Objective 4.2 Questions

 < Day Day Up > 



1. 

Tailspin Toys is migrating from a Windows NT 4.0 network to a Windows Server 2003 network. Windows NT 4.0 backup domain controllers (BDCs) are gradually being replaced by Windows Server 2003 domain controllers on a site-by-site basis. There are three domains in the Tailspin Toys forest. These domains are named west.tailspintoys.com, east.tailspintoys.com, and central.tailspintoys.com. The west.tailspintoys.com domain is the forest root domain. There are no servers running Windows 2000 in the Tailspin Toys forest. Only users from one domain—west.tailspintoys.com— authenticate completely against computers running Windows Server 2003. The other domains still have some Windows NT 4.0 BDCs. Each domain is running at its highest possible functional level. You are configuring a group strategy for the Tailspin Toys forest. Which of the following statements are true?

  1. All domains in the forest can use domain local groups.

  2. All domains in the forest can use global groups.

  3. All domains in the forest can use universal groups.

  4. A global group in the central.tailspintoys.com domain can have a global group in the east.tailspintoys.com as a member.

  5. A universal group running in the west.tailspintoys.com domain can have members from the central.tailspintoys.com and east.tailspintoys.com domains.

 correct answers: a, b, and e a. correct of the listed domains, only west.tailspintoys.com domain will be running at the windows server 2003 functional level. the east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either windows server 2003 interim or windows 2000 mixed mode, because both of these modes support windows nt 4.0 bdcs. domain local groups can be used in all domain functional levels. b. correct of the listed domains, only west.tailspintoys.com domain will be running at the windows server 2003 functional level. the east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either windows server 2003 interim or windows 2000 mixed mode, because both of these modes support windows nt 4.0 bdcs. global groups can be used at all domain functional levels. c. incorrect of the listed domains, only west.tailspintoys.com domain will be running at the windows server 2003 functional level. the east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either windows server 2003 interim or windows 2000 mixed mode, because both of these modes support windows nt 4.0 bdcs. universal groups can only be used at the windows 2000 native or windows server 2003 functional level, so only the west.tailspintoys.com domain can use such a group. d. incorrect of the listed domains, only west.tailspintoys.com domain will be running at the windows server 2003 functional level. the east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either windows server 2003 interim or windows 2000 mixed mode, because both of these modes support windows nt 4.0 bdcs. global groups can only contain other global groups as members if the domain is running at the windows 2000 native or windows server 2003 functional level. e. correct of the listed domains, only west.tailspintoys.com domain will be running at the windows server 2003 functional level. the east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either windows server 2003 interim or windows 2000 mixed mode, because both of these modes support windows nt 4.0 bdcs. global groups can only contain other global groups as members if the domain is running at the windows 2000 native or windows server 2003 functional level. even though the east.tailspintoys.com and central.tailspintoys.com domains are not running at the windows server 2003 functional level, user accounts from these domains can be added to a universal group in the west.tailspintoys.com domain.

2. 

A forest trust relationship exists between the science.internal and the arts.internal forests. The administrator of the philosophy.arts.internal domain wants to give certain users from the mathematics.science.internal and the physics.science.internal domains access to certain domain resources. This access will be mediated through membership of groups. Which of the following methods could the administrator of the philosophy.arts.internal domain use to configure this access while using the least possible number of groups?

  1. Create a global group in the philosophy.arts.internal domain. Then add the individual accounts that should be given access from the mathematics.science.internal and physics.science.internal domains to this global group. Finally, use this global group to apply the required permissions to the appropriate domain resources.

  2. Create a universal group in the philosophy.arts.internal domain. Ask the administrators of the mathematics.science.internal and physics.science.internal domains to add the required user accounts to universal groups in each respective science.internal domain. Add the universal groups from the mathematics.science.internal and physics.science.internal domains to the universal group created in the philosophy.arts.internal domain. Apply the required permissions for the resource to this universal group.

  3. Create a global group in the mathematics.science.internal domain. Add the appropriate users from this domain to this group. Create a global group in the physics.science.internal domain. Add the appropriate users from this domain to this group. Create a domain local group in the philosophy.arts.internal domain. Add the global groups that you created to the domain local group in the philosophy.arts.internal domain. Apply the required permissions for the resource to this domain local group.

  4. Create a domain local group in the philosophy.arts.internal domain. Ask the administrators of the mathematics.science.internal and physics.science.internal domains to add the required user accounts from each respective science.internal domain to a universal group located in the mathematics.science.internal domain. Add the universal group from the mathematics.science.internal domain to the domain local group created in the philosophy.arts.internal domain. Apply the required permissions for the resource to this domain local group.

 correct answers: d a. incorrect global groups cannot have users from trusted domains as members. only users, computers, and global groups from the domain in which the global group is created can be added to a global group. b. incorrect universal groups from one forest cannot include universal groups from another forest as members. c. incorrect although this method would work, it does not use the least possible number of groups. a universal group could be created in the physics.science.internal or mathematics.science.internal domain, and the requisite users from the science.internal forest could be added to this universal group. this universal group could in turn be added to a domain local group in the philosophy.arts.internal domain. after this was done, the appropriate permissions could be applied. d. correct this method achieves the goals and uses the least possible number of groups.

