12.4. Exam 70-294 Practice Questions

  1. John is a network administrator for a growing organization. While the company used to have only a single domain, they now have multiple domains. Users are having problems with logon, and John is looking for a way to simplify logon while retaining the current domain structure. What is the easiest way to resolve this problem?

    1. Assign all domains a common name (CN).

    2. Configure Active Directory to use DNS names.

    3. Specify an alternate user principal name (UPN).

    4. Reorganize the domain structure and use OUs instead.

    Answer C is correct. You can specify an alternate UPN suffix to simplify logon or provide additional logon security. This name is used only within the forest and does not have to be a valid DNS name.

  2. Mary is installing a new domain controller. She wants the domain controller to be in a separate domain that is not part of an existing forest. What type of domain should Mary install?

    1. A forest root domain

    2. A parent domain

    3. A child domain

    4. A domain in a new domain tree in the existing forest

    Answer A is correct. If you want to create a domain that is not part of an existing forest, you must install a forest root domain. Every forest has a forest root domain, which is the first domain created in the forest.

  3. Your organization is upgrading from Windows NT to Windows Server. You are planning the network strategy for Active Directory. On the current network, you have multiple user and resource domains. The SERVICE domain has over 1,500 users and computers from the Customer Service, Help Desk, and Technical Support departments. The MAIN domain is for over 5,000 users and computers from all departments located at the company's main office except for the service departments. The RESOURCE domain has all servers, printers, and other shared resources. There are also domains for each remote office, including SEATTLE, TACOMA, and PORTLAND domains. Users in the remote office are part of the Sales, Customer Service, Help Desk, or Technical Support departments. Which of the following documents will best help you determine where to place global catalog servers?

    1. An organization chart

    2. A spreadsheet with users organized by department, manager, and location

    3. A diagram of the local area network topology

    4. A diagram of the wide area network topology and traffic analysis

    Answer D is correct. To determine where to place global catalog servers, you need to understand the types of WAN connections used and details on current network traffic.

  4. The organization has a central office and 18 remote offices. Remote offices are connected over a 256 Kbps link to the central office. You are installing a domain controller in each remote office and want to be sure remote users can always log on. Which of the following provides the best solution while reducing replication traffic?

    1. Configuring remote office domain controllers as global catalog servers

    2. Enabling universal group caching on remote office domain controllers

    3. Granting remote office administrators full control over domain controllers

    4. Installing redundant site links for each site

    Answer B is correct. On a domain with domain controllers running Windows Server 2003, universal group membership caching can be enabled. Once caching is enabled, domain controllers no longer need to access global catalogs to obtain universal group membership details.

  5. What type of forest root domain should you configure if you want to use the forest root as a placeholder rather than as a normal part of the directory?

    1. A parent-child root

    2. A tree root

    3. A dedicated root

    4. A nondedicated root

    Answer C is correct. A dedicated root is used as a placeholder to start the directory and has no accounts associated with it other than those created when the forest root is installed and those that are needed to manage the forest. It is not used to assign access to resources.

  6. Which of the following is the default domain functional level when you are not upgrading from Windows NT 4?

    1. Windows 2000 mixed mode

    2. Windows 2000 native mode

    3. Windows Server 2003 interim mode

    4. Windows Server 2003 mode

    Answer A is correct. Windows 2000 mixed mode is the default domain functional level unless you're upgrading from Windows NT 4.0.

  7. Which of the following are the forest-wide operations master roles?

    1. Schema master

    2. Domain naming master

    3. Relative ID (RID) master

    4. PDC emulator

    5. Infrastructure master

    Answers A and B are correct. The schema master and domain-naming master roles are assigned on a per-forest basis. There is only one schema master and only one domain-naming master in a forest.

  8. You've recently completed an enterprise-wide upgrade. All domain controllers in all domains in the forest are running Windows Server 2003. After the upgrade, the help desk has received sporadic complaints about users not being able to log on after they've changed their password. What is the most likely cause of the problem?

