to configure a site?

    You must create a site, associate a subnet with the site, connect the site using site links, and select a licensing computer for the site.

  8. What two site configuration objects does the Active Directory Installation wizard create automatically?

    The Active Directory Installation Wizard automatically creates an object named Default-First-Site-Name in the Sites container and an object named DEFAULTIPSITELINK in the IP container.

  9. Which replication protocol uses RPCs for replication over site links (inter-site) and within a site (intra-site)?

    IP replication protocol.

  10. What three tasks must be completed to configure inter-site replication?

    Create site links, configure site link attributes (such as site link cost, replication frequency, and replication availability), and create site link bridges.

  11. What is the difference between replication frequency and replication availability?

    Replication frequency is the duration between replications on a site link. Replication availability is when a site link is available to replicate directory information.

  12. What is the function of a bridgehead server?

    A bridgehead server provides some ranking or criteria for choosing which domain controller should be preferred as the recipient for inter-site replication. The bridgehead server then distributes the directory information via inter-site replication.

Chapter 18

Review

  1. What are the advantages of using the Active Directory-integrated zone type?

    Multimaster update and enhanced security are based on the capabilities of Active Directory. Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to an Active Directory domain. By integrating storage of your DNS namespace in Active Directory, you simplify planning and administration for both DNS and Active Directory. Directory replication is faster and more efficient than with standard DNS replication.

  2. What is the purpose of the start of authority (SOA) resource record?

    The SOA resource record identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record. The SOA resource record also stores properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers authoritative for the zone.

  3. What must be done when you delegate zones within a namespace?

    When you delegate zones within a namespace, you must also create SOA resource records to point to the authoritative DNS server for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.

  4. Why is an incremental zone transfer (IXFR) query more efficient than a full zone transfer (AXFR) query?

    An IXFR query allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, either a primary or secondary copy of the zone maintained by another DNS server. An AXFR query provides a full transfer of the entire zone database.

Chapter 19

  1. In the console tree, right-click on the name of your domain, and then click Find.

    Windows 2000 displays the Find dialog box.

    In the Find dialog box, what object types can you select for a search?

    Users, Contacts, and Groups; Computers; Printers; Shared Folders; Organizational Units; Custom Search; and Remote Installation Clients (if Remote Installation Services [RIS] is installed).

  1. Ensure that Users, Contacts, And Groups is selected in the Find box, and then click Find Now. What do you see?

    The list of users and groups in the domain.

  1. In the following table, list the groups that have permissions for the Security1 OU. You will need to refer to these permissions in Lesson 5.

    Groups that Have Permissions for the Security1 OU

    User Account or Group               Assigned Permissions
    Account Operators                   Advanced permissions
    Administrators                      Inherits the Read, Write, and Create All Child Objects permissions and also has advanced permissions
    Authenticated Users                 Read
    Domain Admins                       Full Control
    Enterprise Admins                   Inherits Full Control
    Pre-Windows 2000 Compatible Access  Advanced permissions
    Print Operators                     Advanced permissions
    SYSTEM                              Full Control

    How can you tell if any of the default permissions are inherited from the domain, which is the parent object?

    The permissions that are assigned to Administrators are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.

  1. To view special permissions for Account Operators, in the Permission Entries box, click each entry for Account Operators, and then click View/Edit.

    The Permission Entry For Security1 dialog box appears.

    What object permissions are assigned to Account Operators? What can Account Operators do in this OU? (Hint: Check each permission entry for Account Operators in the Permission Entries box in the Access Control Settings For Security1 dialog box.)

    The permissions that are assigned to Account Operators are Create User Objects, Delete User Objects, Create Group Objects, Delete Group Objects, Create Computer Objects, and Delete Computer Objects. Account operators can only create and delete user accounts, groups, and computers.

    Do any objects within this OU inherit the permissions assigned to the Account Operators group? Why or why not?

    No. Objects within this OU do not inherit these permissions. The Apply To column in the Permission Entries list in the Access Control Settings For Security1 dialog box shows that permissions granted to Account Operators are applied to This Object Only.

  1. In the following table, list the groups that have permissions for the Secretary1 user account. You will need to refer to these permissions in Lesson 5. If the dialog box indicates that special permissions are present for a group, do not list the special permissions to which you can gain access through the Advanced button.

    Permissions for the Secretary1 User Account

    Group                               Assigned Permissions
    Account Operators                   Full Control
    Administrators                      Inherits all permissions, except the Full Control and Delete All Child Objects permissions, and also has advanced permissions
    Authenticated Users                 Read permission for General, Personal, Public, and Web Information
    Cert Publishers                     Advanced
    Domain Admins                       Full Control
    Enterprise Admins                   Inherits Full Control
    Everyone                            Change Password
    Pre-Windows 2000 Compatible Access  Inherits Read, Read Phone and Mail Options, Read General Information, Read Group Membership, Read Personal, Public, Remote Access, Logon, and Web Information, and Read Account Restrictions
    RAS and IAS Servers                 Read permission for Group Membership, Remote Access Information, Account Restrictions, and Logon Information
    SELF                                Read, Change Password, Receive As, Send As; Read permission for Phone and Mail Options, General Information, Group Membership, Personal Information, Public Information, Remote Access Information, Account Restrictions, Logon Information, and Web Information; Write permission for Phone and Mail Options, Personal Information, and Web Information
    SYSTEM                              Full Control

    Are the standard permissions for a user object the same as those for an OU object? Why or why not?

    No. Standard permissions for each type of object are different. The reason for the differences is that different object types are used for different tasks, and therefore the security needs for each object type differ.

    Are any of the standard permissions inherited from Security1, the parent object? How can you tell?

    Only the standard permissions that are assigned to Administrators, and Enterprise Admins are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.

    What do the permissions of the Account Operators group allow its members to do with the user object?

    Account Operators have Full Control. A member of the group can make any changes to a user object, including deleting it.

  1. Log on to your domain by using the User21 account.

    Did Windows 2000 require you to specify the OU in which your user account is located as part of the logon process? Why or why not?

    No. Windows 2000 automatically locates the user object in Active Directory, independent of its exact location.

  1. In the console tree, expand your domain, and then click Security1.

    What user objects are visible in the Security1 OU?

    The Secretary1 and Assistant1 user accounts, and also User20, User21, and User22.

    Which permissions allow you to see these objects? (Hint: Refer to your answers in Lesson 2.)

    The Assistant1 user account automatically belongs to the Authenticated Users built-in group, which has Read permission for the OU.

    For the user account with the logon name Secretary1, change the logon hours. Were you successful? Why or why not?

    No. The Assistant1 user account does not have Write permission for the Secretary1 object.

    For the Assistant1 user account, under which you are currently logged on, change the logon hours. Were you successful? Why or why not?

    No. The Assistant1 user account does not have Write permission for the Assistant1 object.

  1. Attempt to change the logon hours for the Assistant1 and Secretary1 user accounts in the Security1 OU.

    Were you successful? Why or why not?

    Yes. The Assistant1 user account has been assigned Full Control permission for all user objects in the OU. This includes the permission to change the logon hours.

  2. Attempt to change the logon hours for a user account in the Users container.

    Were you successful? Why or why not?

    No. The Assistant1 user account has not been assigned any permissions for the Users container.

Review

  1. How does the global catalog help users locate Active Directory objects?

    The global catalog contains a partial replica of the entire directory, so it stores information about every object in a domain tree or forest. Because the global catalog contains information about every object, a user can find information regardless of which domain in the tree or forest contains the data. Active Directory automatically generates the contents of the global catalog from the domains that make up the directory.

  2. You want to allow the manager of the Sales department to create, modify, and delete only user accounts for sales personnel. How can you accomplish this?

    Place all of the sales personnel user accounts in an OU, and then delegate control of the OU to the manager of the Sales department.

  3. What happens to the permissions of an object when you move it from one OU to another OU?

    Permissions assigned directly to the object remain the same. The object also inherits permissions from the new OU. Any permissions previously inherited from the old OU no longer affect the object.
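    The inheritance behaviour in this answer and in the Lesson 2 exercises (an entry whose Apply To is This Object Only is not inherited; inherited entries appear shaded; a moved object keeps its explicit entries and inherits from its new parent) modelled as an added example. This is not Windows 2000 code, and the OUs, trustees, and rights below are a constructed scenario loosely based on the Security1 and Secretary1 exercise objects.

```python
"""Effective permissions and inheritance for Active Directory objects (added example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Two of the "Apply To" values shown in the Access Control Settings dialog box.
THIS_OBJECT_ONLY = "This object only"
THIS_OBJECT_AND_CHILDREN = "This object and all child objects"


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: FrozenSet[str]
    apply_to: str = THIS_OBJECT_AND_CHILDREN
    inherited: bool = False      # an inherited entry is the shaded check box in the dialog box


@dataclass
class DirectoryObject:
    name: str
    explicit: List[Ace] = field(default_factory=list)   # entries assigned directly to the object
    parent: Optional["DirectoryObject"] = None


def effective_aces(obj: DirectoryObject) -> List[Ace]:
    """Explicit entries plus every inheritable entry from the parent chain."""
    aces = list(obj.explicit)
    if obj.parent is not None:
        for ace in effective_aces(obj.parent):
            if ace.apply_to == THIS_OBJECT_AND_CHILDREN:   # "This object only" stops here
                aces.append(Ace(ace.trustee, ace.rights, ace.apply_to, inherited=True))
    return aces


def rights_of(obj: DirectoryObject, trustee: str) -> FrozenSet[str]:
    rights = set()
    for ace in effective_aces(obj):
        if ace.trustee == trustee:
            rights |= ace.rights
    return frozenset(rights)


def inherited_trustees(obj: DirectoryObject) -> FrozenSet[str]:
    """Trustees whose entries would show shaded check boxes on this object."""
    return frozenset(ace.trustee for ace in effective_aces(obj) if ace.inherited)


def move_object(obj: DirectoryObject, new_parent: DirectoryObject) -> None:
    """Moving keeps the explicit entries; inherited ones are recomputed from the new parent."""
    obj.parent = new_parent


def build_scenario():
    """Constructed directory: domain -> Security1 OU -> Secretary1 user, plus a Sales OU."""
    domain = DirectoryObject("microsoft.com", [
        Ace("Administrators", frozenset({"Read", "Write", "Create All Child Objects"})),
    ])
    security1 = DirectoryObject("Security1", [
        # Account Operators may create and delete objects in the OU, but only here.
        Ace("Account Operators",
            frozenset({"Create User Objects", "Delete User Objects"}), THIS_OBJECT_ONLY),
        Ace("Authenticated Users", frozenset({"Read"})),
    ], parent=domain)
    sales = DirectoryObject("Sales", [
        Ace("Sales Manager", frozenset({"Full Control"})),
    ], parent=domain)
    secretary1 = DirectoryObject("Secretary1", [
        Ace("Account Operators", frozenset({"Full Control"})),
    ], parent=security1)
    return domain, security1, sales, secretary1


if __name__ == "__main__":
    _, _, sales, secretary1 = build_scenario()
    print("before move:", rights_of(secretary1, "Authenticated Users"))
    move_object(secretary1, sales)
    print("after move: ", rights_of(secretary1, "Sales Manager"))
```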

  4. The Delegation Of Control wizard allows you to set administrative control at what level?

    OU or container.

  5. When backing up Active Directory, what type of data must you specify to be backed up? What is included in this data type?

    You must indicate that you need to back up System State data. For Windows 2000 Server operating systems, the System State data comprises the registry, COM+ Class Registration database, system boot files, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.

  6. When you restart the computer in Directory Services Restore Mode, what logon must you use? Why?

    When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.

  7. If you experience problems with Active Directory, what item should you investigate first?

    You should examine the directory service event logs in Event Viewer.

  8. What is the difference between a performance object and a performance counter?

    A performance object is a logical collection of performance counters associated with a resource or service that can be monitored. A performance counter is a condition that applies to a performance object.

  9. What is the difference between a counter log and a trace log?

    Counter logs collect performance counter data for a specified interval. Trace logs record data collected by the operating system provider or one or more nonsystem providers when certain activities such as a disk I/O operation or a page fault occur. When counter logs are in use, the Performance Logs and Alerts service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event, as for trace logs.

  10. What actions can be triggered by an alert?

    Alerts can log an entry in the application event log, send a network message to a computer, start a performance data log, or run a program when the alert counter's value exceeds or falls below a specified setting.

  11. What does the Active Directory Replication Monitor support tool allow an administrator to do, and how is this tool accessed?

    The Active Directory Replication Monitor tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface. The Active Directory Replication Monitor is a graphical tool accessed on the Tools menu within Windows 2000 Support Tools.

  12. If you want to find out which files are open in a shared folder and the users who have a current connection to those files, what action should you take?

    Click Start, point to Programs, point to Administrative Tools, and then click Computer Management. In the console tree of Computer Management, expand System Tools, and then expand Shared Folders. In the console tree, click Open Files under Shared Folders.

  13. What four tasks must be completed to configure a site?

    Create a site, associate a subnet with the site, connect the site using site links, and select a licensing computer for the site.

  14. What two site configuration objects does the Active Directory Installation wizard create automatically?

    The Active Directory Installation wizard automatically creates an object named Default-First-Site-Name in the Sites container and an object named DEFAULTIPSITELINK in the IP container.

  15. Which replication protocol uses RPCs for replication over site links (inter-site) and within a site (intra-site)?

    IP replication protocol.

  16. What three tasks must be completed to configure inter-site replication?

    Create site links, configure site link attributes (such as site link cost, replication frequency, and replication availability), and create site link bridges.

Chapter 20

  1. In the console tree, click Start Menu & Task Bar.

    What appears in the details pane?

    The policies available for the Start Menu & Task Bar category appear in the details pane.

  1. Click Enabled, and then click OK.

    How can you tell at a glance that this setting is enabled?

    The setting is listed as enabled in the details pane.

  1. Press Ctrl+Alt+Delete.

    The Windows Security dialog box appears.

    Are you able to lock the workstation? Why?

    No, the Lock Computer option is not available. Assistant1 is unable to lock the workstation because the DispatchPolicy GPO was linked to the Security1 OU in Exercise 8.

  2. Click Cancel, and then click Start.

    Does the Search command appear on the Start menu?

    No.

    Does the Run command appear on the Start menu?

    No.

  1. Press Ctrl+Alt+Delete.

    Are you able to lock the workstation? Why?

    Yes, the Lock Computer option is available. Assistant1 is able to lock the computer because the Sales group was filtered from the DispatchPolicy GPO scope in Exercise 7.

Review

  1. In what order is Group Policy implemented through the Active Directory structure?

    Group Policy is implemented in the following order: site, domain, and then OU.

  2. Name the tasks for implementing Group Policy.

    The tasks for implementing Group Policy are creating a GPO; creating a snap-in for the GPO; delegating administrative control of the GPO; specifying Group Policy settings for the GPO; disabling unused Group Policy settings; indicating any GPO processing exceptions; filtering the scope of the GPO; and linking the GPO to a site, domain, or OU.

  3. What is the difference between Block Policy Inheritance and No Override?

    Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus Block Policy Inheritance deflects all Group Policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from. GPO links set to No Override are always applied and cannot be blocked using the Block Policy Inheritance option.

    Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override with respect to that site, domain, or OU so that none of its policy settings can be overwritten. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy (or higher in the hierarchy specified by the administrator at each fixed level in Active Directory) takes precedence. No Override is applied to the GPO link.
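    The precedence rules from questions 1 and 3 (site, then domain, then OU; Block Policy Inheritance on a container deflecting everything linked above it; No Override links applied regardless, with the highest one winning) as an added simulation. This is not Microsoft's code; the DispatchPolicy GPO and Security1 OU are taken from the Chapter 20 exercises, while the setting names and the Default Domain Policy values are constructed.

```python
"""Group Policy precedence with Block Policy Inheritance and No Override (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    """A GPO as linked to one site, domain, or OU; No Override is a property of the link."""
    name: str
    settings: Dict[str, str]
    no_override: bool = False


@dataclass
class Container:
    name: str
    kind: str                                            # "site", "domain" or "ou"
    links: List[GpoLink] = field(default_factory=list)   # in the order they are applied
    block_inheritance: bool = False


def resolve_policy(chain: List[Container]) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Return (effective settings, winning GPO per setting, application order).

    `chain` runs from the site through the domain to the target OU, i.e. in
    processing order; a GPO applied later overwrites a conflicting setting from
    one applied earlier. Simplified model of the rules given in the answer.
    """
    # Block Policy Inheritance deflects everything linked above the container that
    # carries it; the lowest such container decides where the cut-off lies.
    first_unblocked = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            first_unblocked = index

    normal: List[GpoLink] = []
    enforced: List[GpoLink] = []
    for index, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                enforced.append(link)            # cannot be blocked
            elif index >= first_unblocked:
                normal.append(link)

    # No Override links are applied after all normal ones and in reverse hierarchy
    # order, so the one highest in Active Directory is applied last and wins.
    order = normal + list(reversed(enforced))

    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            effective[setting] = value
            winner[setting] = gpo.name
    return effective, winner, [gpo.name for gpo in order]


def build_chain(block: bool, enforce_domain: bool) -> List[Container]:
    """Constructed scenario: DispatchPolicy linked to the Security1 OU under a domain policy."""
    domain_policy = GpoLink("Default Domain Policy",
                            {"MinPasswordLength": "8", "DisableLockWorkstation": "disabled"},
                            no_override=enforce_domain)
    dispatch = GpoLink("DispatchPolicy",
                       {"DisableLockWorkstation": "enabled", "RemoveRun": "enabled"})
    return [
        Container("Default-First-Site-Name", "site"),
        Container("microsoft.com", "domain", [domain_policy]),
        Container("Security1", "ou", [dispatch], block_inheritance=block),
    ]


if __name__ == "__main__":
    for block, enforce in [(False, False), (True, False), (True, True)]:
        effective, winner, order = resolve_policy(build_chain(block, enforce))
        print(f"block={block} no_override={enforce}: {order} -> {effective}")
```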

  4. What is the difference between assigning software and publishing software?

    You assign a software application when you want everyone to have the application on his or her computer. An application can be assigned to both computers and users.

    You publish a software application when you want the application to be available to people managed by the GPO, should the person want the application. With published applications it is up to each person to decide whether or not to install the published application. An application can only be published to users.

  5. What folders can be redirected?

    Application Data, Desktop, My Documents, My Pictures, and Start Menu.

  6. What is RIS? What types of remote booting are supported by RIS?

    Remote Installation Services (RIS) are software services that allow an administrator to set up new client computers remotely without having to visit each client. The target clients must support remote booting. There are two types of remote boot-enabled client computers: computers with Pre-Boot eXecution Environment (PXE) Dynamic Host Configuration Protocol (DHCP)-based remote boot ROMs and computers with network cards supported by the RIS Boot Disk.

  7. What does PXE remote boot technology provide?

    Pre-Boot eXecution Environment (PXE) is a new form of remote boot technology that has been created within the computing industry. PXE provides companies with the ability to use their existing TCP/IP network infrastructure with DHCP to discover RIS servers on the network. Net PC/PC98-compliant systems can take advantage of the remote boot technology included in the Windows 2000 OS. Net PC/PC98 refers to the annual guide for hardware developers co-authored by Microsoft with Intel, including contributions from Compaq and other industry hardware manufacturers. PC98 is intended to provide standards for hardware development that advance the PC platform and enable Microsoft to include advanced features, like RIS, in the Windows platform.

  8. What is the RIS boot disk?

    For computers that do not contain a PXE-based remote boot ROM, Windows 2000 provides the administrator with a tool to create a remote boot disk for use with RIS. The RIS remote boot disk can be used with a variety of PCI-based network adapter cards. Using the RIS boot disk eliminates the need to retrofit existing client computers with new network cards that contain a PXE-based remote boot ROM to take advantage of the Remote OS Installation feature. The RIS boot disk simulates the PXE remote boot sequence and supports frequently used network cards.

  9. What is an RIPrep image?

    The Remote Installation Preparation (RIPrep) image is a clone of a standard corporate desktop configuration, complete with operating system configurations, desktop customizations, and locally installed applications. After first installing and configuring the Windows 2000 Professional OS, its services, and any standard applications on a computer, the network administrator runs a wizard that prepares the installation image and replicates it to an available RIS server on the network for installation on other clients.

  10. What is the Client Installation wizard?

    Users of a remote boot-enabled client use the Client Installation wizard to select installation options, OSs, and maintenance and troubleshooting tools. The wizard prompts the user for his or her user name, password, and domain name. After the user's credentials have been validated, the wizard displays the installation options that are available for the user. After the user selects an option, the selected OS installation image is copied to the client computer's local hard disk.

Chapter 21

Record your decisions to audit successful events, failed events, or both for the actions listed in Table 21.7.

Answers may vary. Possible answers include the following:

Account logon events: Failed (for network access attempts)

Account management: Successful (for administrator actions)

Directory service access: Failed (for unauthorized access)

Logon events: Failed (for network access attempts)

Object access: Successful (for printer use) and Failed (for unauthorized access)

Policy change: Successful (for administrator actions)

Privilege use: Successful (for administrator actions and backup procedures)

Process tracking: Nothing (useful primarily for developers)

System events: Successful and Failed (for attempts to breach the server)

  1. In the Access Control Settings For Users dialog box, click the Auditing tab, and then double-click Everyone.

    The Auditing Entry For Users dialog box appears.

    Review the default audit settings for object access by members of the Everyone group. How do the audited types of access differ from the types of access that are not audited?

    All types of access that result in a change of the object are audited; types of access that do not result in a change of the object are not audited.

  2. Click OK three times to close the Auditing Entry For Users, the Access Control Settings For Users, and the Users Properties dialog boxes.

    On which computer or computers does Windows 2000 record log entries for Active Directory access? Will you be able to review them?

    Windows 2000 records audit events for Active Directory access on domain controllers, and the audit policy that governs them is applied through the Domain Controllers organizational unit (OU). Because you configured auditing in the policy for the domain controllers, you will be able to view the audit events for Active Directory access. If you had configured auditing for the Local Computer or in the Default Domain Policy, you would not be able to view audit events for Active Directory access, because the policy linked to the Domain Controllers OU overrides those settings on domain controllers.

  1. Double-click the Account Policies node, and then click the Password Policy security area.

    In the details pane, what is indicated in the Policy column? In the Database Setting column? In the Computer Setting column?

    The Policy column indicates the policy name for the analysis results. The Database Setting column indicates the security value in your template. The Computer Setting column indicates the current security level in the system.

    In the Policy column, what does the red X indicate? What does the green check mark indicate?

    A red X indicates a difference in the data from the database configuration. A green check mark indicates consistency with data in the database configuration.
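The analysis described above can be reproduced outside the console. The following Python script is an added example, not code from the training kit or from Microsoft: it parses a constructed INF-style security template (the layout Windows 2000 uses for .inf templates; the [System Access] and [Event Audit] sections and key names are the real ones, the values are assumed), compares each template value (the Database Setting) with a constructed set of current computer settings (the Computer Setting), marks each policy consistent (check) or different (X), and then applies the template to the computer settings the way Configure Computer Now does. It also illustrates the apply, analyze, configure sequence given in the Chapter 27 review answer on security templates.

```python
"""Security template analysis, the way Security Configuration and Analysis does it:
the template supplies the Database Setting, the live system the Computer Setting."""
import configparser
from dataclasses import dataclass

# Constructed template in the INF layout Windows 2000 uses for security templates.
# Section and key names are the real ones; the values are chosen for this example.
# (Real template files are saved as Unicode text, hence the [Unicode] section.)
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 2
AuditAccountLogon = 2
AuditObjectAccess = 3
AuditPrivilegeUse = 1
AuditPolicyChange = 1
AuditSystemEvents = 3
"""

# Constructed "current computer" settings, as the analysis reads them from the live
# system: a weak password policy and no logon auditing.
SAMPLE_COMPUTER = {
    "System Access": {"MinimumPasswordLength": "0", "PasswordComplexity": "0",
                      "PasswordHistorySize": "24", "MaximumPasswordAge": "42",
                      "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "0", "AuditAccountLogon": "0",
                    "AuditObjectAccess": "3", "AuditPrivilegeUse": "1",
                    "AuditPolicyChange": "1", "AuditSystemEvents": "3"},
}

POLICY_SECTIONS = ("System Access", "Event Audit")
# Meaning of the [Event Audit] values: 0 none, 1 success, 2 failure, 3 both.
AUDIT_VALUES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}


def parse_template(text):
    """Return {section: {policy: value}} for the policy sections of an INF template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written in the template
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s in POLICY_SECTIONS}


@dataclass
class Result:
    section: str
    policy: str
    database: str   # value from the template (Database Setting column)
    computer: str   # value on the system (Computer Setting column)

    @property
    def consistent(self):
        return self.database == self.computer

    @property
    def mark(self):
        return "check" if self.consistent else "X"  # green check / red X


def analyze(template, computer):
    """Compare every template policy with the computer's current value."""
    results = []
    for section, settings in template.items():
        current = computer.get(section, {})
        for policy, db_value in settings.items():
            results.append(Result(section, policy, db_value, current.get(policy, "Not Defined")))
    return results


def discrepancies(results):
    return [r for r in results if not r.consistent]


def configure(template, computer):
    """Configure Computer Now: the database (template) values overwrite the system's.
    Returns a new dict; the input is left untouched."""
    new = {s: dict(v) for s, v in computer.items()}
    for section, settings in template.items():
        new.setdefault(section, {}).update(settings)
    return new


def display(section, value):
    return AUDIT_VALUES.get(value, value) if section == "Event Audit" else value


def report(results):
    """Render the three columns the console shows, plus the consistency mark."""
    lines = [f"{'Policy':<24}{'Database Setting':<20}{'Computer Setting':<20}Mark"]
    for r in results:
        lines.append(f"{r.policy:<24}{display(r.section, r.database):<20}"
                     f"{display(r.section, r.computer):<20}{r.mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    template = parse_template(SAMPLE_TEMPLATE)
    print(report(analyze(template, SAMPLE_COMPUTER)))
    print(len(discrepancies(analyze(template, configure(template, SAMPLE_COMPUTER)))),
          "discrepancies after configuring")
```

Running the script shows five red X rows (the three weak password settings and the two audit categories set to no auditing); after configure() the same analysis reports no discrepancies, which is the point of re-running the analysis after Configure Computer Now.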

Review

  1. On which computer do you set an audit policy to audit a folder that is located on a member server that belongs to a domain?

    You set the audit policy on the member server; the audit policy must be set on the computer where the folder is located.

  2. What is the difference between what the audit policy settings track for directory service access and object access?

    Directory service access tracks whether a user gained access to an Active Directory object. Object access tracks whether a user gained access to a file, folder, or printer.

  3. When you view a security log, how do you determine if an event failed or was successful?

    Successful events appear with a key icon. Unsuccessful events appear with a lock icon.

  4. How are user rights different from permissions?

    User rights are different from permissions because user rights apply to user accounts and permissions are attached to objects.

  5. What is a security template and why is it useful?

    A security template is a physical representation of a security configuration, a single file where a group of security settings is stored. Locating all security settings in one place streamlines security administration.

  6. Where does the Security Configuration and Analysis console store information for performing configuration and analysis functions?

    The Security Configuration and Analysis console uses a database to perform configuration and analysis functions.
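The audit decisions recorded at the start of this chapter's answers (failed logon events for network access attempts, successful policy changes for administrator actions) only pay off if someone reads the security log. The following Python script is an added example, not part of the training kit: it parses a constructed, tab-separated Event Viewer-style export (the column layout and event IDs 528, 529, 560 and 612 are real Windows 2000 values; the entries themselves are made up), separates Success Audit from Failure Audit records (the key and lock icons of review question 3), and flags accounts with repeated failed network logons. One detail the answers do not mention: for a logon failure the User column holds the system account, and the account that was attacked is in the event description, so the script pulls it from there.

```python
"""Triage a Windows 2000 security log export: separate Success Audit from
Failure Audit records and flag accounts with repeated failed logons."""
import csv
import re
from collections import Counter
from io import StringIO

# Constructed sample in the tab-separated layout of an Event Viewer text export
# (Date, Time, Source, Type, Category, Event, User, Computer, Description).
# Event IDs are the Windows NT/2000 ones: 528 successful logon, 529 logon failure
# (unknown user name or bad password), 560 object opened, 612 audit policy changed.
SAMPLE_LOG = """\
Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer\tDescription
3/15/2001\t8:01:12 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCONTOSO\\jdoe\tSERVER01\tSuccessful Logon: User Name: jdoe Domain: CONTOSO Logon Type: 2
3/15/2001\t8:04:30 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-17
3/15/2001\t8:04:31 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-17
3/15/2001\t8:04:32 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-17
3/15/2001\t8:04:33 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-17
3/15/2001\t8:04:34 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-17
3/15/2001\t8:10:02 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSERVER01\tLogon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CONTOSO Logon Type: 3 Workstation Name: WKS-04
3/15/2001\t8:15:45 AM\tSecurity\tSuccess Audit\tPolicy Change\t612\tCONTOSO\\administrator\tSERVER01\tAudit Policy Change: New Policy: Success Failure Logon/Logoff
3/15/2001\t8:20:11 AM\tSecurity\tSuccess Audit\tObject Access\t560\tCONTOSO\\jdoe\tSERVER01\tObject Open: Object Type: File Object Name: C:\\Payroll\\salaries.xls Accesses: READ_CONTROL
"""

TARGET_RE = re.compile(r"User Name:\s*(\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")  # 2 interactive, 3 network


def parse_security_log(text):
    """Parse the export into dicts, adding Outcome, Target account and LogonType."""
    events = []
    for row in csv.DictReader(StringIO(text), delimiter="\t"):
        row["Event"] = int(row["Event"])
        # Success Audit is the key icon, Failure Audit the lock icon in Event Viewer.
        row["Outcome"] = "failure" if row["Type"] == "Failure Audit" else "success"
        m = TARGET_RE.search(row["Description"])
        row["Target"] = m.group(1) if m else row["User"]
        m = LOGON_TYPE_RE.search(row["Description"])
        row["LogonType"] = int(m.group(1)) if m else None
        events.append(row)
    return events


def outcome_counts(events):
    return Counter(e["Outcome"] for e in events)


def failed_logons_by_account(events):
    """Failed logons (event 529) keyed by the account named in the description."""
    return Counter(e["Target"] for e in events if e["Event"] == 529)


def suspicious_accounts(events, threshold=3):
    """Accounts whose failed-logon count reaches the threshold (password guessing)."""
    return {acct: n for acct, n in failed_logons_by_account(events).items() if n >= threshold}


def network_logon_failures(events):
    """The 'Failed (for network access attempts)' decision: 529 with logon type 3."""
    return [e for e in events if e["Event"] == 529 and e["LogonType"] == 3]


def policy_changes(events):
    """Audit policy changes (event 612) should always be reviewed."""
    return [e for e in events if e["Event"] == 612]


if __name__ == "__main__":
    evts = parse_security_log(SAMPLE_LOG)
    print("outcomes:", dict(outcome_counts(evts)))
    print("suspicious:", suspicious_accounts(evts))
    for e in policy_changes(evts):
        print("policy change by", e["User"], "at", e["Date"], e["Time"])
```

With the sample data the script reports six failures and three successes, flags administrator (five failed network logons from one workstation) while leaving jdoe's single failure alone, and lists the one audit policy change together with who made it.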

Chapter 22

  1. If Terminal Services is not licensed, what features of Terminal Services will work and for how long?

    Remote Administration mode allows two concurrent remote sessions to the computer running Terminal Services, and no Terminal Services client license is necessary for them. In Application Server mode, a Terminal Services client license is required for each client session. Terminal Services continues to function for 90 days without client licenses installed on the Terminal Services Licensing server.

Chapter 23

  1. With the Web Site tab active, record the TCP Port value appearing in the TCP Port text box.

    Port value will vary but should be between 2000-9999.

Review

  1. You are accessing the IIS 5.0 documentation from Internet Services Manager (HTML). All of the documentation appears and you are able to access information via the Index tab. Under the Index tab, you find the phrase Process Accounting. However, when you perform a search on this phrase, the Web browser reports that your search phrase cannot be found. What is the most likely reason that this is happening?

    The Indexing Service is running; otherwise the Web browser would have reported that it could not perform the search. Because the phrase was not found, the most likely reason is that you have not configured the Indexing Service to catalog the iisHelp folder, or that the Indexing Service has not yet finished indexing that folder's contents.

  2. You have created a virtual directory for the purpose of Web Distributed Authoring and Versioning (WebDAV) publishing. The home directory of the Web site is accessible from Internet Explorer 5.0, but when you attempt to access the virtual directory for WebDAV publishing, access is denied. Name two reasons why this may happen and how you can solve this access problem.

    WebDAV security is managed by both the file system and Internet Information Services. Access could therefore be denied because the physical directory used for WebDAV has an access control list (ACL) that does not grant the browser client access to the folder. If access is allowed at the file system level, verify that the Read, Write, and Directory Browsing permissions are enabled on the WebDAV virtual directory. For Active Server Pages (ASP) support, also enable Script source access so that WebDAV clients can read and write the script files rather than having IIS execute them.

  3. Why is it important that the Microsoft Telnet Client and the Microsoft Telnet service support NT LAN Manager (NTLM) authentication?

    NTLM authentication keeps the user's password from being transmitted in clear text across the network from the Telnet client to the Telnet server, which plain Telnet would otherwise do. The user is authenticated in the context of the current logon session; if explicit authentication is necessary, the NTLM challenge/response exchange proves knowledge of the password without sending it. Note that NTLM protects only the logon: the Telnet session data that follows is still sent unencrypted. This is an important security feature of Windows 2000 Telnet.

Chapter 24

  1. How does a mounted drive to an empty folder differ from a Dfs root?

    A mounted drive to an empty folder allows for folder redirection. When you store files in a folder that points to a mounted partition, the files are redirected to the partition. This feature provides limited resource consolidation. A Dfs root provides a central point where disparate resources are consolidated through Dfs links. These links are then presented to the users as a single share containing folders. This feature provides robust resource consolidation.

  2. In the Practice "Creating a Dfs Root and Dfs Link," you were asked to notice that New Root Replica and Replication Policy were not available options in the Distributed File System snap-in. Explain why these options are not available.

    New Root Replica and Replication Policy are available only for domain Dfs roots. In the practice a standalone Dfs root was configured. A new root replica makes it possible to replicate the Dfs root to other servers on the network. This feature provides fault tolerance and load balancing. If a server hosting the Dfs root fails, users access the Dfs root from the other replicas. If all servers replicating the Dfs root are available, they will load balance user requests. Replication policy allows you to configure the settings for replicating the Dfs root and Dfs shares below it.

  3. How is the Knowledge Consistency Checker (KCC) involved in maintaining Active Directory store synchronization between domain controllers?

    The KCC creates a ring topology for intra-site replication, that is, among the domain controllers within one site. This topology provides a path for Active Directory store updates to flow from one domain controller to the next. Because it is a ring, each domain controller has two replication paths, one in each direction around the ring, so replication continues even if a single link in the ring is temporarily broken.

  4. What data does the FRS replicate?

    System Volume data and domain Dfs roots and Dfs links configured for replication.

Chapter 25

  1. You have configured a computer to boot Windows 2000 Server as the default operating system, and Windows NT 4.0 Server as the optional operating system. After modifying the attributes of files on %systemdrive% and deleting some of the files, the computer does not display Windows NT 4.0 Server as an operating system to start. Windows 2000 Server starts up properly. The problem is caused because you deleted a file. What is the name of the file, and what can you do to recover from this error?

    You deleted the Boot.ini file. Boot.ini allows for multiboot. If this file is missing, the default operating system starts. To recover this file, run the Emergency Repair Disk (ERD), choose Manual Repair, and then choose Inspect Startup Environment.

  2. Why would the Use Hardware Compression, If Available check box be unavailable in the Backup wizard?

    This option is available only if an installed tape device and its driver support hardware compression.

  3. How can you test the configuration of the uninterruptible power supply (UPS) service on a computer?

    You can simulate a power failure by disconnecting the main power supply to the UPS device. During the test, the computer and peripherals connected to the UPS device should remain operational, messages should display, and events should continue to be logged.

    In addition, you should wait until the UPS battery reaches a low level to verify that a graceful shutdown occurs. Then restore the main power to the UPS device and check the event log to ensure that all actions were logged and there were no errors.

    Note that this procedure requires a UPS that communicates with the computer through a serial (COM) port or a proprietary interface provided with the UPS.

Chapter 26

  1. You want to filter out all network traffic except for traffic between two computers, and you also want to locate specific data within the packets. Which Network Monitor filter features should you specify?

    Filter for Address Pairs, where you specify the media access control (MAC) address of each computer, and Pattern Matches, where you filter for specific patterns in Hex or ASCII contained in the frames.

  2. Your goal is to make sure that only two network management stations in your organization are able to communicate with the Simple Network Management Protocol (SNMP) agents. What measures can you take when configuring the SNMP service to enhance security?

    Using the Security tab of the SNMP Service Properties dialog box, make the following configuration changes:

    • Specify a unique community name and remove the Public community name.
    • Adjust the community rights so that the network management station (NMS) can perform only the functions you want to enable. If you aren't sure which community rights you need, configure the community for READ ONLY and adjust it after testing communication between the NMS and the SNMP service.
    • Select the Accept SNMP Packets From These Hosts radio button, and then specify the host name, Internet Protocol (IP) address, or Internetwork Packet Exchange (IPX) address of each of the two network management stations.
    • If you will be sending traps to an NMS, make sure to specify the Trap destination(s) under the Traps tab.

Chapter 27

  1. Which key is associated with the creation of digital signatures, the public key or the private key? Explain your answer.

    Private keys are used to create digital signatures. You sign by transforming the data (in practice, a hash of the data) with your private key; anyone who holds the matching public key can verify the signature and confirm that only the holder of the private key could have produced it. Verification is performed with the public key, but only the private key can create the signature.

  2. What security credential(s) are in use if you are supporting client computers running Windows 2000 and Windows NT that authenticate to servers running Windows 2000 Server and Windows NT Server?

    Windows NT client computers authenticate to both Windows 2000 Server and Windows NT Server computers using NT LAN Manager (NTLM) credentials (Windows NT domain name, user name, and a challenge/response value derived from the user's password hash; the password itself is never sent). Windows 2000 client computers authenticate to computers running Windows 2000 Server using Kerberos authentication (domain name, user name, and a ticket request with pre-authentication data encrypted under a key derived from the password), and they fall back to NTLM authentication when they authenticate to computers running Windows NT Server.

  3. How can a security template be used to facilitate configuration and analysis of security settings?

    A template can be imported into a security configuration database created by the Security Configuration and Analysis snap-in. After the database is created, the current settings of the computer can be compared to the settings dictated by the template. After reviewing the discrepancies between the template and the computer's security settings, the same snap-in can be used to configure the computer's security settings to match the template.

  4. Where is the Certificate Services Enrollment page and what is its purpose?

    The Certificate Services Enrollment page is a set of Web pages hosted on the certification authority (CA) server, reached at http://<CA server name>/certsrv. It allows for the easy creation and monitoring of certificate requests, and for the retrieval of certificate revocation lists (CRLs) and certificates.

  5. What steps must you follow to enable auditing of specific file objects on domain controllers in a domain where Group Policy is enabled?

    Use Active Directory Users And Computers to open a group policy object (typically the Default Domain Policy GPO or the Default Domain Controllers Policy GPO). Navigate to the Audit Policy node below the Windows Settings - Security Settings - Local Policies node. In the details pane, double-click Audit Object Access and enable auditing of success or failure attempts as appropriate. Using Windows Explorer, navigate to the specific file or folder that you need to audit. Open the properties of the file or folder object, click the Security tab, then click the Advanced button. In the Access Control Settings dialog box, click the Auditing tab and select View/Edit to modify the audit entry for a selected user or group, or add a new user or group to audit. Be cautious about how much file object auditing you configure. This feature can be processor intensive and can fill the security log quickly if it is configured too broadly.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244