| All the review questions for this chapter are based on the following scenario: Case Study: Velocipede Tours Velocipede Tours is a bicycle tour operator with three offices in the United States. The main office is in Manchester, Vermont, and the other two offices are in Hilton Head, South Carolina, and Maui, Hawaii. Velocipede Tours is deploying Windows 2000 on servers and workstations in all its offices, starting with the Vermont office. Velocipede Tours has recently merged with two other specialty tour operators. Wet World Excursions conducts diving tours in the Florida Keys from its Key Largo, Florida, location. Alpine Adventures organizes hiking and mountain climbing expeditions from its offices in San Francisco and Salzburg, Austria. Current LAN and Network Structure Velocipede Tours has a deployment plan in place to migrate from Windows NT 4.0 Server and Workstation to Windows 2000 Server and Professional. The deployment plan is complete, and the actual rollout is scheduled to begin shortly. Velocipede Tours was originally going to implement a single-domain Active Directory design. However, with the recent merger and the decision to maintain each company's identity, Velocipede will now create a separate domain for each. Alpine Adventures is currently running Windows NT 4.0 Server with Windows 98 at the desktop; Wet World has a Novell NetWare 3.12 network with three Windows 95 client computers. Ethernet and Fast Ethernet connections are used throughout the Velocipede and Alpine Adventures offices. Wet World uses thin coax Ethernet. Proposed LAN and Network Structure All companies are scheduled to be upgraded to Windows 2000 in 12 months. Wet World's thin Ethernet infrastructure will be replaced with twisted-pair as part of a complete hardware upgrade. Current WAN Connectivity The South Carolina and Hawaii offices are connected to the home office using a virtual private network (VPN) and 384Kbps SDLC circuits. These circuits are more than adequate for current and forecasted traffic. Alpine Adventures has 56Kbps Frame Relay connections to each office. Proposed WAN Connectivity The Wet World office in Key Largo and the Alpine Adventures office in San Francisco will upgrade to the same type of SDLC circuits as used by Velocipede. The Salzburg office will remain on Frame Relay because the cost of upgrading that link is prohibitive. Directory Design Commentary President, Velocipede : We are a small company, so our employees wear many hats. We need the flexibility to allow employees to change roles at a moment's notice. Now, with the merger, my colleagues at the other two companies will need to have the same access to company data that I do. Manager, IT : With a staff of three here in the Vermont office supporting 100 employees, we need to delegate as many administrative tasks as possible, especially in the Hawaii office. We also need to be able to control the desktop better so that we are not constantly troubleshooting self-inflicted user wounds. Because employees change jobs so frequently, we need to be able to automatically install new software as the employees move from one job responsibility to another. With the merger, we have even less time available. Office Manager, Maui : Currently, it takes more than a day to process security updates, password changes, and most other administrative tasks. We need to be able to do some of the administration locally because our employees are always changing responsibilities and we can't wait for Vermont to make the changes. President, Alpine Adventures : We will keep our company name and Internet presence. It would not make much sense for a company called Velocipede to offer mountain climbing adventures. People recognize our company by name , and we don't want to change that. We will retain much of our autonomy, anyway. Current Internet Positioning Velocipede Tours has a registered Internet domain name of velocipede.com . Velocipede has a Web site hosted in the Vermont office, and all employees have velocipede.com email addresses. Alpine Adventures' registered name is alpine-adv.com . It, likewise, has a Web site, which is currently hosted by an ISP. Proposed Internet Positioning Velocipede has just registered the domain name wetworlddives.com for the Wet World operation and is planning a Web site as well as email addresses for all employees. | Question 1 | Will the Velocipede forest consist of a contiguous or a disjoint namespace? | | A1: | The correct answer is b. Because the business requirements dictate retention of the Alpine Adventures domain name ( alpine-adv.com ), the forest will contain at least two domain trees. Answer a is incorrect because a contiguous namespace would require Alpine Adventures to become a child domain of the Velocipede root (for example, alpine-adv.velocipede.com ). Answer c is incorrect because the business requirements have been clearly stated in the scenario. Answer d is incorrect because only two types of DNS namespaces are available in Active Directory: contiguous and disjoint. | | Question 2 | Two tour planners in the Vermont office have been moved temporarily to the finance department and need to be granted access to a finance application. What steps are needed to allow the employees to use the application? [Select all that apply.] -
a. Move the employee user objects from the TourPlanner OU to the Finance OU. -
b. Delete the employee user objects from the TourPlanner OU and re-create them in the Finance OU. -
c. Add the employees to the FinanceUsers global group . -