    1. Account lockout policy is causing the users to get locked out and the accounts need to be reset.

    2. Password policy is set so users cannot reuse old passwords.

    3. The PDC emulator master is malfunctioning or unavailable.

    4. Password policy is set so users can only change their password after seven days.

    Answer C is correct. The PDC emulator master is responsible for processing password changes. When a user tries to log on to the network but provides an incorrect password, the logon domain controller checks the PDC emulator to see whether there is a recent password change for the user's account. If so, the domain controller retries the logon authentication on the PDC emulator.

  9. Your organization just merged with another company. You want to ensure that users in either forest can access resources in the other forest. You also want to ensure that users can log on in either forest. What type of trust should you create between the forests?

    1. One-way transitive forest trust

    2. Two-way transitive forest trust

    3. One-way nontransitive forest trust

    4. Two-way nontransitive forest trust

    Answer B is correct. Forest trusts are one-way or two-way transitive trusts between forest root domains that must be explicitly established by administrators. If you want users in both forests to be able to use and access resources in the other forest, you should establish a two-way transitive trust.

  10. Your organization is restructuring its domains. You've been asked to install a new domain in a new domain tree and three child domains in that domain tree. The root domain for the new tree is seattle.local. The child domains are tech.seattle.local, eng.seattle.local, and support.seattle.local. You install the root domain and the first two child domains with no problems. However, before you can install the third child domain, one of the domain controllers in the seattle.local domain has an unrecoverable hardware problem and goes offline permanently. When you try to install the support.seattle.local domain, you are unable to. What can you do to resolve this problem?

    1. Transfer the infrastructure master role in the seattle.local domain to a new domain controller.

    2. Configure a domain controller in the seattle.local domain as a global catalog server.

    3. Configure a domain controller in the seattle.local domain as a preferred bridgehead server.

    4. Seize the domain-naming master role in the seattle.local domain and transfer it to a new domain controller.

    Answer D is correct. The domain-naming master is responsible for adding or removing domains from the forest. If the domain-naming master cannot be contacted when you are trying to add or remove a domain, you will not be able to add or remove the domain.

  11. Which of the following is used to install Active Directory and establish a server as a domain controller?

    1. Ntdsutil

    2. Dcpromo

    3. Gpotool

    4. Gpresult

    Answer B is correct. Use the Active Directory Installation Wizard (DCPROMO.EXE) to install the Active Directory directory service.

  12. Which of the following is used to uninstall Active Directory and demote a domain controller?

    1. Ntdsutil

    2. Dcpromo

    3. Gpotool

    4. Gpresult

    Answer B is correct. Use the Active Directory Installation Wizard (DCPROMO.EXE) to uninstall the Active Directory directory service and demote domain controllers.

  13. Your company has merged with another company. You want to merge the forest structures of the two companies using an extended two-way forest trust, and you need to restructure some of the domains. What are the requirements to do these tasks?

    1. The forest functional level must be set to Windows 2000. The domain controllers must be running Windows 2000 or later.

    2. The forest functional level must be set to Windows Server 2003 interim mode. The domain controllers must be running Windows 2000 or later.

    3. The forest functional level must be set to Windows Server 2003 mode. The domain controllers must be running Windows 2000 or later.

    4. The forest functional level must be set to Windows Server 2003 mode. The domain controllers must be running Windows Server 2003.

    Answer D is correct. Forests operating in Windows Server 2003 mode can use many Active Directory features, including extended two-way trusts between forests, domain rename, domain restructure using renaming, and global catalog replication enhancements. In this mode, only Windows Server 2003 domain controllers are supported.

  14. Your organization has a central office and remote office locations in Seattle, New York, Memphis, and Los Angeles. The central office has separate 512 Kbps WAN connections to each remote office. The Seattle and New York offices have a 256 Kbps WAN connection between them. The Memphis and Los Angeles offices have a 256 Kbps WAN connection between them. What is the best way to configure sites for these locations?

    1. Create a single site for the entire network and have each office location on a separate subnet.

    2. Create a separate site for each location and have each office location on separate subnets.

    3. Create a separate site for each location, connect the sites with site links, and have each office location on separate subnets as appropriate for the related sites.

