1. | Which domain type boasts simple design and ease of administration?
2. | What is the name of the utility that allows you to move computer and user accounts from one domain to another?
3. | If you require different account policies between remote offices, which of the following must you do?
4. | While migrating from an NT 4 domain to a Windows Server 2003 Active Directory domain, which type of trust will you create to start the migration?
5. | You are the administrator of a large multiple domain forest. Users from one domain use printers and databases from another domain on a regular basis. The two domains reside in different trees within the forest. You need to design a more efficient authentication process than what is provided through the default trust relationships. Which of the following will allow you to do this with the least administrative effort?
6. | What feature in Active Directory allows a user to retain the security identifier for an account that has been moved from one domain to another?
7. | Which of the following criteria must be met for SIDHistory to work after an object has been moved to another domain in the same forest? (Choose all that apply.)
8. | When adding a Windows 2003 domain controller to an existing Windows 2000 native mode domain, which of the following steps would you take before you bring the new Windows 2003 domain controller into the network? (Choose all that apply.)
9. | Which of the following single master operations roles are, by default, located only in the forest root? (Choose all that apply.)
10. | For security reasons, you would like to disable the SID History feature. How would you do this?
Answers
1. | B. Single domains are the easiest to administer and easiest to design and configure. |
2. | B. The Active Directory Migration Tool copies accounts from one domain to another, whether that domain is a Windows NT 4-, Windows 2000-, or Windows 2003-based domain. If you want to populate the SIDHistory attribute when you are using this utility, the target domain has to be at least at the Windows 2000 functional level. |
3. | B. Each domain has a Default Domain policy that enforces the account policy restrictions. These restrictions cannot be overridden at any other level within the domain. If a group of users has password policies, account lockout restrictions, or Kerberos policy requirements that are different from the domain standard, a new domain will be required. |
4. | C. An external trust is a trust that is created between domains in different forests. An example would be a trust between an NT 4 domain and a Windows Server 2003 Active Directory domain. |
5. | D. Shortcut trusts are created between domains in a forest to provide a more efficient authentication process. Active Directory automatically measures the shortest trust path to the other domain. |
6. | A. SIDHistory is an attribute in a Windows 2003 domain that allows a resource to retain the security identifier from one domain after being moved to another. |
7. | A, B, D. SIDHistory only works if the following requirements are met: the domain must be at least Windows 2000 Native Mode; the account must be migrated with the ADMT utility; and the ADMT utility must be the version for Windows 2003. |
8. | A, D. Before you can bring a Windows 2003 Active Directory domain controller into an existing Windows 2000 network, you must extend the schema. This is done by running the commands ADPREP /forestprep and ADPREP /domainprep. |
9. | B, C. Of the five single master operations roles, the Schema Master and Domain Naming Master are forest-level roles and you can only have one per forest. The other three roles, Relative Identifier (RID) Master, Infrastructure Master, and Primary Domain Controller Emulator, are limited to one per domain. In a multiple domain model, you may have more than one RID Master, Infrastructure Master, or PDC Emulator, but you will only have one Schema Master and one Domain Naming Master. |
10. | C. The SIDHistory attribute is seen as a possible security problem. A rogue administrator could modify the SIDHistory attribute on an account to reflect another account's SID, thus gaining access to objects and resources that they would normally not have access to. In order to stop this SID spoofing, SID filtering can be enabled on the trust relationship, eliminating the use of the SIDHistory attribute on objects from other domains. With SID filtering in place, the account's actual SID would be the only security descriptor that could be used across the trust relationship in the target domain. |