Chapter 11. Answers to Practice Exam 2

Answers A and B are correct. The ListAllGPOs script can be used to enumerate all GPOs within a domain, and the output can then be directed to the DumpGPOInfo script to display the settings for each. Answer C is incorrect because the QueryBackupLocation script is used only to list the versioned GPO backups stored within a particular backup location. Answer D is incorrect because the FindUnlinkedGPOs script returns only the subset of domain GPOs that are not linked to a particular container, which does not meet the stated requirements. FindDisabledGPOs.wsf is used to list any GPOs that are currently disabled; therefore, answer E is incorrect.

Answer B is correct. It appears that a local Administrator or Backup Operator has checked the Restrict Access check box on the new tape. Sara is a local Administrator; therefore, answer A is incorrect. Sara's local Administrator account gives her the proper permissions for access, so Backup Operator permissions are not necessary; therefore, answer C is incorrect. A defective tape would not cause the access denied message; therefore, answer D is incorrect.

Answers A, B, C, D, and E are correct. The Dsmod command-line utility can be used to modify the attribute values of computer and user accounts, contacts, groups, and servers, as well as other object types, such as organizational units.

Answer C is correct. The policies will be processed in the following order: local, site, domain, OU, child OU. If settings conflict, the settings for the policy that was processed last will take precedence and will be the resulting setting. The main exceptions to this rule are account policies and loopback processing; therefore, answers A, B, and D are incorrect

Answer A is correct. Susan should select the Experience tab and select the appropriate connection speed by clicking on the drop-down list box. The Local Resource tab is used to configure sound, keyboard, and local devices; therefore, answer B is incorrect. Right-clicking the Remote Desktop Connection program displays only the program's shortcut properties; therefore, answer C is incorrect. The General tab is used to configure logon and connection settings; therefore, answer D is incorrect.

Answer A is correct. John should configure the Forwarders tab on each DNS server with the ISP's primary and secondary DNS servers' IP addresses. When clients perform recursive queries, the ISP's DNS servers' IP addresses on the Forwarders tab are used to forward the recursive queries to the ISP's primary or secondary DNS server. Update Server Data Files writes zone changes in Active Directory; therefore, answer B is incorrect. Clear Cache flushes the name server cache and would result in users complaining even more; therefore, answer C is incorrect. The Interfaces tab is used to configure IP addresses for DNS requests ; therefore, answer D is incorrect.

Answer D is correct. Max needs to check the Restore Security option in the Advanced Restore option. Restore Junction Points restores junction points and their data on your hard drive; therefore, answer A is incorrect. There is no security option in the Tape Properties dialog box; therefore, answer B is incorrect. Preserve Existing Mount Points prevents restored data from overwriting mount points; therefore, answer C is incorrect.

Answer C is correct. You can simply right-click on the user's account within the Active Directory Users and Computers MMC snap-in and select Unlock to restore logon capability for the user's account. This is the simplest and fastest method for access recovery in this scenario. Answers A and B are incorrect because the scenario requires unlocking the account, rather than specifying a new password, which would require more keystrokes whether through the Active Directory Users and Computers MMC snap-in or the command-line Dsmod utility. Answer D is incorrect because copying and creating a new account would entail even more administrative effort.

Answers B and C are correct. Input and application processing occur on the host system. Keyboard and mouse input are directed from the client system to the host, making answer A incorrect. Application processing occurs using the resources and processing capabilities of the host system, which makes answer D incorrect. Printer processing, likewise, would occur on the host system making answer E incorrect.

Answer B is correct. Ralph should use the domain object containing a domain controller to create the account lockout security policy. Domain account policies cannot be created on Windows 2000 member servers; therefore, answer A is incorrect. Account policies created on the Site or OU objects would be overwritten by the default domain controller policy; therefore, answers C and D are incorrect.

Answer B is correct. On each DNS server, John should configure the advanced configuration options and enable BIND secondaries to ensure compatibility and communication with the Unix BIND DNS servers. Configuring the Forwarders tab with the Unix DNS servers' IP addresses would result in the Unix servers resolving Internet recursive queries and would not work; therefore, answer A is incorrect. Configuring the advanced configuration options and disabling recursion would result in users not being able to browse the Internet; therefore, answer C is incorrect. Configuring the Interfaces tab with the Unix DNS servers' IP addresses would result in the Windows 2003 DNS servers listening to the Unix server for resource updates and this cannot be done on Unix servers, due to incompatibilities; therefore, answer D is incorrect.