3. 

You are the network administrator at a university. The university has a disparate set of departments, each of which has instituted its own Active Directory infrastructure. Three departments—law, science, and arts—have configured trust relationships between their domains. The Law forest is at Windows Server 2003 functional level. The Science forest is at Windows 2000 native functional level. The Arts forest is at Windows 2000 mixed functional level. External trusts exist between the root domain of the Law forest and the root domain of the Science forest, between the root domain of the Science forest and the root domain of the Arts forest, and between the root domain of the Arts forest and the root domain of the Law forest. You are configuring a domain local group in the root domain of the Law forest. Which of the following groups can you add to this group?

  1. A universal group from a child domain of the Law forest

  2. A global group from the root domain of the Arts forest

  3. A universal group from a child domain of the Science forest

  4. A domain local group from a child domain of the Arts forest

  5. A domain local group from a child domain of the Law forest

 correct answers: a and b a. correct universal groups from the same domain can be added to domain local groups. b. correct a global group from the root domain of a trusted domain can be added to a domain local group in the root domain of the law forest. c. incorrect because forest trusts have not been configured, universal groups from child domains in the science forest will not be visible to the root domain of the law forest. d. incorrect even if a forest trust were configured, under no circumstances can domain local groups from remote domains be added to domain local groups. e. incorrect under no circumstances can domain local groups from remote domains be added to domain local groups.

4. 

A. Datum Corporation has an Active Directory forest that contains three trees. The root of the first tree is adatum.com, the root of the second tree is proseware.com, and the root of the third tree is contoso.com. Each domain in the forest uses a combination of Windows Server 2003 and Windows 2000 Server domain controllers. There are no Windows NT 4.0 domain controllers present. If the domains and the forest are configured to the highest functional level possible while maintaining the Windows 2000 Server domain controllers, which of the following statements would be correct? (Select all that apply.)

  1. A domain local group created in the western.adatum.com domain can include a universal group from the southern.contoso.com domain in its membership.

  2. A universal group created in the northern.proseware.com domain can include domain local groups from the southern.proseware.com and western.proseware.com domains in its membership.

  3. A global group created in the southern.contoso.com domain can include global groups from the northern.proseware.com and eastern.adatum.com domains in its membership.

  4. A global group created in the eastern.adatum.com domain can include a universal group from the proseware.com domain in its membership.

  5. A universal group created in the western.proseware.com domain can include universal groups from the southern.adatum.com and northern.contoso.com domains in its membership.

 correct answers: a and e a. correct domain local groups can include universal groups from the same forest. b. incorrect domain local groups cannot be members of universal groups. c. incorrect global groups can only have global groups, users, and computers from the same domain as members. global and universal groups from other domains in a forest cannot be members of a global group. d. incorrect global groups can only have global groups, users, and computers from the same domain as members. global and universal groups from other domains in a forest cannot be members of a global group. e. correct universal groups can have other universal groups from within the forest as members.

5. 

Rooslan is the systems administrator for A. Datum Corporation. The company’s network infrastructure has a forest configured at the Windows Server 2003 functional level. The forest has two separate domain trees. The root domain of the first domain tree and the forest is adatum.com. The root domain of the second domain tree is proseware.com. The adatum.com tree contains five domains and the proseware.com tree contains three domains.

There are several users in the A. Datum Corporation organization who have exceptional systems administration skills. Unfortunately, the accounts of these users are located in different domains. The users and their domains are listed in the following table.

User

Domain

Rooslan

adatum.com

Oksana

western.adatum.com

Mick

eastern.adatum.com

Agim

western.proseware.com

Kasia

northern.proseware.com

Shan

southern.adatum.com

Rooslan is in the process of configuring a strategy for the implementation of groups.

He has the following goals:

Primary goal: Create a single group whose membership includes all of these users.

First secondary goal: Grant administrator permissions to these users on all member servers in all domains, except for the root domains adatum.com and proseware.com.

Second secondary goal: No other users, except for the ones in this list, should be able to become members of the sysadmins group.

Rooslan plans to do the following:

  • Add each of the users in the list to a universal group in the adatum.com domain named sysadmins.

  • Add the sysadmins group to the local administrator group on each member server in all domains, except for the adatum.com and proseware.com domains.

  • Which goals will Rooslan accomplish with this plan?

