Chapter 9. Answers to Practice Exam 1

Answers A, B, C, and D are correct. The Group Policy Management Console provides a single location in which all GPOs can be created, linked, manipulated, evaluated, disabled, and deleted throughout your forest. The GMPC can be used to manipulate all Group Policy settings, including security settings, configured for OU-, domain-, and site-level applications. User and computer settings are changed through the AD Users and Computers MMC, not the GMPC utility. There is no option for changing forest settings using the GMPC console. Therefore, answers E, F, and G are incorrect.

Answer A is correct. To perform most administrative tasks on a DNS server, John needs to be a member of the local Administrators group on the DNS server computer or have the administrator delegate control to him. DomainAdmins can have authority to manage DNS servers, depending on how the domain is set up, but this is not the default setting; therefore, answer B is incorrect. Neither System Operators or Power Users have proper permissions; therefore, answers C and D are incorrect.

Answer A is correct. The Csvde command-line utility is used to import and export the attributes of Active Directory objects using a comma-separated ( .csv ) file type. Answer B is incorrect because the Dsget utility is used to display selected attributes of a pre-existing object within the directory and is not used to import or export the attributes of Active Directory objects using .csv files. Answer C is incorrect because the Dsmod utility is used to modify the attributes of an existing object. Answer D is incorrect because the Dsquery utility is used to list Active Directory objects that meet a specified set of criteria. Answer E is incorrect because the Ldifde utility is not used in conjunction with .csv files, but rather with its own .ldf format.

Answer A is correct. To perform most administrative tasks on a Windows Server 2003 using the Security Templates, you must be a member of the local Administrators group on the local Windows Server. The Domain Admin group membership grants too much authority, making answer B incorrect. Neither System Operators or Power Users have permission to use Security Templates; therefore, answers C and D are also incorrect.

Answer C is correct. Integrated Windows Authentication uses Kerberos as the authentication protocol and provides a high level of security. Advanced Digest Authentication requires a user account and password and has a medium level of security; therefore, answer A is incorrect. Digest Authentication requires a user account and password and has a medium level of security because user credentials are sent across the network in a hashed message digest; therefore, answer B is incorrect. .NET Passport Authentication provides a single, unified logon, passwords are encrypted, and the level of security is high, but it does not use Kerberos; therefore, answer D is incorrect.

Answers B and C are correct. Driver Rollback and ASR are two new storage management features. Backup is very similar to Windows 2000; therefore, answer A is incorrect. Windows 2003 does not use the ERD feature; therefore, answer D is incorrect. The System State backup is a new feature added to Windows 2000, not Windows Server 2003; therefore, answer E is incorrect.

Answers B and D are correct. To perform most administrative tasks on a Windows Server 2003 domain controller using the Security Templates, you must be a member of either the Domain Administrators group or the Enterprise Admin group on the Windows Server 2003 domain controller. Neither local Administrators, Power Users, nor System Operators have permission to use the Security Configuration and Analysis utility; therefore, answers A, C, and E are incorrect.

Answer A is correct. The Routing and Remote Access service uses the latest remote access technologies, including integrated dial-up and VPN. IIS is a Web site and application server; therefore, answer B is incorrect. Terminal Services deliver applications to client desktops and can also operate in remote administration mode; therefore, answer C is incorrect. SUS is Microsoft's Software Update Service; therefore, answer D is incorrect.

Answers A and D are correct. Denying the Read and Apply Group Policy privileges will prevent the GPO's settings from being applied to the designated account or group ”a process referred to as filtering . Answers B and E are incorrect because the Modify and Full Control privileges are not needed to apply GPO settings. The Change privilege is a share-access right and is not involved in GPO management, making answer C incorrect as well.

Answer C is correct. Microsoft's recommendation is to continue using SMS 2.0 and wait for an SMS-compatible integrated version of SUS to be released. SMS 2.0 cannot automatically deploy critical updates to clients . Using SUS service instead of SMS is not recommended. Microsoft does not recommend waiting for SMS 3.0.

Answer D is correct. The -r parameter is used to specify the LDAP filter criteria for the selection. Answer A is incorrect because the -b parameter is used to specify the username, domain, and password to be used for authentication on the target server. Answer B is incorrect because the -f parameter is used to specify the target .ldf filename that will be created. Answer C is incorrect because the -s parameter is used to specify the name of the target server. Answer E is incorrect because the /? switch is used to query the command's help file for its available parameters.