Answer B is correct. Add the Everyone group to the Remote Desktop Users group to allow everyone access to Terminal Server sessions. Adding any other groups, such as Domain Users, Users, or Domain Administrators, would not allow access for everyone; therefore, answers A, C, and D are incorrect.

Answers A, B, C, and D are correct. Remote Desktop connections can be configured to redirect the audio and video output from the server to each client, as well as to make local resources such as drives, printers, and serial devices available within the virtual terminal session. Host drives , audio, and printers are not redirected, making answers E, F, and G incorrect.

Answers A, B, and C are correct. The default query options include users, contacts, and groups, as well as options for computers and printers. Answer D is incorrect because the Computers option includes both workstations and servers, which are not provided with a unique separate query category. Answer E is incorrect because the option for Exchange recipients is present only if Microsoft Exchange Server 2000 or later has been installed, and would not be present by default, as specified.

Answers A and C are correct. Christi needs to check Restore Junction Points for the mount points to be backed up. Christi also needs to check Preserve Existing Mount Points to prevent restored data from overwriting mount points. There is no mount point option in the Tape Properties dialog box; therefore, answer B is incorrect. The Restore Security option in the Advanced Restore option restores NTFS permissions; therefore, answer D is incorrect. The Preserve Existing Mount Points is unchecked by default, making answer E incorrect.

Answer C is correct. Amy should enable Object Access, success and failure, to determine who the intruder is. Object Access includes access to files and folders. Account Management audits changes in users' accounts; therefore, answer A is incorrect. Directory Service Access is used to audit Active Directory service; therefore, answer B is incorrect. Policy Change audits changes in Group Policies; therefore, answer D is incorrect.

Answers B and D are correct. Use either the Configure Your Server Wizard or the Add or Remove Programs applet in the Control Panel. Installing any of the Windows Server 2003 family of products, except Windows 2003 Web Server Edition, does not install IIS 6.0 by default. Administrators must explicitly select and install IIS 6.0 on all but the Web Server Edition; therefore, answers A and C are incorrect.

Answer B is correct. Mary should use Active Directory “integrated zones for increased security, fault tolerance, and easier management and deployment. Primary and secondary zones increase administration. Furthermore, primary, stub, and secondary zones all lack fault tolerance and do not have high security settings; therefore, answers A, C, and D are incorrect.

Answers A, B, and D are correct. A group can be located within a particular organizational unit and can itself be a member of one or more other groups. An organizational unit can also be located within another OU, which is called nesting of OUs. An organizational unit cannot be made a member of a group, making answer C incorrect.

Answer A is correct. Use the Add or Remove Programs applet in the Control Panel to install ASP.NET Web server extensions. In the Windows Components dialog box, check the Application Server check box and then click the Details button. Check the ASP.NET check box. Reinstalling IIS will not add ASP.NET Web server extensions; therefore, answer B is incorrect. There is no Web Extension folder in IIS and the Configure Your Server Wizard will not add ASP.NET Web server extensions; therefore, answers C and D are incorrect.

Answers A and B are correct. Users are using the ISP DNS server for registering their records at logon. To fix the netlogon problem, John needs to reconfigure each Windows 2003 DNS server to point to itself for DNS resolution instead of pointing to the ISP DNS server. John should then add the ISP DNS server to the Forwarders tab on each Windows 2003 DNS server. Creating a stub zone has nothing to do with logon problems; therefore, answer C is incorrect. Adding a caching-only server will not fix the logon problem; therefore, answer D is incorrect. Answer E is incorrect; asking the ISP to add AdepTek's DNS servers' IP addresses to its zone would not correct the problem.

Answer D is correct. The Terminal Server Session Directory is used to ensure that reconnected sessions are re-established to their original session within distributed server farms supporting Terminal Services Remote Desktop connections. Answer A is incorrect because the Remote Desktop for Administration service provides access for up to two administrative control logons and is not used within a Terminal Services server farm for multiple client access. Answers B and C are incorrect because the Terminal Server service manages only remote logons to virtual sessions, without attempting to rebalance or reconnect lost connections to their origin, whereas the Licensing service is used to ensure that a Terminal Server running in Application mode is properly licensed for each allowed connection.

Answer C is correct. Susan needs to purchase a new hard drive, from the same hard drive manufacturer, which is the same make, model, and size as the old one. For ASR to work properly, the hard drive's geometry must be identical. Just purchasing a hard drive of the same size or larger would not work; therefore, answers A and B are incorrect. Susan does not need to purchase a new SCSI hard drive controller card; therefore, answer D is incorrect.

