Exam Prep Questions

All questions for this chapter refer to the following case study.

Case: DKP Int'l

DKP Int'l is a large produce company with locations in Canada, United States, and Europe. DKP Int'l consists of three different departments: Transportation, Cooling, and Sales. The headquarters is located in Salinas, California. The three divisions are spread out across the various locations.

Current LAN/Network

DKP Int'l currently has a Windows NT 4.0 infrastructure. It has a single user account domain. Each continent has its own resource domain. Most workstations are currently running Windows 95. Some workstations within the head office are running Windows XP Professional.

10 Mbps twisted-pair Ethernet is used at all office locations.

Proposed LAN/Network

DKP Int'l has decided to upgrade the existing infrastructure to Windows Server 2003. A DNS name has been registered. DKP.com will be used for the internal and external namespace.

Current WAN Connectivity

The company has four facilities in North America, connected by full T-1 links. The two European plants are connected to each other with a 256Kbps circuit, and the two Canadian facilities are linked with a 256Kbps Virtual Private Network (VPN). All these links are relatively underutilized.

The headquarters office in Salinas is connected to both the European and Canadian locations via a 64Kbps link. This circuit is very heavily used, especially during Salinas's business hours.

Proposed WAN Connectivity

No changes are proposed at this time, although management has recognized that the 64Kbps circuit between Europe, North America, and Canada must be upgraded eventually.

Directory Design Commentary

CIO: Divisions within each of the different continents remain fairly autonomous. IT, however, is currently centralized in Salinas. Local administrators will be granted more authority in the future. Unique password policies are required for each continent.

CEO: DKP Int'l has entered into a joint venture with ICI Produce, a grower of organic vegetables. The venture makes the organic vegetables available to buyers through DKP Int'l. DKP Int'l needs access to ICI Produce information.

Current Internet

DKP Int'l currently has no Internet presence.

Future Internet Presence

DKP Int'l plans to develop a Web site (www.dkp.com).

Questions

Question 1

When planning for the forest root domain, which of the following DNS names should you choose?

  • A. us.DKP.com

  • B. ICI.com

  • C. dkp.com

  • D. www.DKP.com

A1:

Answer C is correct because DKP Int'l intends to use the same DNS name for the internal and external namespace. Answer A is incorrect because it places the forest root under dkp.com; the domain name us.dkp.com may not be the best representation of the company. Answer B is incorrect because it is the name of another company and is not at all appropriate as the forest root. Answer D is incorrect because this is the future name of the Web site.

Question 2

An Internet presence is being created for ICI Produce. An Internet name of ici.com is registered. How should the Active Directory design be modified for this new domain?

  • A. Create a child domain of dkp.com called ici.dkp.com

  • B. Create a child domain of dkp.com called dkp.ici.com

  • C. Create a new domain tree with a root domain of ici.com

  • D. Create a new forest with a root domain of ici.com

A2:

Answer C is correct. Because ici.com is a different DNS namespace from DKP Int'l, it's best to create a new domain tree rather than use the approach suggested by answer A. Answer B is incorrect because the child and parent domain names are reversed. Because DKP Int'l management requires full access to ICI Produce data, including Active Directory contents, answer D is also incorrect.

Question 3

You're planning the number of Active Directory domains. How many child domains should be created off the forest root domain?

  • A. None

  • B. One: ici.com

  • C. Three (one for each continent)

  • D. Three (one for each division)

A3:

Answer C is correct. Because of the security requirements (separate password policies for each continent) and the WAN constraints, separate domains are required for each continent. Answer A is incorrect because of the same WAN speed and security restrictions. Finally, answer B is incorrect because ici.com is a different namespace from dkp.com.

Question 4

During the migration process, users might be required to access resources within a Windows NT 4.0 domain. If this is the case, what kind of trust can be configured?

  • A. No trust relationships can exist between Windows Server 2003 and Windows NT 4.0 domains.

  • B. A two-way transitive Kerberos trust can be created.

  • C. A two-way nontransitive Kerberos trust can be created.

  • D. A one-way nontransitive NTLM trust can be created.

A4:

Answer D is correct. Old-style NTLM trusts can be established between Windows Server 2003 domains and Windows NT domains. These trusts are nontransitive. If a two-way trust is required, two one-way trusts can be set up, just as was done under NT. Therefore, answer A is incorrect. Answers B and C are also incorrect because Windows NT does not support Kerberos authentication or trust relationships.