    4. Create a separate site for each location and connect the sites using two-way trusts.

    5. Create a single site for the entire network and connect the subnets using two-way trusts.

    Answer B is correct. When office locations are connected over relatively slow links, individual sites should represent the individual LANs within an organization, and the WAN links between locations should mark site boundaries.

  15. Your organization has a central office in Austin, Texas and remote office locations in Dallas, Houston, and San Antonio. The central office has separate, dedicated 512 Kbps WAN connections to each remote office. The Dallas and Houston offices have a dedicated 256 Kbps WAN connection between them. The Houston and San Antonio offices have a dedicated 256 Kbps WAN connection between them. What is the best way to configure site links for these locations?

    1. Configure site links between the central office and remote office using SMTP; configure remote office to remote office links using SMTP.

    2. Configure site links between the central office and remote office using SMTP; configure remote office to remote office links using RPC over IP.

    3. Configure site links between the central office and remote office using RPC over IP; configure remote office to remote office links using SMTP.

    4. Configure site links between the central office and remote office using RPC over IP; configure remote office to remote office links using RPC over IP.

    Answer D is correct. All WAN connections are dedicated. RPC over IP should be used when there are reliable, dedicated connections between sites.

  16. For the site link configuration discussed in Question 14, you want to ensure that replication traffic between the Dallas and Houston office goes over the dedicated 256 Kbps WAN connection between the offices whenever possible. How can you do this?

    1. By configuring the Dallas-Houston site link so it has the lowest link cost.

    2. By setting the replication schedule for the Dallas-Houston site link to 24 hours a day, 7 days a week.

    3. By reducing the replication schedule for the Dallas-Houston site link, allowing replication to occur every 30 minutes.

    4. By using RPC over IP rather than SMTP as the transport protocol for the Dallas-Houston site link.

    Answer A is correct. If there are multiple possible routes to a site, the route with the lowest site link cost is used first.

  17. You work for an organization with global operations in 17 countries. The central office in the United States is connected to the central office in the United Kingdom over a dedicated, high-speed WAN link. You notice that this link is being saturated with replication traffic. You investigate the issue and find almost all replication traffic is passing over the U.S.-U.K. link multiple times. What is a possible cause of this problem and how can this problem be resolved?

    1. By default, replication is scheduled to occur over the site link 24 hours a day, 7 days a week, at an interval of at least 180 minutes. If you have limited bandwidth, you can alter the schedule to allow user traffic to have priority during peak usage times.

    2. By default, intersite replication topology is optimized for a maximum of three hops. You can resolve this problem by disabling site link transitivity and configuring site link bridges.

    3. By default, intersite replication does not use compression, and replication partners do not notify each other when Active Directory changes need to be replicated. You can resolve this problem by enabling compression and configuring replication partners to notify each other of changes.

    4. By default, intersite replication uses RPC over IP. You can resolve this problem by configuring site links to use SMTP as the transport.

    Answer B is correct. By default, intersite replication topology is optimized for a maximum of three hops. In large site configurations, this can have unintended consequences, such as the same replication traffic going over the same link several times. In this case, you want to disable automatic site link bridging and manually configure site link bridges.

  18. You work for an organization with a very large extended network. The organization has three central offices, which are each connected over T-1 WAN links. Each central office has up to eight remote offices to which it is connected. Central offices and remote offices are connected over 512 Kbps WAN links. You've noticed a recurring problem with high latency. In some cases, changes to the directory are not replicated throughout the enterprise for days. At the same time, much of the network is being restructured, and you notice that the bridgehead servers at most locations have 100 percent processor utilization at all times. To resolve this problem, you configured one preferred bridgehead server on each site. However, this made the problem worse, and now most changes to Active Directory are not being replicated to other sites. Users have also reported problems with DNS. What is the best way to resolve this problem?

    1. Remove all servers as preferred bridgehead servers, and then allow the ISTG to select the bridgehead servers that should be used.