Answer D is correct. Max needs to use the Highly Secure template ( hisecdc.inf ) to provide strong encryption using a secure channel. Setup security.inf contains the default security settings and cannot be used on domain controllers; therefore, answer A is incorrect. Securedc.inf is used for medium-level security; therefore, answer B is incorrect. domain controller security.inf contains security settings applied during the installation of Active Directory; therefore, answer C is incorrect.

Answer D is correct. The Remote Desktop Protocol (RDP) operates on port 3389. Answer A is incorrect because port 80 is used as the standard port used for the Hypertext Transfer Protocol (HTTP). Answer B is incorrect because port 389 is used as the standard port for Lightweight Directory Access Protocol (LDAP) connections, whereas port 3268 is used to connect to the Global Catalog within an Active Directory structure, making answer C incorrect as well.

Answer B is correct. Kelly needs to use the System Information utility and select Startup Programs. No startup programs are found using Event Viewer, Device Manager, or Last Known Good Configuration; therefore, answers A, C, and D are incorrect.

Answer C is correct. Terminal Services Server delivers applications to client desktops. The Routing and Remote Access Service would not deliver this functionality; therefore, answer A is incorrect. IIS is a Web site and application server, but would not meet the stated requirements; therefore, answer B is incorrect. SUS is Microsoft's Software Update Service, which can be used to deliver applications to client desktops through installation and doesn't operate in Remote Administration mode; therefore, answer D is incorrect.

Answers B and C are correct. A user account can be a member of multiple groups, but only a single OU. A user account can be a member of many groups, which makes answer A incorrect. A user account can be located only within a particular organizational unit, although that OU can itself be located within another, making answer D incorrect as well. A user account can be a member of many domains, not just a single domain; therefore, answer E is incorrect.

Answer B is correct. Susan next needs to save the imported template as a new database file. After that, Susan should choose Analyze Now from the menu to compare the imported security template policy settings with the local Windows Server 2003; therefore, answer A is incorrect. Susan should make the necessary changes, choose Configure Computer Now from the menu, and view any errors in the log file, which makes answers C and D incorrect.

Answer C and D are correct. For each additional domain controller that Mary adds to the domain, the preferred DNS IP address is the parent DNS IP address, or 192.168.1.6. The added domain controller DNS server's IP address of 192.168.1.12 is placed in the Alternate IP Address text box. Answer E is incorrect because although not specified in the question, IP address 192.168.1.1 is the gateway address.

Answer D is correct. Both global and universal groups can be used to assign permissions over resources located within any domain in a forest. Answer A is incorrect because a domain local group can be used only to assign permissions over resources located within the same domain as the domain local group. Likewise, a local group would give access only to local resources; therefore, answer B is incorrect. Answer C is incorrect because there is no trusted group scope. Trusts are established between domains, rather than as a group's scope.

Answer A is correct. Advanced Digest Authentication, similar to Digest Authentication in that it requires a user account and password, and has a medium level of security, stores user credentials in the Active Directory on the domain controller, as an MD5 message digest. Digest Authentication requires a user account and password and has a medium level of security because user credentials are sent across the network in a hashed message digest. .NET Passport Authentication provides a single unified logon, passwords are encrypted, and the level of security is high. Integrated Windows Authentication uses Kerberos as the authentication protocol and provides a high level of security.

Answer C is correct. Using the DNS console, Laura should delete the "." zone created during the Active Directory installation. Because Laura created a domain name ACDC.local, she needs to delete the "." zone listed under Forward Lookup Zones; otherwise , clients can have external name resolution problems on the Internet. Creating a reverse lookup zone would not help users gain Internet access; therefore, answer A is incorrect. Recursion is enabled by default and should not be disabled; therefore, answer B is incorrect. Laura should not delete the ISP's DNS server addresses because doing so would cause more Internet access problems; therefore, answer D is incorrect as well.

Answer A is correct. Max needs to use Event Viewer to investigate system events and discover the service that failed to start automatically. No startup services are found using the Event Viewer application log, Device Manager, or the Last Known Good configuration; therefore, answers B, C, and D are incorrect.

Answers A and B are correct. A default installation of Microsoft Windows Server 2003 includes the single-session Remote Desktop Connection ( mstsc.exe ) utility, as well as the Remote Desktop's MMC snap-in. The Remote Desktop Web Connection ActiveX component, which replaces the Windows 2000 Terminal Services Advanced Client (TSAC), must be installed as a subcomponent of IIS using the Add/Remove Programs utility, making answer C incorrect. Answers D and E are also incorrect because the Remote Control add-in capability must be downloaded from Microsoft's download site and installed to be present within the Active Directory Users and Computers MMC snap-in.