d. Link the FinanceSoftware GPO to the TourPlanner global group. | | A2: | The correct answers are a and c. By moving the employees to the Finance OU, finance software that is distributed through Group Policy will be automatically installed on the users' desktops. Adding the employees to the FinanceUsers global group will allow access to the finance files. Answer b is incorrect because deleting a user object destroys all current security settings, as is the case with Windows NT. When a new user is created, even though the username is the same, a new SID is generated and group memberships must be rebuilt. Answer d is incorrect because GPOs are linked to sites, domains, and OUs, not security groups. | | Question 3 | After reading a technical journal article on Windows 2000, the IT manager has decided to implement universal groups to help manage user access to resources in all three offices. However, when she attempted to create a universal group, the option was grayed out and she could not perform the operation. Why? -
a. The manager was not logged on as an Enterprise Admin, and only Enterprise Admins can create universal groups. -
b. The Global Catalog Server was down. -
c. The domain in which she wanted to create the universal group was still in mixed mode. -
d. A trust relationship existed between the domain in which the universal group was to be created and a Windows NT 4.0 domain. | | A3: | The correct answer is c. Universal groups cannot be created while a domain is in mixed mode. When operating in mixed mode, the PDC Emulator Operations Master must act like a Windows NT PDC, and universal groups are not available under NT. Answer a is incorrect because you do not need to be an Enterprise Admin to create a universal group. Answer b is incorrect because a universal group can be created if the Global Catalog is unavailable. However, validating universal group membership is not possible when checking access rights when the Global Catalog Server is offline. Finally, d is incorrect because universal groups can be created in native mode Windows 2000 domains regardless of trust relationships with NT domains or mixed-mode Windows 2000 domains. | | Question 4 | The CEO of Velocipede Tours has mandated that the Run command should not appear on the Start menu for any clerical employees. How can the IT manager ensure that this policy is always enforced? [Select all that apply.] -
a. Create a GPO that removes the Run command, and link it to the domain. Then, check the No Override option. -
b. Create a GPO that removes the Run command, and link it to all the top-level OUs in the domain. Then, check the No Override option. -
c. Create a GPO that removes the Run command, and link it to any OU that contains clerical employees. Use security group filtering and allow the Apply Group Policy permission only to members of the Clerks global group. -
d. Create a GPO that removes the Run command, and link it to OUs created especially for clerical employees. -
e. Create a GPO that removes the Run command, and link it to every site. | | A4: | The correct answers are c and d. You can either link the GPO to an OU or domain and use security group filtering to limit the application of the policy to the clerical employees or set up special OUs for the clerks and link the GPO to those OUs. Answers a, b, and e are incorrect because they remove the Run command from all employee desktops. | | Question 5 | A portion ofthe proposed Velocipede OU structure is shown in Figure 7.6. Four GPOs have been created to configure the desktop and distribute software to the employees. The GPOs have the following functions: -
Maui Desktop ” Configures desktop and offline folders -
Finance Applications ” Installs standard finance applications -
Clerk Restrictions ” Provides a more restrictive environment for clerical employees -
Manager Desktop ” Adds applications and creates a less restrictive desktop Figure 7.6. Drag the GPO to the OU(s) to which it should be linked.  Drag the GPO name to the OU to which the GPO should be linked. A GPO can be used more than once. | | A5: | The correct answer is shown in Figure 7.7. Figure 7.7. The correct answer for question 5.  | | Question 6 | The presidents of all three merged companies have agreed that the top-level executives in each company should have full access to all companies' financial information and business plans. The IT manager has been asked to implement this. How can the IT manager grant access to the requested data? [Select all that apply.] -
a. Create a global group in the velocipede.com domain and make the Executives global groups from all the other companies' domains members of this new global group. Make the new global group a member of all necessary domain local groups to give the executives access to the merged corporate resources. -
b. Create a universal group and make the Executives global groups from all the other companies' domains members of this new global group. Make the new universal group a member of all necessary domain local groups to give the executives access to the merged corporate resources. -
c. Make the Executives global groups from all three companies members of all necessary domain local groups to give the executives access to the merged corporate resources. -