Answer C is correct. If Max changes the zone type to stub zone, he must specify the source DNS server IP address used for obtaining updated zone information. The target DNS server is the server Max is managing; therefore, answers A and D are incorrect. There is no source DNS server computer name option available; therefore, answer B is incorrect.

Answer C is correct. Madelaine first needs to create a complete backup of the server system files. A full backup is not necessary; therefore, answer A is incorrect. ASR does not back up user data; therefore, answer B is incorrect. The second step is to create an ASR floppy disk; therefore, answer D is incorrect.

Answer B is correct. You can use the Backup All option to back up all the GPOs to a standard location, where they're stored in a versioned manner so that you can select a particular GPO backup from those stored in the location. Answers A, C, and D are incorrect because they specify the separation of backup storage based on GPO or version, which adds unnecessary administrative effort.

Answers B and C are correct. The Ldifde utility can be used to modify the Active Directory schema attributes, making answer D incorrect, whereas the Csvde utility cannot be used to modify the schema, making answer A incorrect as well. The Csvde command-line utility is not used for editing comma-delimited text reports , which makes answer E incorrect.

Answer B is correct. Storage file information is stored on the ASR backup. The Registry, System State, user profiles and user-mapped drives are not stored on the ASR floppy disk and must be backed up separately; therefore, answers A, C, D, and E are incorrect.

Answers B and C are correct. Windows XP Professional and Windows 2000 Servers (SP2) support the Automatic Update client software. The Windows Professional 2000 clients all need SP2 or higher; therefore, answer A is incorrect. Windows 98 clients are not supported; therefore, answer D is incorrect.

Answer B is correct. IIS is a Web site and application server. The Routing and Remote Access Service uses the latest remote access technologies, including integrated dial-up and VPN; therefore, answer A is incorrect. Terminal Services deliver applications to client's desktop and can also operate in remote administration mode; therefore, answer C is incorrect. SUS is Microsoft's Software Update Service; therefore, answer D is incorrect.

Answer B is correct. The Zone Properties General tab contains the view or change replication status. The SOA contains information on primary server, refresh and retry intervals, expire, and TTL settings; therefore, answer A is incorrect. The Name Server tab contains the FQDN of the name server, with options to add, edit, and remove name servers; therefore, answer C is incorrect. The Zone Transfers tab configures secondary servers to receive zone transfers to any server, only the servers listed in the Names tab, or specific servers; therefore, answer D is incorrect.

Answers A, C, and E are correct. The minimum requirements for installing SUS on a Windows 2000 Server are a Pentium III 700MHz or higher, 512MB of RAM, 6GB of free hard disk space, Internet Explorer 5.5 or higher, and Internet Information Server 3.0 or higher. 768MB of RAM exceeds the 512MB requirement; therefore, answer B is incorrect. 10GB of free hard disk space is more than the 6GB of free space recommended; therefore, answer D is incorrect. Answer F is incorrect because Windows 2000 only needs SP3 to install SUS.

Answer C is correct. The principal logon name is composed of the user logon name and the fully qualified domain name to which it belongs ( myuser@mycorp.com ). Answer A is incorrect because the user logon name alone is insufficient to fully designate the principal logon name, lacking a designation of the authenticating domain. Answer B is incorrect because it specifies a pre “Windows 2000 logon name using the NetBIOS version of the domain name (MYCORP). Answer D is incorrect because it defines an LDAP relative distinguished name.

Answers A and D are correct. There are two possible reasons: the Shadow Copies service is not activated on the Windows Server 2003 and Amy does not have the Shadow Copies for Shared Folders software installed on her computer. Windows XP Professional does not install Shadow Copies for Shared Folders by default. Amy would need to download the client version of Shadow Copies for Shared Folders from the Internet. Amy is selecting the correct folder. Amy cannot right-click the deleted file here; therefore, answers B and C are incorrect. Amy has permission to recover her PowerPoint file; therefore, answer E is incorrect.

Answer C is correct. John should select the medium level security setting, Secure and Non-secure, for the Unix DNS server and the Windows 2003 DNS servers to communicate and update resource records properly. Secure Dynamic Updates and Secure can be used only with Windows 2003 Active Directory “integrated DNS servers; therefore, answers A and D are incorrect. The Non-secure setting should be avoided because it lacks security; therefore, answer B is incorrect.

Answer C is correct. Wuau.adm is used to manage Windows Updates. Inetres.adm is used for Internet Explorer policies; therefore, answer A is incorrect. Conf.adm is used to manage Windows 95 and Windows 98 clients; therefore, answer B is incorrect. System.adm is used for managing Windows clients; therefore, answer D is incorrect.