Question 5

What kind of trust relationship exists automatically between dkp.com and ici.com?

  • A. None

  • B. Two-way transitive Kerberos trust

  • C. One-way nontransitive NTLM trust

  • D. Shortcut trust

A5:

Answer B is correct. A two-way Kerberos trust is automatically created between root domains of a disjointed namespace in the same forest, which means that answer A must be incorrect. No one-way trusts are automatically created in Windows Server 2003, so answer C is incorrect. Answer D is also incorrect because shortcut trusts are manually created between domains that do not have a direct trust relationship between them. Shortcut trusts speed Kerberos credential validation by shortening the validation path through the forest.

Question 6

What is the first domain created in an organization's Active Directory called?

  • A. The root domain

  • B. The forest

  • C. The forest root

  • D. The schema

A6:

Answer C is correct. Answer A is incorrect because although the forest root is also a root domain, the forest root domain has special importance in Active Directory, which other root domains will not have. Answer B is incorrect even though the creation of the forest root occurs at the same time as the creation of the forest. The schema is the logical definition of Active Directory. Therefore, answer D is incorrect also.

Question 7

Which of the following are shared between all domains within a single forest? (Select all correct answers.)

  • A. Global catalog

  • B. Schema

  • C. Sysvol

  • D. Domain naming context

  • E. Configuration container

A7:

Answers A, D, and E are correct. The schema, global catalog, and configuration are replicated between domains. Therefore, answers C and D are incorrect.

Question 8

DKP's Active Directory design has a root domain of dkp.com, with child domains of na.dkp.com, eur.dkp.com, and ca.dkp.com. By default, can users in ca.dkp.com access resources in na.dkp.com?

  • A. No. A shortcut trust must be created between ca.dkp.com and eur.dkp.com.

  • B. No. Trusts in Active Directory are not transitive.

  • C. Yes. Two-way Kerberos trusts are automatically created between parent and child domains as well as between root domains in a forest.

  • D. Yes. Trusts are created automatically between every domain in a forest.

A8:

Answer C is correct. Two-way transitive Kerberos trusts are created automatically whenever a new domain is added to a forest. The trust goes from child domain to parent domain or between root domains in a disjointed namespace. Although you can create a cross-link trust between two domains to speed Kerberos validation, answer A is incorrect because this trust is not necessary. Answer B is incorrect because the default trusts established between domains are indeed transitive. Finally, answer D is incorrect because trusts are not created between every domain, but rather from parent to child and between root domains in the forest.

Question 9

A new office has been opened in Auckland, New Zealand, and the IT director wants to know whether a new domain should be created for the Australian continent. Business plans call for an expansion of operations to include 2000 employees at three locations within two years. What factors should the IT director consider in making her decision? (Choose two correct answers.)

  • A. Security requirements specific to Australia

  • B. Number of employees

  • C. Local administration of resources

  • D. The size of Active Directory

  • E. Replication traffic and wide area link availability

A9:

Answers A and E are correct. Security policies are set at the domain level, so if there are requirements specific to the Australian operation, a separate domain should be considered. Also, if wide area links are slow, congested, or unreliable, a new domain will allow use of the SMTP protocol for Active Directory replication over the slow link.

Answers B and D are not correct. The tested limits of Active Directory are more than 50 million objects, so it isn't necessary to create additional domains to handle 2,000 additional employees.

Finally, answer C is not correct because administration can be delegated at the organizational unit level, thus eliminating the need to create a domain to achieve administrative granularity.

Question 10

An application being used by ICI Produce requires some modifications to the Active Directory schema. Who can perform this operation? (Choose all correct answers.)

  • A. A member of the Domain Admins global group in the domain where the application is installed.

  • B. A member of the Enterprise Admins global group.

  • C. A member of the Schema Admins global group.

  • D. Attributes cannot be added to the global catalog without permission from Microsoft.

A10:

Answers B and C are correct. Members of the Schema Admins group can modify the schema. Answer B is also correct because the initial Administrator account created in the forest root domain is a member of both the Enterprise Admins and Schema Admins groups. The Active Directory Schema MMC snap-in is used to mark an attribute as one that should be replicated to the global catalog. Answer A is incorrect on two counts: Schema modifications affect the entire forest, not a single domain, and domain administrators do not have the rights to modify the schema. Finally, answer D is incorrect because the Active Directory design allows an organization complete flexibility in modifying the schema.




MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
EAN: 2147483647
Year: 2003
Pages: 152
