Chapter 10. Practice Exam 1

1. Duncan is a network administrator who is responsible for migrating a Windows NT domain to Windows Server 2003. The PDC has the following specifications:

• Dual processors

• Pentium III 900MHz

• 128MB RAM

• A RAID-5 hard drive configuration with four 18.2GB hard drives

After the new installation of Windows Server 2003 is promoted, Duncan notices that the system is performing extremely sluggishly. What might the problem be?

A. The server needs a RAM upgrade.

B. Replication of the new AD data is causing a temporary performance slowdown.

C. Duncan should change the hard drive configuration to move the system partition to its own separate mirrored partition.

D. Duncan should promote a BDC to take some of the AD load off this domain controller.

2. You are a network administrator who is installing your first Windows Server 2003 server in your organization. Your installation of Active Directory halts because the SYSVOL folder cannot seem to be placed where you’ve specified. What is the most likely cause of the problem?

A. You’ve requested it go on a partition that doesn’t have enough space.

B. You’ve formatted the partition with NTFS.

C. The drive letter you’ve specified doesn’t exist.

D. The partition you are specifying is FAT or FAT32.

3. To allow for backward compatibility with Windows NT 4 domain controllers, at what functional level should your domains be running?

A. Windows 2000 native mode

B. Windows 2000 mixed mode

C. Windows 2003 functional level

D. Windows NT compatibility mode

4. Melissa is the network manager responsible for a Windows Server 2003 forest that contains three domain trees with a total of eight domains. She wants to raise the forest functional level from Windows 2000 mixed mode to Windows 2003 to take advantage of new functionality, and in the process she verifies that each of the parent domains in each tree has been raised to Windows 2003. However, when she goes to raise the forest functional level, she is unable to. What might Melissa have missed? [Check all correct answers]

A. Some domains are not at the Windows 2003 functional level.

B. She has to raise the functional level to Windows 2000 native mode first and then she can raise it to the Windows 2003 functional level.

C. She has a trust relationship in place with a Windows NT 4 domain that must be removed prior to raising the forest functional level.

D. She has to log in with an account that is a member of the Enterprise Admins group.

5. Kathy works for a worldwide organization based in the United States. Currently the organization has 50,000 employees in five locations (Singapore, France, England, Canada, and the United States). The domain is a single domain tree with three configured domains in individual sites: one for Singapore, one for France and England, and one for Canada and the United States. The connection to the Singapore site is very unreliable. What can Kathy do to configure replication better between the Singapore site and the U.S./Canada site?

A. Configure a bridgehead server between the two sites.

B. Change the configuration to allow Singapore into the U.S./Canada site.

C. Configure IP over RPC replication to use a schedule between the two sites.

D. Configure SMTP replication between the two sites.

6. Jon is a network administrator who is trying to demote a Windows Server 2003 domain controller, but it isn’t responding. This particular DC holds no FSMO roles, and Jon is sure he no longer needs it (he’s planning to format it and reinstall for a different purpose). He needs to do the reformat as quickly as he can. What would be his best option here?

A. Jon should run dcpromo /forceremoval.

B. Jon should reboot the server and reformat it.

C. Jon should wait until all replication completes and try demoting the DC again.

D. Jon should turn off the server and leave it off for a few days in order for it to be purged from AD.

7. You are the network administrator for Tailspin Toys. The network consists of a single AD domain named tailspintoys.com. All client computers run Microsoft Windows XP Professional. Tailspin’s main office is located in Boston, and there is a branch office in New York. You create a Group Policy object (GPO) that redirects the Start menu for users in the New York office to a shared folder on a file server.

Users in New York report that many of the programs they normally use are missing from their Start menus, although the programs were available on the Start menu the previous day. You log on to one of the client computers, and all of the programs in question appear on the Start menu. You verify that users can access the shared folder on the server. You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? [Choose the two best answers]

A. On one of the affected client computers, run the secedit command.

B. On one of the affected client computers, run the gpupdate command.

C. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.