Answer C is correct. The question mark icon indicates that the security values in the analysis database are not defined and were not analyzed . The red X icon indicates that security values in the analysis database do not match the local computer system settings. The green check mark indicates that security values in analysis database match the local computer settings; therefore, answer B is incorrect. The exclamation point icon indicates that security values in analysis database are defined but do not exist in local computer system settings; therefore, answer D is incorrect.

Answer C is correct. IISvdir.vbs is used to create, delete, or display virtual directories. IISweb.vbs is used to start, stop, create, delete, and list Web sites; therefore, answer A is incorrect. IISftp.vbs is used to start, stop, create, delete, and list file sites; therefore, answer B is incorrect. Answer D is incorrect because IISftpdr.vbs is used to create, delete, and display virtual FTP directories under a root.

Answers A, B, D, and F are correct. Members of the Administrators, Backup Operators, Print Operators, and Server Operators groups have the ability to log on to domain controllers and so their membership must be carefully managed and monitored to minimize security risks. The Pre “Windows 2000 Compatible Access group is not granted the right to log on to domain controllers by default; therefore, answer C is incorrect. Remote Desktop users have the right to start a remote interactive session on the computer only if they have the Allow Logon Through Terminal Services right; therefore, answer E is incorrect.

Answer D is correct. Because InnoTeck uses InnoTeck.com for both the internal and external domain name, Sara needs to add a Host (A) record to the DNS server. Otherwise, users will not be able to browse InnoTeck.com Web site home page and related links. Adding a reverse lookup zone would not solve the problem; therefore, answer A is incorrect. The Start of Authority record (SOA) is added by default; therefore, answer B is incorrect. An MX Exchange Mail resource record is used for email; therefore, answer C is incorrect.

Answer C is correct. Sam needs to use Device Manager, right-click the NIC, choose Properties, click the Driver tab, and then click the Driver Details button. Event Viewer, the System Information utility, and the System applet would not help Sam; therefore, answers A, B, and D are incorrect.

Answers A and C are correct. The Configure Computer Now and the Save options accessed by right-clicking Security Configuration and Analysis in the left pane perform the same actions: They both write changes to your database file. Changes you make to the analysis database are made to the stored template in the database, not to the security template file itself; therefore, answer B is incorrect. You need to use the Security Templates snap-in component to make changes to your templates. Applying changes and saving changes are done with the Security Configuration and Analysis tool, not the Security Templates utility; therefore, both answers D and E are incorrect.

Answer E is correct. To enable a Remote Desktop connection for the local Administrator account, all you need do is to enable Remote Desktop access using the System Properties dialog box. The Remote Desktop for Administration service is installed by default, which makes answers A and B incorrect: No new services must be installed to meet the stated requirement. The Remote Assistance option is used to allow remote technical support of a user's session and is not necessary for remote server administration connections, which makes answer C incorrect. Answer D is also incorrect because the local Administrator account is a member of the Remote Desktop Users group by default.

Answers C and E are correct. The Enterprise Admins and Schema Admins groups are present only in the root domain of a forest. Answers A, B, and D are incorrect because the DnsAdmins group is present in any domain in which the DNS service has been installed, whereas both the Domain Admins and Group Policy Creator Owner groups are present in all domains by default.

Answer B is correct. David must be a member of the Local Administrators group to accomplish this task. Although David could accomplish this task by becoming a member of the Domain Administrators group, this would give David too much authority; therefore, answer A is incorrect. Using different authentication methods would not help David create a new Web site application; therefore, answers C and D are incorrect.

Answer B is correct. The Account policy, Object Access policy and Folder Redirection policy are all applied. The Domain Account policy is applied first, and then the GPO policies in the OUs are next applied. Because the OUs contain policies that are not Account polices, they will not be applied; therefore, answers A, C, and D are incorrect.

Answer B is correct. You cannot correct Terminal Services settings through Local Policy Management Console. Settings that relate to a client's Terminal Services settings can be configured within the Active Directory Users and Computers and the Terminal Server Configuration MMC snap-ins, as well as in the advanced options of the Remote Desktop Connection utility. Therefore, answers A, C, and D are incorrect.

