Objective 4.1: Questions




1. 

You are the administrator of the Active Directory forest for the science department at the local university. You want to create a forest trust relationship with the Active Directory forest for the arts department. All domain controllers in both forests are running Windows Server 2003. All domains in each forest are running at the Windows Server 2003 functional level. When you attempt to create the forest trust relationship, you are only given the option to create an external trust relationship. What do you need to do to create a forest trust relationship between the forests of the arts department and the science department?

  A. Forest trust relationships are only available in Windows 2000 forests.

  B. You need to install an enterprise root CA in each forest.

  C. The first forest needs an enterprise root CA. The second forest needs an enterprise subordinate CA that trusts the enterprise root CA from the first forest.

  D. You must raise the forest functional level of both forests to Windows Server 2003.


2. 

You are responsible for coordinating the forest trust relationships at the local university. There are seven departments, each of which has its own Windows Server 2003 Active Directory infrastructure. The Medicine, Science and Engineering forests are running at the Windows Server 2003 forest functional level. The Arts, Economics, Law, and Education forests are running at the Windows 2000 functional level. Forest trust relationships exist between Medicine and Science, and between Science and Engineering. External trust relationships exist between the root domains of the following forests: between Arts and Science, between Arts and Economics, between Law and Medicine, between Law and Education, and between Education and Engineering.

You have received a telephone call from the Administrator of the Science forest. She asks the following question: If she creates a domain local group in one of the child domains for the Science forest, from which of the other department forests will she be able to add universal groups? How should you answer her question?

  A. Arts

  B. Medicine

  C. Engineering

  D. Economics

  E. Law

  F. Education


3. 

There are five accounts that are members of the Domain Admins group in your domain. Because these accounts are sensitive, you want to restrict delegated authentication for these accounts. Which of the following methods could you use to do this?

  A. On the General tab of the properties of the Domain Admins group, ensure that the Account Is Sensitive And Cannot Be Delegated check box is checked.

  B. Configure the membership of the Domain Admins group by using the restricted groups node of the default domain Group Policy object (GPO).

  C. In the Account Policies node of the default domain GPO, add the Domain Admins group to the Restrict Delegated Authentication policy.

  D. Use Active Directory Users And Computers to select the user accounts for all five members of the Domain Admins group. Edit the properties of these accounts. On the Account tab in the Account Options section, ensure that the Account Is Sensitive And Cannot Be Delegated check box is selected.


4. 

Parsons is the administrator for an Internet Web site that is run by an accounting company. There are particular areas of the Web site that Parsons wants to secure from unauthorized access. Because much of the information stored on the site is confidential, a strong form of authentication is required. The root domain of the accounting company's forest is adatum.com. The Web server is located on the perimeter network in a special child domain named pn.adatum.com. Each user that is to be given access to the confidential area of the site will have a special account created for him within a special child domain called clients.adatum.com. Parsons has the following requirements for the Web site's authentication strategy:

  • Authentication must occur without reference to any third party.

  • Authentication between client and server must not transmit credentials over the Internet without encryption.

  • Authentication must be able to occur through proxy servers and firewalls.

  • Authentication must be as secure as possible, given the constraints of the other conditions.

Parsons has made sure that anonymous access has been disabled. Which of the following authentication methods should Parsons use for the accounting company's Web site?

  A. .NET Passport authentication

  B. Basic authentication

  C. Integrated Windows authentication

  D. Digest authentication for Windows domain servers


5. 

You are planning the rollout of Windows Server 2003 to an environment with a mixed set of clients. The company for which you will be installing Windows Server 2003 has a mixture of computers running Windows NT 4.0 Workstation, notebook computers running Windows Millennium Edition, and computers running Windows 2000 Professional. Which of the following authentication protocols will be used by the computers running Windows NT 4.0 Workstation when they authenticate against a domain controller running Windows Server 2003?

  A. NTLM/NTLMv2

  B. SSL/TLS

  C. Digest authentication

  D. .NET Passport authentication

  E. Kerberos v5 authentication


Answers

1. 

Correct Answers: D

  A. Incorrect. Forest trust relationships can only be created if both forests are running at the Windows Server 2003 functional level. Although all of the domains in the example are running at the Windows Server 2003 functional level, and this would enable the forest to be running at this level, unless the level of the forest is explicitly raised, it will stay at the default Windows 2000 functional level.

  B. Incorrect. Forest trust relationships can exist irrespective of the presence of an enterprise root CA. Forest trust relationships can only be created if both forests are running at the Windows Server 2003 functional level. Although all of the domains in the example are running at the Windows Server 2003 functional level, and this would enable the forest to be running at this level, unless the level of the forest is explicitly raised, it will stay at the default Windows 2000 functional level.

  C. Incorrect. Forest trust relationships can exist irrespective of the presence of an enterprise root CA. Forest trust relationships can only be created if both forests are running at the Windows Server 2003 functional level. Although all of the domains in the example are running at the Windows Server 2003 functional level, and this would enable the forest to be running at this level, unless the level of the forest is explicitly raised, it will stay at the default Windows 2000 functional level.

  D. Correct. Forest trust relationships can only be created if both forests are running at the Windows Server 2003 functional level. Although all of the domains in the example are running at the Windows Server 2003 functional level, and this would enable the forest to be running at this level, unless the level of the forest is explicitly raised, it will stay at the default Windows 2000 functional level.

2. 

Correct Answers: B and C

  A. Incorrect. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust is on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.

  B. Correct. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust occurs on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.

  C. Correct. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust occurs on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.

  D. Incorrect. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust occurs on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.

  E. Incorrect. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust occurs on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.

  F. Incorrect. Forest trust relationships are nontransitive. In other words, just because Forest A trusts Forest B, and Forest B trusts Forest C, it does not automatically mean that Forest A trusts Forest C. The difference between a forest trust and an external trust is that an external trust occurs on a domain-to-domain basis. So a child domain of the Science forest will not be able to use an external trust relationship configured between the root domain of the Science forest and the root domain of another forest.
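The reasoning in answer 2, worked through as an added example (not from the book). It models the seven forests from the question and resolves which forests a given domain can draw groups from; the two-way direction of every trust and the domain names `root` and `child` are assumptions, since the question does not give them.

```python
# Constructed model of the seven forests in question 2. Every trust is
# assumed two-way, because the question only says trusts "exist between" them.
FOREST_TRUSTS = {
    frozenset({"Medicine", "Science"}),
    frozenset({"Science", "Engineering"}),
}

# An external trust joins two specific domains, modelled as (forest, domain).
# "root" stands for the forest root domain; the name is a placeholder.
ROOT = "root"
EXTERNAL_TRUSTS = {
    frozenset({("Arts", ROOT), ("Science", ROOT)}),
    frozenset({("Arts", ROOT), ("Economics", ROOT)}),
    frozenset({("Law", ROOT), ("Medicine", ROOT)}),
    frozenset({("Law", ROOT), ("Education", ROOT)}),
    frozenset({("Education", ROOT), ("Engineering", ROOT)}),
}


def trusted_sources(forest, domain):
    """Return {forest_name: scope} of forests that `domain` in `forest` trusts.

    Only direct trusts count: neither trust type is followed a second hop,
    which is the nontransitivity the answer describes.
    """
    sources = {}
    # A forest trust applies to every domain in both forests.
    for pair in FOREST_TRUSTS:
        if forest in pair:
            (other,) = pair - {forest}
            sources[other] = "entire forest"
    # An external trust applies only to the two domains it was created between.
    here = (forest, domain)
    for pair in EXTERNAL_TRUSTS:
        if here in pair:
            (other,) = pair - {here}
            sources.setdefault(other[0], f"domain '{other[1]}' only")
    return sources


if __name__ == "__main__":
    for dom in ("child", ROOT):  # "child" is a hypothetical child domain name
        print(f"Science/{dom}:", trusted_sources("Science", dom))
    print("Medicine/root:", trusted_sources("Medicine", ROOT))
```

The child domain resolves to Medicine and Engineering only, matching answers B and C, and Medicine never reaches Engineering through Science.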

3. 

Correct Answers: D

  A. Incorrect. This option must be set on an account-by-account basis. This is done by editing the account properties, clicking the Accounts tab, and, in the Account Options section, selecting the Account Is Sensitive And Cannot Be Delegated check box.

  B. Incorrect. This option must be set on an account-by-account basis. This is done by editing the account properties, clicking the Accounts tab, and, in the Account Options section, selecting the Account Is Sensitive And Cannot Be Delegated check box. This cannot be done by using restricted groups.

  C. Incorrect. This option must be set on an account-by-account basis. There is no Restrict Delegated Authentication policy. To restrict delegated authentication, edit the account properties, click the Accounts tab, and, in the Account Options section, select the Account Is Sensitive And Cannot Be Delegated check box.

  D. Correct. This option must be set on an account-by-account basis. This is done by editing the account properties, clicking the Accounts tab, and, in the Account Options section, selecting the Account Is Sensitive And Cannot Be Delegated check box.

4. 

Correct Answers: D

  A. Incorrect. .NET Passport authentication occurs with reference to a third party, and hence does not meet Parsons's requirements.

  B. Incorrect. Basic authentication transmits authentication credentials across the network in plaintext format, and hence does not meet Parsons's requirements.

  C. Incorrect. Although Integrated Windows authentication does provide the most secure authentication solution (aside from using digital certificates), it cannot be used over most proxy servers or firewalls.

  D. Correct. Digest authentication for Windows domain servers transmits credentials by means of an encrypted MD5 hash. It works for trusted domains. Given that pn.adatum.com and clients.adatum.com are members of the same forest, there will be a trust relationship between them. Digest authentication for Windows domain servers also works over proxies and firewalls.

5. 

Correct Answers: A

  A. Correct. Computers running Windows NT 4.0 Workstation do not support the default Kerberos v5 authentication that would be used between a computer running Windows 2000 Professional or Windows XP Professional and a domain controller running Windows Server 2003.

  B. Incorrect. This authentication protocol is used to authenticate against a Web server running Internet Information Services. It is not used to authenticate domain logons.

  C. Incorrect. This authentication protocol is used to authenticate against a Web server running Internet Information Services. It is not used to authenticate domain logons.

  D. Incorrect. This authentication protocol is used to authenticate against a Web server running Internet Information Services. It is not used to authenticate domain logons.

  E. Incorrect. Computers running Windows NT 4.0 Workstation do not support the default Kerberos v5 authentication that would be used between a computer running Windows 2000 Professional or Windows XP Professional and a domain controller running Windows Server 2003.



MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