D. On one of the affected client computers, run the gpresult command.

E. In the GPMC, select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set of Policy (RSoP) in planning mode.

8. Tom is the owner of a cardboard container corporation that manufactures boxes for shipping computer products. The company has a registered namespace of contoso.com, which it utilizes for its AD domain. Tom has just purchased an office supply company that currently has no registered namespace and no AD domain. In the planning discussions, it has been determined that the combination of both companies will require each to maintain a separate security configuration under a contiguous namespace. Which of the following design types should be implemented?

A. Single domain

B. Domain tree

C. Empty root domain tree

D. Forest

9. You manage the Active Directory forest for a branch of your parent company, W&W, Inc. Users are frustrated because when they connect to resources with their DNS domain name, they have to type their name plus @sanfran.california.na.wwinc.com. As the administrator, what can you do to alleviate their problem?

A. Reinstall the domain and create it with a shorter name.

B. Tell the users to log in with just @wwinc.com because your domain is a child domain in that tree and transitive trusts will allow it.

C. Create a shortcut trust with the parent domain so users can log in with the shorter wwinc.com name.

D. Create an alternative UPN suffix and assign it to the user accounts in the domain.

10. There is an OU called DocProc for the document-processing department in your company, which happens to be an investment banking firm. There are two security groups in the DocProc OU—one is DocProc for the users, and the other is Managers for the management staff. You have a GPO that enforces a specific wallpaper and removes the Display option changes. Managers are complaining that they do not like having this policy enforced on them. What should you do?

A. Remove the Managers group from the OU.

B. Select the Block Policy Inheritance option from the OU.

C. Change the permissions on the policy to Deny Read and Apply Group Policy for the Managers security group.

D. Remove the policy from the OU and apply it directly to the DocProc security group.

11. Charles is a junior system administrator who has been delegated the task of connecting the new Windows Server 2003 Active Directory forest, litwareinc.com, to the existing Windows NT 4 domain, VOA. The senior administrator, Ken, has requested that when Charles configures the trust, users in VOA should have access to resources in litwareinc.com, but users in litwareinc.com cannot have access to resources in VOA. Administrators of litwareinc.com, though, should have access to resources in VOA. What would be the best method for Charles to use to configure this?

A. Charles should configure a one-way realm trust where litwareinc.com trusts VOA.

B. Charles should configure a one-way forest trust where litwareinc.com trusts VOA, and come up with an alternative for administrator access.

C. Charles should configure a two-way external trust between litwareinc.com and VOA and then use security groups to limit access from litwareinc.com to VOA to only administrators.

D. Charles should configure a one-way external trust where litwareinc.com trusts VOA, and come up with an alternative for administrator access.

12. Kim is the network administrator for a global training corporation. She has created a large number of universal groups with several hundred users in each group. She has noticed that a great deal of network traffic has resulted. What is the recommended way of handling universal groups that Kim should apply?

A. The universal groups are established properly in the scenario; the traffic is being generated from other sources.

B. Kim should place the users into local groups and then place the local groups into universal groups.

C. Kim should place the users into global groups and then place the global groups into universal groups.

D. Kim should place the users into universal groups and then place the universal groups into domain local groups.

13. Ian is a network manager for a complex Active Directory forest that consists of 6 domain trees and a total of 28 individual domains, which represents the infrastructure of the Willis Guitar Company, Inc. A partial diagram of the domain structure follows.

Trees:

ww-inc.com, mm-corp.us, virtual-realm.com, willwillis.us, wwguitars.com, and wwamps.com

Users in development.texas.na.ww-inc.com often need to collaborate with their Asian counterparts in development.japan.asia.wwguitars.com, and users in both domains complain about how long it takes for shared folders to open even though there is excellent connectivity between physical locations. Is there anything Ian can do to help the situation?

A. Ian can create a shortcut trust between development.texas.na.ww-inc.com and development.japan.asia.wwguitars.com.

B. Ian can purchase additional bandwidth to reduce the delay in opening shared resources.

C. Ian can move the users from the two domains into a common domain.

D. Ian can create a forest trust between the ww-inc.com and wwguitars.com domain trees.

14. You are the network administrator of a single domain tree called contoso.net with several child domains (ny.contoso.net, utah.contoso.net, and delaware.contoso.net). In the NY domain there is an OU named Marketing.