d. Create a global group in the velocipede.com domain, and make the executive user accounts from all companies members of this new global group. Make the new global group a member of all necessary domain local groups to give the executives access to the merged corporate resources. | | A6: | The correct answers are b and c. Answer b uses universal groups to accomplish the same task as answer c. The advantage to using universal groups is that assigning access to all the executives is easier by specifying one universal group rather than one global group from each domain. Answer a is incorrect because global groups have a domain scope. You cannot nest a global group from one domain in a global group in another domain. Answer d is incorrect because global groups can contain only user accounts from the same domain. | | Question 7 |  | How many domains are required in the Alpine Adventures domain tree? [Select the best answer.] | -
a. One domain. -
b. Three domains ”a root domain and one geographical child domain for each location. -
c. Alpine Adventures will be a single domain off the Velocipede domain tree. -
d. Two domains ”a root domain and a domain for the employees of the San Francisco and Salzburg offices. | | A7: | The correct answer is b. The slow WAN links to the Salzburg office prevent successful Sysvol replication as well as Active Directory replication via RPC. Answer a is incorrect because the domain naming context cannot be successfully replicated. Answer c is incorrect because the business requirements call for a distinct corporate identity and Internet domain name. Answer d is incorrect, again, because of replication issues. A two-domain solution would work successfully if the San Francisco office was in the root domain and the Salzburg office was a child off the parent. | | Question 8 | The IT manager is concerned that, with the constant shifting of job responsibilities at Velocipede, users will not have the applications they need to do their work and they might have applications for temporary job assignments that they no longer need. He wants to ensure that applications are added to the users' desktops as needed and removed when no longer necessary. Which of the following steps can he take to meet these objectives? [Select all that apply.] -
a. Create GPOs to publish the business applications to the users' computers. -
b. Create GPOs to assign the business applications to the users' computers. -
c. Create GPOs to assign the business applications to the users. -
d. Create GPOs to publish the business applications to the users. -
e. When creating software packages for publishing or assignment, he should configure the package to uninstall the software when the GPO no longer applies. | | A8: | Answers c and e are correct. The manager should assign the business applications to users. Then, the applications will be automatically installed when the users are given temporary job duties in a different area of the company, and their user accounts will be moved to a different OU. When the user is moved back to the original OU, the software from the temporary assignment will be removed automatically at the next logon. Answers a and b are incorrect because the software should be assigned to users, not computers. Also, software cannot be published to a computer. Answer d is incorrect because published software is typically installed from the Add/Remove Programs Control Panel applet, although it could also be installed by document invocation, if that option was selected when the software package was created. | | Question 9 | While familiarizing herself with the Windows 2000 Administration Tools, the IT manager accidentally converted the velocipede.com domain from mixed mode to native mode at one of the Windows 2000 domain controllers. There are still two Windows NT 4.0 BDCs in the domain. How can the manager convert the domain back to mixed mode? -
a. From the Active Directory Domains and Trusts MMC snap-in, select the properties page for the domain, select the Advanced tab, and click the Convert to Mixed Mode button. -
b. Run the dcpromo utility to convert the affected domain controller to a member server. Then, run dcpromo again to make it a domain controller again. -
c. She cannot convert it back to mixed mode. The BDCs will have to be upgraded to Windows 2000 as soon as possible. -
d. Using the Registry Editor, change the value of HKLM\Software\Windows\Domain\Mode from 1 back to . | | A9: | Answer c is correct. Once converted to native mode, a domain cannot be switched back to mixed mode. Answer a is incorrect because no such option exists. Answer b is incorrect because conversion to native mode affects the entire domain, not a specific domain controller. Answer d is incorrect because no such Registry value exists. | | Question 10 | For the Velocipede Active Directory forest, drag the appropriate Active Directory object from the second list under the container in the first list where the object should be found. Not all objects may be used, and some might be used more than once. Active Directory containers: velocipede.com domain alpine-adv.com domain Maui Finance OU Manchester Office OU Active Directory objects: Schema Admins group Manchester Finance OU salzburg.alpine-adv.com domain Domain Admins group Maui Fin Manager OU AlpineAdv Standard Desktop GPO MauiFin printer Enterprise Admins group Finance Applications GPO Hilton Head Office OU | | A10: | The correct answer is as follows : velocipede.com domain: Schema Admins group Domain Admins group Enterprise Admins group Hilton Head Office OU alpine-adv.com domain: Domain Admins group AlpineAdv Standard Desktop GPO Maui Finance OU : Maui Fin Manager OU MauiFin printer Finance Applications GPO Manchester Office OU : Manchester Finance OU Remember that parent domains are not containers for child domains, so the salzburg.alpine-adv.com domain cannot be placed in the alpine-adv.com domain. |  |
