Review Questions


1. Which domain type boasts simple design and ease of administration?

   A. Master User Domain

   B. Single domain

   C. Forest domain

   D. Multiple domain


2. What is the name of the utility that allows you to move computer and user accounts from one domain to another?

   A. Active Directory Merge Utility

   B. Active Directory Migration Tool

   C. Active Directory Domains and Trusts

   D. Active Directory Users and Computers


3. If you require different account policies between remote offices, which of the following must you do?

   A. Use a single forest/single domain model, place the remote branch in a resource OU, and define account policies on that OU.

   B. Use a single forest/multiple domain model and define account policies on each domain.

   C. Use a single forest/multiple domain model, configure OUs in each domain, and match their names exactly. Configure account settings on the main OU and those settings will replicate to the other OU in the other domain.

   D. Use a multiple forest/multiple domain model and define account policies on each forest.


4. While migrating from an NT 4 domain to a Windows Server 2003 Active Directory domain, which type of trust will you create to start the migration?

   A. Forest trust

   B. Shortcut trust

   C. External trust

   D. Internal trust


5. You are the administrator of a large multiple domain forest. Users from one domain use printers and databases from another domain on a regular basis. The two domains reside in different trees within the forest. You need to design a more efficient authentication process than what is provided through the default trust relationships. Which of the following will allow you to do this with the least administrative effort?

   A. Move all user accounts to the root of the forest.

   B. Create matching accounts in the other domains that the user will need access to.

   C. Create two-way domain trusts between the two domains.

   D. Create a shortcut trust between the two domains.


6. What feature in Active Directory allows a user to retain the security identifier for an account that has been moved from one domain to another?

   A. SIDHistory

   B. SID filtering

   C. SID lookup

   D. SID attribute


7. Which of the following criteria must be met for SIDHistory to work after an object has been moved to another domain in the same forest? (Choose all that apply.)

   A. The domain must be in Windows 2000 Native Mode.

   B. You must use the ADMT tool or a compatible third-party application.

   C. The account must have the SIDHistory attribute enabled before the migration, which is accomplished from the ADMT tool.

   D. The ADMT utility must be the version for Windows 2003.


8. When adding a Windows 2003 domain controller to an existing Windows 2000 native mode domain, which of the following steps would you take before you bring the new Windows 2003 domain controller into the network? (Choose all that apply.)

   A. Run ADPrep /forestprep

   B. Run ADPrep /prepDNS

   C. Run DomainPrep /prepDNS

   D. Run ADPrep /domainprep


9. Which of the following single master operations roles are, by default, located only in the forest root? (Choose all that apply.)

   A. Global Catalog

   B. Schema Master

   C. Domain Naming Master

   D. Infrastructure Master

   E. Primary Domain Controller (PDC) Emulator


10. For security reasons, you would like to disable the SID History feature. How would you do this?

   A. Disable the trust between the domains.

   B. Remove the SIDFiltering attribute from the forest root domain.

   C. Enable SIDFiltering on the trust between the domains.

   D. Configure Group Policy to disable SIDHistory and apply it to the OU where the users reside.


Answers

1. B. Single domains are the easiest to administer and easiest to design and configure.

2. B. The Active Directory Migration Tool copies accounts from one domain to another, whether that domain is a Windows NT 4-, Windows 2000-, or Windows 2003-based domain. If you want to populate the SIDHistory attribute when you are using this utility, the target domain has to be at least at the Windows 2000 functional level.

3. B. Each domain has a Default Domain policy that enforces the account policy restrictions. These restrictions cannot be overridden at any other level within the domain. If a group of users have password policies, account lockout restrictions, or Kerberos policy requirements that are different from the domain standard, a new domain will be required.

4. C. An external trust is a trust that is created between domains in different forests. An example would be a trust between an NT 4 domain and a Windows Server 2003 Active Directory domain.

5. D. Shortcut trusts are created between domains in a forest to provide a more efficient authentication process. Active Directory automatically measures the shortest trust path to the other domain.

6. A. SIDHistory is an attribute in a Windows 2003 domain that allows a resource to retain the security identifier from one domain after being moved to another.

7. A, B, D. SIDHistory only works if the following requirements are met: the domain must be at least Windows 2000 Native Mode; the account must be migrated with the ADMT utility; and the ADMT utility must be the version for Windows 2003.

8. A, D. Before you can bring a Windows 2003 Active Directory domain controller into an existing Windows 2000 network, you must extend the schema. This is done by running the commands ADPREP /forestprep and ADPREP /domainprep.

9. B, C. Of the five single master operations roles, the Schema Master and Domain Naming Master are forest-level roles and you can only have one per forest. The other three roles (Relative Identifier (RID) Master, Infrastructure Master, and Primary Domain Controller Emulator) are limited to one per domain. In a multiple domain model, you may have more than one RID Master, Infrastructure Master, or PDC Emulator, but you will only have one Schema Master and one Domain Naming Master.

10. C. The SIDHistory attribute is seen as a possible security problem. A rogue administrator could modify the SIDHistory attribute on an account to reflect another account's SID, thus gaining access to objects and resources that they would normally not have access to. In order to stop this SID spoofing, SID filtering can be enabled on the trust relationship, eliminating the use of the SIDHistory attribute on objects from other domains. With SID filtering in place, the account's actual SID would be the only security descriptor that could be used across the trust relationship in the target domain.


MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
Year: 2004
Pages: 159
Authors: Brad Price, Sybex