Answers A, B, and C are correct. Jim can back up and then import a GPO's settings when interforest migration is not possible or not convenient , whereas the copy function can be used to migrate an existing GPO between well-connected trusted forests. Answer D is incorrect because the restore function is used to restore a previous GPO backup from its storage location, rather than for migration between forests. Answers E and F are incorrect because there are no export and transfer actions in the GPMC.

Answers A and D are correct. Both the user logon name and the LDAP relative distinguished name must be unique only within their container. Answer B is incorrect because the pre “Windows 2000 logon name must only be unique within the domain. Answer C is incorrect because the principal logon name must be unique within a forest. Answer E is incorrect because there is no unified logon name.

Answer C is correct. The unapproved update must be manually removed from the client computers. Answers A, B, and D are incorrect because there is no way to automatically uninstall a previously approved update from a client computer.

Answer D is correct. Amy must be a member of the local Administrators group to view the Administrators Web page. The Domain Admin group membership would give user Amy too much authority; therefore, answer A is incorrect. Amy does not need IIS installed because Windows XP Professional installs Internet Explorer 6.0 by default; therefore, answer B is incorrect. Additionally, IE does not need upgrading; therefore, answer C is incorrect.

Answer C is correct. The Resultant Set of Policy is the resulting list of policy settings after evaluation of all relevant GPOs, often displayed with the source of the winning setting's source GPO. Answer A is incorrect because the Resultant Set of Policy does not display all possible settings, only the final resultant set. Answers B and D are incorrect because the Resultant Set of Policy involves the evaluation of all relevant GPOs for a target object or container, rather than those of a target GPO.

Answer C is correct. On the Zone Transfers tab of secondary DNS Server2, Susan should select Only to the Following Servers, and type the primary DNS Server2 IP address of 192.168.2.4. Primary Server1 and secondary DNS Server1 are on a different subset address of 192.168.1.x; therefore, answers A and B are incorrect. The IP address of secondary DNS Server2 is 192.168.2.4; therefore, answer D is incorrect.

Answer A is correct. Amy should right-click the overwritten PowerPoint file and choose Properties. She should then select the Previous Version tab and click the Restore button to replace the current PowerPoint file with the previously overwritten shadow copy file. Amy cannot recover her overwritten file by selecting her shared folder; therefore, answer C is incorrect. Viewing or copying her overwritten file does not replace the old file; therefore, answers B and D are incorrect.

Answer C is correct. The LocalService pseudo-account is used to run system services that generate system audit events, including the Alerter service. Answer A is incorrect because the IUSR_ < servername > account is used only by Microsoft's IIS service, by default. Answers B and D are incorrect because the LocalSystem and NetworkService pseudo-accounts provide access to only local logon rights (LocalSystem) or to additional network access (NetworkService) as required for the DNS client.

Answer B is correct. Max should use the Driver Rollback feature and roll back the SCSI driver to its original driver. Disabling the SCSI controller would result in loss of function; therefore, answer A is incorrect. Uninstalling or obtaining new SCSI driver updates would work, but would take too much time; therefore, answers C and D are incorrect.

Answer B is correct. The domain account password policy for creating passwords with a minimum of eight characters is applied. Domain account policies always take precedence over other account policies. Thus, the Sales and Marketing OU account polices are not applied, making answers C and D incorrect. You cannot apply all three account polices, only the domain account policy is applied; therefore, answer A is incorrect.

Answers B and E are correct. The Setup Security template is generated at installation, carrying all the default security settings for the system at that time, whereas the DC Security template specifies the default security template for domain controllers. Answer A is incorrect because there is no CompatDC template by default, only the Compatws.inf template, which relaxes some forms of security on workstations that need to run legacy or non “Windows Logo Program “certified software. Answers C and D are incorrect because the HisecDC and SecureDC templates are used to configure secure and highly secure settings for domain controllers and do not define the default configuration settings specified.

Answer D is correct. Tom should select stub zone for the child DNS server. Stub zones can simplify DNS administration by distributing their resource lists to authoritative DNS servers for the zone without adding, maintaining, or using secondary zones. Companies with multiple domains can use stub zones to simplify DNS administration. Adding another Active Directory “integrated server to a child zone would result in increased DNS traffic and administration; therefore, answer A is incorrect. Adding a secondary zone would increase administration; therefore, answer B is incorrect. You can only have one primary zone per subnet; therefore, answer C is incorrect.