Inside that OU is a user named Joe User. You have implemented a number of Group Policies within the domain. They are as follows:

• Site Group Policy: Wallpaper is set to Red. Task Manager is disabled.

• Domain Group Policy: Display Properties tab is disabled. (No Override is set to On.)

• OU1 Policy: Wallpaper is set to Blue. The Display Properties tab is enabled. (Block Inheritance is set to On.)

• OU2 Policy: Wallpaper is set to Green.

The OU policies are set in the order of OU1 being on top and OU2 on the bottom of the application order list. What is the resultant set of policies?

A. Joe logs on and his wallpaper is green. Task Manager is not disabled. Display Properties is disabled.

B. Joe logs on and his wallpaper is red. Task Manager is disabled.

C. Joe logs on and his wallpaper is blue. Task Manager is not disabled. Display Properties is disabled.

D. Joe logs on and his wallpaper is red. Task Manager is disabled. Display Properties is enabled.

15. The first domain controller within your domain contains all five FSMO roles. There are several domain controllers within the domain. The first domain controller fails. What do you need to do to allow the FSMO roles to continue?

A. FSMO roles automatically transfer when the domain controller holding those roles goes down.

B. You need to seize the roles by using the Ntdsutil tool.

C. You can transfer the roles by using the AD Domains and Trusts tool.

D. FSMO roles will not be able to continue.

16. Matt is a UNIX administrator who works side by side with Nick, who is a Windows administrator of a Windows Server 2003 forest and one domain. The CIO of the company, Rebekah, has asked Matt and Nick to reduce the total cost of ownership of the separate systems by improving user efficiency in accessing resources from one system to the other and to reduce the current duplication of resources that exists in the UNIX and Windows networks. What should Matt and Nick do? [Choose the three best answers]

A. Create a realm trust between the Windows Server 2003 forest and the UNIX network.

B. Create a realm trust between the Windows Server 2003 domain and the UNIX network.

C. Create an external trust between the Windows Server 2003 forest and the UNIX network.

D. Upgrade the Active Directory domain to Windows Server 2003 R2.

E. Implement Identity management for UNIX.

F. Migrate the UNIX network to Windows Server 2003 Active Directory.

17. You have installed and configured a new domain controller for an existing Windows Server 2003 domain in a forest that consists of five sites. After a few days, you notice that replication isn’t behaving the way it should. After troubleshooting you find out that for some reason the domain controller was installed into the wrong site. What can you do to fix the problem?

A. Move the DC to the correct site.

B. Demote the DC and rerun Dcpromo.

C. Modify the TCP/IP configuration so the DC goes to the correct site.

D. Remove the site that the DC currently belongs to in order to reallocate the DCs to other sites.

18. Brandon has designed and implemented a single Windows Server 2003 domain for his company. The company’s headquarters is in Fort Lauderdale, Florida. Smaller branch locations include San Francisco, California, and London, England. Each location has its own DCs and separate subnet configurations, which are connected through ISDN lines that barely support existing traffic. Brandon notices an extreme amount of replication traffic. He checks the Active Directory Sites and Services tool. What will he notice when he checks this tool?

A. He will see that the replication topology is incorrectly set, and he will have to run the Knowledge Consistency Checker.

B. He will see that the sites configured are missing bridgehead servers.

C. He will be able to determine the performance of his ISDN traffic and see which traffic is generating the most harm.

D. He will see that all DCs will be contained within the same default site, and he will need to break them up according to subnet.

19. You have three site locations for your domain tailspintoys.com. The sites are Taiwan, Brazil, and South Africa. Replication is configured between the three sites. There is a site link between South Africa and Brazil that is close to T1 connectivity. A slower 56Kbps link connects South Africa and Taiwan. Taiwan and Brazil are connected at T1 speeds. Site link bridges are not manually defined, just the default configuration through AD. How can you configure these sites to ensure replication between the three in the best possible way, while still providing a backup plan? [Choose all correct answers]