    2. For each site, configure a preferred bridgehead server for each Active Directory partition that needs to be replicated.

    3. For each site, configure a preferred bridgehead server for each Active Directory and DNS partition that needs to be replicated.

    4. Upgrade the domain controller hosting the Inter-Site Topology Generator (ISTG) in each site.

    Answer C is correct. You must configure a preferred bridgehead server for each partition that needs to be replicated. This means you must configure at least one domain controller with a replica of each directory partition as a preferred bridgehead server.

  19. You are a network administrator for a company setting up a new network. You've been asked to plan the domain structure. The company has two office locations: an office in London, England and an office in Paris, France. The organization has three administrative groups: IT Admins, which are responsible for administration throughout the enterprise, Desktop Support, which is responsible for user support at all levels, and Help Desk, which is responsible for level 1 support. Members of the Help Desk team need to be able to reset user passwords for all users. What is the best way to configure the domain structure?

    1. Create a forest with a London domain and a Paris domain. Make all IT Admins members of the Enterprise Admins group. Make all Desktop Support members of the Domain Admins group. Make all Help Desk members of the Administrators group.

    2. Create a forest with a dedicated root domain. Create two additional domains: one for London and one for Paris. Make all IT Admins members of the Enterprise Admins group. Make all Desktop Support members of the Domain Admins group. Make all Help Desk members of the Administrators group.

    3. Create a single domain. Create a top-level OU within the domain called IT. Create second-level OUs called London and Paris. Make the IT administrators members of the Domain Admins group. Grant Desktop Support administrators full control over the London and Paris OUs. Grant Help Desk administrators the right to reset passwords in the London and Paris OUs.

    4. Create a forest with a dedicated root domain. Create two additional domains: one for London and one for Paris. Create a top-level OU within each domain called IT. Create second-level OUs called London and Paris within each domain. Make the IT administrators members of the Enterprise Admins group. Grant Desktop Support administrators full control over the London and Paris OUs in each domain. Grant Help Desk administrators the right to reset passwords in the London and Paris OUs in each domain.

    Answer C is correct. There is no requirement to create a dedicated root domain. In this case, a single domain with a top-level OU called IT and second-level OUs for London and Paris meets all requirements.

  20. You work for a large enterprise with 3 regional headquarters and 25 additional office locations. Each office location has its own domain and supports 1,000 to 5,000 users on average. The organization uses a dedicated root domain, which is named domain.local. Domains are structured so the regional offices are the top-level domains and all additional offices are configured as child domains of one of the regional office domains. As an example, the Midwest United States regional office is in Chicago, and the domain in Chicago is named chicago.domain.local. The domain in the Springfield office, also in the Midwest United States, is named springfield.chicago.domain.local. Due to a new business alliance, users in the Springfield and Newark offices recently have started working very closely together. The Newark office is located under the Northeast United States regional office in New York and has a domain name of newark.newyork.domain.local. When users from Springfield visit the Newark office or try to access file servers at the Newark office, they have problems and often have to wait several minutes to be authenticated. Sometimes authentication fails. The same is true when users from Newark visit the Springfield office or try to access file servers at the Springfield office. What is the best way to speed up the authentication process and make it easier for these offices to work together?

    1. Configure a domain controller at each office to act as a global catalog server and enable universal group caching.

    2. Configure a preferred bridgehead at each office location, and then configure the site links so that the Newark to New York, New York to Chicago, Chicago to Springfield route has the lowest link cost.

    3. Create a shortcut trust between the springfield.chicago.domain.local domain and the newark.newyork.domain.local domain.

    4. Configure a new domain for the Springfield and Newark users and resources, and move all the related objects to this domain.

    Answer B is correct. While configuring a domain controller at each office to act as a global catalog server and enable universal group caching can help improve performance by allowing for faster logon authentication and searching, it doesn't resolve the problem with the large trust tree that must be navigated. You can streamline the authentication process by creating a shortcut trust between the domains.