Answer C is correct. Runas /user:ComputerName\administrator "mmc%windir%\system32\dsa.msc" connects to Active Directory Users and Computers with domain administrator credentials. Answer A is incorrect because it uses a command prompt with administrative credentials. Answer B is incorrect and is used to connect to Computer Management with administrative credentials. Answer D is incorrect because it connects to Active Directory Users and Computers in another forest.

Answer D is correct. Susan should use the Driver Rollback feature and roll back the NIC driver to its original driver. Uninstalling or obtaining new NIC driver updates would work, but would take too much time; therefore, answers A and C are incorrect. Disabling the NIC card would result in loss of function; therefore, answer B is incorrect.

Answer B is correct. When configuring the security settings for a public kiosk's automatic logon account, the setting to prevent users from changing the password is the most obvious setting required. Answer A is incorrect because the requirement to change the password might result in a later inability to log on to the kiosk by this account without a manual reset of the password to its proper version. Answer C is incorrect because even the passwords of public, unprivileged accounts should be reset on a regular basis to avoid providing a target for brute-force unauthorized access attempts. Answer D is incorrect because a disabled account cannot be used for logon purposes and would prevent the kiosk from proper automatic logon.

Answer D is correct. SUS is Microsoft's Software Update Service and should be used for rollouts of applications to client computers. Group Policies are used to manage users and computer in domains; therefore, answer A is incorrect. IIS is a Web site and application server; therefore, answer B is incorrect. Terminal Services delivers applications to clients' desktops and can also operate in remote administration mode; therefore, answer C is incorrect.

Answer A is correct. John needs to use Event Viewer, Security log on the Windows Server 2003 domain controller to view the results of the logon success and failures. The Security Template tool is used to create and modify templates; therefore, answer B is incorrect. The Security Configuration and Analysis tool applies the Security Template settings; therefore, answer C is incorrect. The Active Directory Users and Computers module is used to manage users and computers, not security settings; therefore, answer D is incorrect.

Answer C is correct. The Local Security Policy MMC snap-in is the only item from those listed that is installed by default on a standalone or member server. Answers A and B are incorrect because the Domain Controllers Security Policy and Domain Security Policy MMC snap-ins are present only for servers participating in domain membership and having had the AdminPak.msi run to install these items, which is performed during a dcpromo event automatically. Answers D and E are incorrect because the Security Templates and Security Configuration and Analysis MMC snap-ins are available only through a custom-created Microsoft Management Console to which you have added them.

Answer D is correct. Tom should right-click the child domain and choose New Delegation. Using the New Delegation Wizard, Tom then adds the power user. The Local Administrators, DNS Admins, and Domain Admin groups would each give the power user too much authority; therefore, answers A, B, and C are incorrect.

Answer E is correct. The -loscr parameter is used to specify the path to the account's logon script. Answers A and D are incorrect because the -fn and -ln parameters are used to specify the values of the first name and last name attributes of the account. Answers B and C are incorrect because the -hmdir parameter is used to specify the path of the home drive for the user account, whereas the -hmdrv parameter is used to specify the drive letter to be assigned to the user's home directory.

Answer D is correct. .NET Passport Authentication provides a single, unified logon, passwords are encrypted, and the level of security is high. Advanced Digest Authentication requires a user account and password and has a medium level of security; therefore, answer A is incorrect. Digest Authentication requires a user account and password and has a medium level of security because user credentials are sent across the network in a hashed message digest; therefore, answer B is incorrect. Integrated Windows Authentication uses Kerberos as the authentication protocol and provides a high level of security, but is not a unified logon, making answer C incorrect.

Answer B is correct. A Glue A resource record is a delegation record used for finding authoritative DNS servers for the delegated zone. The Glue resource record provides the IP address of the DNS server that is authoritative for the domain. SOA (Start-Of-Authority) and NS (Name Server) are resource records. A delegation record used for finding secondary DNS servers for the delegated zone is incorrect. Secondary servers maintain read-only copies of records. Nonauthoritative DNS servers do not maintain a database.

Answers A and B are correct. Both the Group Policy Management Console and the Security Configuration and Analysis MMC snap-in can be used to evaluate the effective permissions that would result from the addition of a new GPO. The Security Templates MMC snap-in is used to configure and apply security policy templates, and does not have the capability for evaluative modeling, making answer C incorrect. Answer D is also incorrect because the Group Policy Object Editor is used to configure the individual policy settings and does not carry the capability to perform an evaluation of the Resultant Set of Policy. Answer E is incorrect because the Ldifde command-line utility is used to modify the Active Directory schema.