A. Configure the site link for the South Africa–Brazil connection to be 100.

B. Configure the site link for the South Africa–Brazil connection to be 10.

C. Configure the site link for the South Africa–Taiwan connection to be 100.

D. Configure the site link for the South Africa–Taiwan connection to be 10.

20. W&W, Inc., is an organization that has a Windows Server 2003 Active Directory infrastructure consisting of four domains in a single forest. The domains are named after the cities in which the offices are located: Dallas, Omaha, StLouis, and Boston. The V.P. of Finance, Warren, has recently transferred from the Boston office to the St. Louis office, and as a result his user account was moved from the Boston domain to the StLouis domain. A few days later, Warren calls the domain administrator in the Dallas office about getting access to a shared finance folder on a Dallas file server. When Jim, the domain admin, attempts to add Warren’s account to the shared permissions list, he can’t find the account in the StLouis domain. After checking, he finds it in its original Boston domain. Jim calls up Brian, the domain admin in St. Louis, and asks him to check on Warren’s user account. Brian reports that Warren’s user account is part of the StLouis domain, as it should be. Jim calls up Suresh, the domain admin in Boston, who tells him that he also shows Warren’s user account as belonging to the StLouis domain and not the Boston domain. Tim in Omaha reports the same thing to Jim.

Jim obviously has a problem, but what is the likely cause?

A. The Infrastructure Master in the Dallas domain is down.

B. The Global Catalog server in Dallas is down.

C. The trust relationship connecting Dallas to the rest of the forest is broken.

D. Replication is not taking place as scheduled.

21. You are the network administrator for Litwareinc.com. The network consists of a single Active Directory domain named Litwareinc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers that are not domain controllers have computer accounts in an organizational unit (OU) named MemberServers. Client computers have computer accounts in 15 OUs organized by department. All users have user accounts in an OU named CorpUsers. Litwareinc wants all users to have Microsoft Word available on their client computers. Litwareinc does not want to install Word on the domain controller or other servers. You need to configure the network to install the application as required, without affecting any existing policies or settings. What should you do?

A. Create a Group Policy object (GPO) configured with Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure the Domain Controllers OU and the MemberServers OU to block policy inheritance.

B. Create a Group Policy object (GPO) configured with Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure permissions on the GPO so that all servers and domain controller accounts are denied the permissions to read and apply the GPO.

C. Create a Group Policy object (GPO) configured with Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure the Domain Controllers OU and the MemberServers OU to block policy inheritance.

D. Create a Group Policy object (GPO) configured with Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure permissions on the GPO so that all server and domain controller accounts are denied the permissions to read and apply the GPO.

22. Scott changed his network password a few days ago on his Windows NT 4 workstation. His workstation belongs to a Windows Server 2003 Active Directory mixed-mode domain consisting of a couple of Windows Server 2003 domain controllers and three Windows NT 4 BDCs that have yet to be upgraded. However, ever since he made the change and logged off, he has had to reboot several times to get logged in. He is irritated that sometimes he gets an error that his password is rejected, but then sometimes it takes just fine and logs him in. Scott calls you up and asks you to help fix the problem. What are the most likely causes for Scott’s login problems? [Choose the two best answers]

A. The PDC Emulator is down.

B. Scott needs to make sure his CAPS LOCK key isn’t on or that he is entering his password wrong.

C. Something went wrong with the password change and he should manually change it on a domain controller to something different.

D. Replication of the password change did not reach all domain controllers.

23. Don is the senior systems administrator for W&W, Inc., which has recently acquired a competitor that was struggling to stay afloat in the tough economy. The decision has been made to merge the companies rather than have the acquired company continue to operate under its own brand. As a result, Don is bulk-adding roughly 5000 user accounts to the wwinc.com domain, which already has approximately 3500 accounts. When he runs the import it stops after 4023 accounts have been created, with an error that the object can’t be created. While troubleshooting the problem, Don gets a request to go ahead and create a few essential user accounts manually because they are needed ASAP. When Don opens up Active Directory Users and Computers and tries to create the accounts, the process fails. What problem might he be having in his domain?