  21. You are a network administrator for a medium-sized business. The company has 535 users. The domain structure for the network is organized into a single domain with multiple OUs. One of the domain controllers has had a hard disk fail. This domain controller is backed up every day, and you have a current backup available. What must you do to restore the server as a domain controller?

    1. Replace the failed hard disk and perform a nonauthoritative restore.

    2. Replace the failed hard disk and perform an authoritative restore.

    3. Replace the failed hard disk and perform a primary restore of the Sysvol.

    4. The domain controller cannot be recovered. Install a new domain controller.

    Answer A is correct. To restore Active Directory on a domain controller and have the domain controller get directory updates from other domain controllers, you should repair the server, replacing any failed hardware as necessary, and then perform a nonauthoritative restore. A nonauthoritative restore allows the domain controller to come back online, and then get replication updates from other domain controllers.

  22. You are a network administrator for a medium-sized business. The company has 817 users. When you arrive at work, the office is in a panic. No one can access resources on any of the office's file servers. You check the file servers and find no apparent problems. Later, one of the new administrators says he deleted security groups called FSUsers, FSManagers, FSSales, and FSTechs because he thought they weren't being used after the organization's latest restructure. These groups, however, were the primary groups through which file server permissions were assigned. What is the best way to resolve this problem?

    1. Recreate the security groups, and make the appropriate users members of the appropriate groups.

    2. Recreate the security groups, make the appropriate users members of the appropriate groups, and configure file shares on the file servers to use these groups as appropriate.

    3. Perform an authoritative restore of Active Directory and restore only the deleted security groups.

    4. Perform an authoritative restore of Active Directory and restore the entire database.

    Answer C is correct. To recover the security groups, you can perform an authoritative restore of Active Directory and restore only the deleted security groups.

  23. You are a network administrator at a large company. The company has a single domain spread across five sites. The organization has 17 OUs with the top-level OU as Operations. You've created a separate GPO for the Software Installation policy and want to configure Software Installation policy to deploy an application to all users, with no user intervention required. What is the best way to deploy the software?

    1. Deploy the application using computer assignment and link the Software Installation policy GPO to the domain.

    2. Deploy the application using user assignment and link the Software Installation policy GPO to the domain.

    3. Deploy the application using user publishing and link the Software Installation policy GPO to the domain.

    4. Deploy the application using computer assignment and link the Software Installation policy GPO to each site separately.

    5. Deploy the application using user assignment and link the Software Installation policy GPO to each site separately.

    6. Deploy the application using user publishing and link the Software Installation policy GPO to each OU separately.

    7. Deploy the application using computer assignment and link the Software Installation policy GPO to each OU separately.

    8. Deploy the application using user assignment and link the Software Installation policy GPO to each OU separately.

    Answer A is correct. Since all users in the company should get the application, create a GPO for the Software Installation Policy and link it to the domain. Using computer assignment, you can assign the software to client computers so it is installed automatically when a client computer starts and is available to all users on a computer.

  24. Mary is a network administrator at a small company. The organization has an OU named Sales. Accounts for all sales team members are within the Sales OU. She's created a new GPO to configure folder redirection and linked it to the Sales OU. Since she doesn't want the GPO to apply to anyone except the sales team, she removed rights for Authenticated Users from the GPO. Later, she discovered none of the sales team members are using redirected folders. What is the best way to resolve this problem?

    1. Enforce policy inheritance for the GPO in the Sales OU.

    2. Block policy inheritance from the domain for the GPO in the Sales OU.

    3. Link the GPO to the domain instead.

    4. Create a group for the sales team, add the team as members, and grant the group the right to Read and Apply GPOs for the GPO.

    Answer D is correct. By default, the policy settings applied to a GPO apply to all users and computers in the container to which the GPO is linked. The GPO applies to all users and computers because the default settings of GPOs specify that Authenticated Users have Read permission as well as Apply Group Policy permission. If you remove permissions for Authenticated Users, you must grant these permissions to the security groups that should process the GPO.