  1. Rooslan’s plan accomplishes the primary goal and both secondary goals.

  2. Rooslan’s plan accomplishes the primary goal and one secondary goal.

  3. Rooslan’s plan accomplishes only the primary goal.

  4. Rooslan’s plan does not accomplish the primary goal; however, it does accomplish both secondary goals.

  5. Rooslan’s plan accomplishes only one of the secondary goals. It does not accomplish the primary goal.

  6. Rooslan’s plan accomplishes none of his goals.

 correct answers: b a. incorrect universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished. b. correct universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished. c. incorrect universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished. d. incorrect universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished. e. incorrect universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished. f. incorrect universal groups are visible in all domains in a forest configured at the windows server 2003 functional level. universal groups can be added to computer local groups, such as the administrators groups on member servers. universal groups can have members from any domain in the forest. rooslan s first action accomplishes the primary goal. rooslan s second action accomplishes the first secondary goal. because rooslan institutes no restricted group policy, the second secondary goal is not accomplished.

Answers

1. 

Correct Answers: A, B, and E

  1. Correct Of the listed domains, only west.tailspintoys.com domain will be running at the Windows Server 2003 functional level. The east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either Windows Server 2003 interim or Windows 2000 mixed mode, because both of these modes support Windows NT 4.0 BDCs. Domain local groups can be used in all domain functional levels.

  2. Correct Of the listed domains, only west.tailspintoys.com domain will be running at the Windows Server 2003 functional level. The east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either Windows Server 2003 interim or Windows 2000 mixed mode, because both of these modes support Windows NT 4.0 BDCs. Global groups can be used at all domain functional levels.

  3. Incorrect Of the listed domains, only west.tailspintoys.com domain will be running at the Windows Server 2003 functional level. The east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either Windows Server 2003 interim or Windows 2000 mixed mode, because both of these modes support Windows NT 4.0 BDCs. Universal groups can only be used at the Windows 2000 native or Windows Server 2003 functional level, so only the west.tailspintoys.com domain can use such a group.

  4. Incorrect Of the listed domains, only west.tailspintoys.com domain will be running at the Windows Server 2003 functional level. The east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either Windows Server 2003 interim or Windows 2000 mixed mode, because both of these modes support Windows NT 4.0 BDCs. Global groups can only contain other global groups as members if the domain is running at the Windows 2000 native or Windows Server 2003 functional level.

  5. Correct Of the listed domains, only west.tailspintoys.com domain will be running at the Windows Server 2003 functional level. The east.tailspintoys.com and central.tailspintoys.com domains are most likely running in either Windows Server 2003 interim or Windows 2000 mixed mode, because both of these modes support Windows NT 4.0 BDCs. Global groups can only contain other global groups as members if the domain is running at the Windows 2000 native or Windows Server 2003 functional level. Even though the east.tailspintoys.com and central.tailspintoys.com domains are not running at the Windows Server 2003 functional level, user accounts from these domains can be added to a universal group in the west.tailspintoys.com domain.

2. 

Correct Answers: D

  1. Incorrect Global groups cannot have users from trusted domains as members. Only users, computers, and global groups from the domain in which the global group is created can be added to a global group.

  2. Incorrect Universal groups from one forest cannot include universal groups from another forest as members.

  3. Incorrect Although this method would work, it does not use the least possible number of groups. A universal group could be created in the physics.science.internal or mathematics.science.internal domain, and the requisite users from the science.internal forest could be added to this universal group. This universal group could in turn be added to a domain local group in the philosophy.arts.internal domain. After this was done, the appropriate permissions could be applied.

  4. Correct This method achieves the goals and uses the least possible number of groups.

3. 

Correct Answers: A and B

  1. Correct Universal groups from the same domain can be added to domain local groups.

  2. Correct A global group from the root domain of a trusted domain can be added to a domain local group in the root domain of the Law forest.

  3. Incorrect Because forest trusts have not been configured, universal groups from child domains in the Science forest will not be visible to the root domain of the Law forest.

  4. Incorrect Even if a forest trust were configured, under no circumstances can domain local groups from remote domains be added to domain local groups.

  5. Incorrect Under no circumstances can domain local groups from remote domains be added to domain local groups.

4. 

Correct Answers: A and E

  1. Correct Domain local groups can include universal groups from the same forest.

  2. Incorrect Domain local groups cannot be members of universal groups.

  3. Incorrect Global groups can only have global groups, users, and computers from the same domain as members. Global and universal groups from other domains in a forest cannot be members of a global group.

  4. Incorrect Global groups can only have global groups, users, and computers from the same domain as members. Global and universal groups from other domains in a forest cannot be members of a global group.

  5. Correct Universal groups can have other universal groups from within the forest as members.

5. 

Correct Answers: B

  1. Incorrect Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.

  2. Correct Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.

  3. Incorrect Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.

  4. Incorrect Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.

  5. Incorrect Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.

  6. Incorrect Universal groups are visible in all domains in a forest configured at the Windows Server 2003 functional level. Universal groups can be added to computer local groups, such as the administrators groups on member servers. Universal groups can have members from any domain in the forest. Rooslan’s first action accomplishes the primary goal. Rooslan’s second action accomplishes the first secondary goal. Because Rooslan institutes no restricted Group Policy, the second secondary goal is not accomplished.



 < Day Day Up > 



MCSA(s)MCSE Self-Paced Training Kit Exam 70-299 (c) Implementing and Administering Security in a M[.  .. ]twork
MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net