Answer D is correct. Enabling logon successes in large companies causes the Event Viewer security log to fill quickly. Logon failures, on the other hand, should result in only a few security events and is the preferred event to audit; therefore, answer A is incorrect. The security log is empty by default until auditing is enabled; therefore, answer B is incorrect.

Answer B is correct. John needs to perform a System State backup. Regedit edits the Registry; therefore, answer A is incorrect. Regedt32 also is used to edit the Registry, including security permissions; therefore, answer C is incorrect. NT32backup does not exist; therefore, answer D is incorrect.

Answer A and D are correct. Max should enable conditional forwarding for one DNS server in each site to a master server in each of the other two sites. A conditional forwarder configures the DNS server to forward the query it receives to a DNS server listed in the header of the query. Conditional forwarding provides the ability to control routing of your DNS traffic on a network. Adding a caching-only server to each site could reduce DNS traffic across routers. A stub zone keeps the DNS server hosting the parent zone aware of all authoritative servers for the child zone; therefore, answer B is incorrect. Secondary servers are used for fault tolerance and contain a read-only copy of the database. Adding another primary or secondary server would not reduce inter-site DNS network traffic; therefore, answers C and E are incorrect.

Answer D is correct. The %SystemRoot% variable specifies the directory for the operating system installation. Answer A is incorrect because the %HomeDrive% variable stores the drive letter assigned to the user's home directory. Answer B is incorrect because the %HomePath% variable is used to store the full UNC path to the user's home directory. Answer C is incorrect because there is not a %SystemDrive% environmental variable by default.

Answer C is correct. Sara must perform a nonauthoritative restore on the domain controller. All data restored nonauthoritatively appears in Active Directory as old data and is never replicated to other domain controllers. It is not necessary to perform an authoritative restore; therefore, answer A is incorrect. Restoring just the System State or the last differential backup would not work; therefore, answers B and D are incorrect.

Answers A, B, C, D are correct. The runas command is not limited to just administrator accounts. Use this command when you are logged on as a member on another group or need permissions other than what is currently assigned to the account with which you are currently logged in. Answers E, F, and G are incorrect. Anonymous is used for access over the Internet; SELF and the Everyone group are built-in accounts and not selectable.

Answer B is correct. Sara needs to audit account management events that include creating, modifying, deleting, and changing user accounts and passwords. Account logon events audit user logon and logoff success and failures; therefore, answer A is incorrect. Object access is used to audit user or group access to files and folders; therefore, answer C is incorrect. Policy change audits access to modified policies; therefore, answer D is incorrect.

Answer B is correct. The gpupdate.exe command-line utility can be used to force a reboot or logoff to ensure that new policy settings are applied, replacing the /refreshpolicy option of the secedit.exe utility within the Windows Server 2000 environment, which also makes answer A incorrect. There is no gpapply.exe utility provided, making answer C incorrect, as well. Answer D is incorrect because the gpresult.exe utility is used to review the Resultant Set of Policy (RSoP) rather than to force the immediate application of a new GPO's settings.

Answers A, B, and C are correct. The -d parameter specifies the account's home domain, the -s parameter specifies the target server for this operation, and the -u parameter specifies the target user account. Answer D is incorrect because the /? switch is used to query the command's help file for its available parameters. Answers E and F are incorrect because the -x and -z parameters are not for removing user accounts.

Answer C is correct. Start, All Programs, Accessories, Communications, Remote Desktop Connection is the only way to access the program; therefore, answers A, B, and D are incorrect.

Answer D is correct. Susan should configure the DNS server option Set Aging/Scavenging for all zones to adjust the refresh intervals. Configure Scavenge Stale Resource Records is used to manually remove old outdated resource records; therefore, answer A is incorrect. Configure Update Server Data Files writes all zone file changes in Active Directory; therefore, answer B is incorrect. NSLookup is used for troubleshooting DNS problems; therefore, answer C is incorrect.

Answer C is correct. By selecting the /boot option, you're specifying that the system should reboot if computer settings have been changed. Because you did not include the /force option, the settings will not be applied until the next logon, making Answers A and B incorrect because none of the stated requirements will be met. Without the /logoff option specified for a target user, the user of the computer will not be logged off automatically, making answers D and E incorrect.

Answers A and C are correct. Sara must be a member of either the Local Administrators or Backup Operators group. Power Users, Account Operators, and System Operators do not have permission to perform restores ; therefore, answers B, D, and E are incorrect.