  25. You are a network administrator at a company that is about to have its first major reorganization. You've been asked to identify possible problems due to the reorganization from an administrative perspective. While you will not be creating new domain structures or OUs, user accounts will be moved according to the realignment. What is the best way to test the effects of moving various user accounts to new OUs?

    1. Use RSoP in planning mode to simulate the effects of moving user accounts to new OUs.

    2. Use RSoP in logging mode to simulate the effects of moving user accounts to new OUs.

    3. Move a sample of user accounts to new OUs and use Gpresult to determine the applied security settings.

    4. Move a sample of user accounts to new OUs and use RSoP in planning mode to determine the applied security settings.

    Answer A is correct. When you use RSoP in planning mode, you can simulate the effects of moving user and computer accounts. You do not need to actually move accounts to perform testing. You do not use logging mode for testing.

  26. John is a network administrator at a large company with global operations. He works at the Denver office. At the Phoenix office, the organization has an OU named ProfServices. Accounts for all professional services team members are within the ProfServices OU. He's created a new GPO to configure logon scripts and linked it to the ProfServices OU. He waited for Group Policy to refresh. When he asked a user to log off and then log back on, he discovered the logon script was not being used. In fact, none of the professional services team members were getting the logon script. John checked the GPO and found no problems with permissions. What is the probable cause of this problem?

    1. Active Directory replication has failed.

    2. FRS has failed.

    3. The infrastructure master has failed.

    4. The bridgehead server connecting the site links between offices has failed.

    Answer B is correct. The most likely problem is the File Replication Service (FRS) has failed. FRS is responsible for replicating Sysvol files, which includes logon, logoff, shutdown, and startup scripts.

  27. You are installing smart cards for use in the domain. You install an enterprise certificate authority to issue certificates and create smart cards for all users. Smart cards are loaded with the digital certificates for users. After installing smart card readers and distributing smart cards, you find out users are able to log on without using smart cards. What is the most likely cause of this problem?

    1. Autoenrollment is disabled.

    2. The CA is not validating certificates.

    3. Remote users aren't using EAP for authentication.

    4. The Smart Card Is Required For Interactive Logon option is not selected in user account properties.

    Answer D is correct. After you install an enterprise certificate authority and configure smart cards for use, you must also require the use of smart cards for interactive logon. You do this through the Account tab in the user account properties in Active Directory Users And Computers.

  28. Which tool or command-line utility do you use to determine the applied Group Policy settings, security group membership, and the domain controller from which policy was applied?

    1. Group Policy Object Editor

    2. Gpresult

    3. Gpotool

    4. Gpupdate

    Answer B is correct. Gpresult provides details on many aspects of Group Policy and can be used in /v and /z verbose modes to get more detail.

  29. You've made changes to User Configuration settings in Group Policy. You do not want to wait for automatic refresh to test these settings. What should you do?

    1. Type gpotool at a command prompt.

    2. Type gpotool /checkacl at a command prompt.

    3. Type gpupdate /target:user at a command prompt.

    4. Type gpupdate /target:computer at a command prompt.

    Answer C is correct. To refresh only User Configuration settings, type gpupdate /target:user at the command prompt.

  30. You have applied the hisecws security template to all users in the Sales OU by creating a GPO, importing the template into the GPO, and then linking the GPO to the Sales OU. You later made changes to the GPO settings. These changes caused undesirable results, and you want to change the settings back to the default settings for the hisecws security template. You do not have a backup of the GPO available. What is the fastest way to make this change?

    1. Import the hisecws security template into the GPO a second time.

    2. Edit the policy settings in the GPO.

    3. Use Dcgpofix to restore the default GPOs.

    4. Delete the existing GPO. Create a new GPO, import the template into it, and link it to the Sales OU.

    Answer D is correct. Without a backup of a GPO, the fastest and most reliable way to ensure that you get back to the default settings in a security template is to create a new GPO, import the template into it, and link it to the Sales OU.




MCSE Core Required Exams in a Nutshell
MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))
ISBN: 0596102283
EAN: 2147483647
Year: 2006
Pages: 95