Answer C is correct. Susan should open UDP and TCP port 53 on the firewalls. UDP and TCP ports 80, 25, and 443 are open by default and provide Internet access, FTP, and secure sockets, respectively; therefore, answers A, B, and D are incorrect.

Answer D is correct. Amy needs to reboot and select Last Known Good Configuration. Using Safe Mode, ASR, or restoring the System State would take too much time; therefore, answers A, B, and C are incorrect.

Answer C is correct. Select Application Server and click the Details button. Select Internet Information Server (IIS) and click Details. Select the World Wide Web Publishing Service and click Details. Select the Remote Administration check box. Therefore, answers A, B, and D are incorrect.

Answers A, C, and D are correct. The local Power Users group can fully administer local resources and accounts (except for members of the Administrators group). Power Users cannot back up or take ownership of files by default, which makes answers B and E incorrect.

Answer C is correct. Max needs to use the secedit command-line tool to analyze large numbers of computers. The Security Template tool is used to create and modify templates for smaller organizations; therefore, answer A is incorrect. The Security Configuration and Analysis tool is used to view and apply security template settings; therefore, answer B is incorrect. The Wuau.adm template is used for Software Update Services; therefore, answer D is incorrect.

Answer B is correct. To ensure that all connections occur using the Federal Information Processing Standard (FIPS) 140-1 validated encryption methods, you must select FIPS Compliant Encryption. Answer B is incorrect because client-compatible encryption adjusts to meet the maximum strength of encryption that the client system supports, making it possible to drop the encryption level at the client system. Answer C is incorrect because the High encryption setting requires clients to be able to connect at the highest encryption key strength present on the server, denying all lesser strength connections. Answer D is also incorrect because the Low encryption setting requires only a 56-bit encryption key.

Answer A is correct. Adding the MX record, John needs to replace the @ sign with a period. For each person in charge of managing a zone, add that person's email address (MX) record to your DNS server database and replace the @ sign with a period. Underscores and ~ (tildes) will not work; therefore, answers B and D are incorrect. John is an administrator and does have proper permissions; therefore, answer C is incorrect.

Answer B is correct. Everet needs to use the Recovery Console and copy the ntldr file from the Windows Server 2003 installation CD. Everet cannot use Last Known Good Configuration, Safe Mode, or Restore the System State until the ntldr file has been copied to the root directory; therefore, answers A, C, and D are incorrect.

Answers A, B, D, and F are correct. Account logons through Terminal Services connections inherit membership in the Authenticated Users group through the logon authentication process required for a Terminal Services connection, which also grants membership in the Terminal Server Users group; all logon accounts are included in the Everyone group. Because no additional specifications are provided, the logon accounts will be members of the Restricted (non “Power Users) group. The Interactive group includes only users directly logging on to the local system console, which makes answer C incorrect. The System account refers to the server's operating system rather than a user account, making answer E incorrect as well.

Answers A and B are correct. IIS 6.0 now includes WMI for managing query support and associations between objects. Managing scripts, permissions, and Web applications is performed using IIS Service Manager; therefore, answers C, D, and E are incorrect.

Answer A and B are correct. Amy should configure secondary zones or stub zones to reduce DNS traffic. Secondary servers reduce network traffic by using incremental updates. Primary zones are already configured and adding more of them will increase DNS traffic; therefore, answer C is incorrect. Adding reverse lookup zones will help reduce DNS traffic a little but is not the best solution; therefore, answer D is incorrect. Configuring caching-only DNS servers for each domain will speed up user requests for Web pages, but will do little to reduce network traffic; therefore, answer E is incorrect.

Answers A, and C are correct. When authorizing a Terminal Services Licensing server for operation, you can allow the licensing server to automatically connect to the Microsoft Clearinghouse over the Internet, use a separate computer's web browser, or obtain the licensing authorization through a toll-free (in most places) call. Neither fax-in nor mail-in authorization mechanisms are provided by default, which makes answers B and D incorrect.

Answers B and C are correct. Under Computer Configuration, Amy should expand the Administrative Templates folder, expand the Windows Components folder, and then select the Windows Update folder. In the right pane, Amy needs to double-click the Configure Automatic Updates and select the Enabled radio button to enable automatic updates. The third step is to double-click the Reschedule Automatic Updates scheduled installations and select the Enabled radio button; therefore, answers A, D, and E are incorrect.

Answer C is correct. John needs to use the Repair Option feature by booting from his Windows Server 2003 installation CD-ROM. John cannot use Last Known Good Configuration, Safe Mode, or the Recovery Console until repairs have been completed; therefore, answers A, B, and D are incorrect.