A. The RID Master in the domain is down.

B. The PDC Emulator in the domain is down.

C. Don has reached the physical limit on the amount of user objects a domain will support.

D. The CSV file Don is trying to import from is corrupt and should be re-created.

24. Which of the following Operations Masters are forestwide roles? [Choose the two best answers]

A. Schema Master

B. RID Master

C. PDC Emulator

D. Domain Naming Master

E. Infrastructure Master

25. Ben is the systems administrator for a midsized company that has a main office plus seven small satellite offices. Three of the satellite offices are connected by 56Kbps WAN connections, mainly just to support email traffic and telnet access to the database server at the main office. The Windows Server 2003 infrastructure is a single Active Directory domain with each office being its own site. As a result of the slow bandwidth and small number of users at three of the offices, those offices have a server, but they are not Global Catalog servers. Ben wants to make logons more reliable and quicker for these three offices, yet he doesn’t want to burden the 56K lines with the ongoing replication traffic that would occur if he made the local servers GC servers. What can he do to alleviate the problem? [Choose the two best answers]

A. Raise the domain functional level to Windows 2003.

B. Place the global groups containing users at each site into appropriate universal groups.

C. Increase the bandwidth to the sites to more fully support the infrastructure’s requirements.

D. Enable universal group caching.

26. Which of the following can be used to describe the data involved with an intersite replication scenario? [Choose the two best answers]

A. Data is sent uncompressed.

B. Data is sent compressed.

C. Data is sent through a schedule.

D. Data is sent by default replication parameters.

27. You are the network administrator for Contoso.com. The network consists of a single Active Directory forest consisting of 12 domains. Fifteen of the domains contain Windows Server 2003 domain controllers. The functional level of all the domains is Windows 2000 native. The network contains a Microsoft Exchange 2003 Server organization. You need to create groups that can be used only to send email messages to user accounts throughout Contoso. You want to achieve this goal by using the minimum amount of replication traffic and minimizing the size of the Active Directory database. You need to create a plan for creating email groups for Contoso. What should you do?

A. Create global distribution groups in each domain. Make the appropriate users from each domain members of the global distribution group in the same domain. Create universal distribution groups. Make the global distribution groups in each domain members of the universal distribution groups.

B. Create global security groups in each domain. Make the appropriate users from each domain members of the security group in the same domain. Create universal security groups. Make the global security groups in each domain members of the universal security groups.

C. Create universal distribution groups. Make the appropriate users from each domain members of a universal distribution group.

D. Create universal security groups. Make the appropriate users from each domain members of a universal security group.

28. You are a network administrator for a company that uses smart card technology extensively for user logon. The company has recently closed one of its branch offices, and at the same time is offering a new kiosk service to its clients. Because of the office closing, you decide to utilize those computers for the new kiosk setup, which will include the smart card readers that have been in use for some time at the branch office. To enhance security, you remove the workstations from the domain and put them in their own workgroup. When you test the computers after they’ve been hooked up at the kiosk, you find that they are unable to log on to the network, using your user account or others, even though you are able to hook up your own laptop and log on with your smart card. What might be happening?

A. You need to open up the corporate firewall to allow the kiosk computers’ traffic to pass.

B. You need to grant “logon locally” permissions to the user accounts.

C. You need to configure the user accounts the kiosk computers will use to log in with smart cards.

D. You need to rejoin the workstations to the domain.

29. You are in the process of rolling out a smartcard deployment to replace password logons. You are using a Windows Server 2003 member server in your domain as the enrollment station, and you have configured the initial group of cards. However, some users are reporting problems logging in with their cards, although for other users the cards work. After troubleshooting you determine that the logon problems are limited only to Windows 2000 Professional users, and Windows XP Professional users are not having problems logging in. You check that the card readers are installed, and you are not seeing any errors. What might the problem be?

A. Windows 2000 Professional can’t use smartcards created on Windows Server 2003.

B. Smartcard authentication requires Windows XP or Windows Server 2003.

C. Not all the users are properly configured to use smartcards in Active Directory Users and Computers.

D. The Windows 2000 Professional systems likely need the device driver for the smartcard reader updated.

30. Nick is the network administrator for a Windows Server 2003 network. He has delegated the control of the Developers OU to the Developer Admins security group, but after he completes the wizard he realizes he gave permission only to reset passwords and not to create and delete user accounts. What two methods could Nick use to fix the problem?

A. Nick could edit the properties of the Developer Admins security group and change the permissions.

B. Nick could remove the Developer Admins security group and re-create it. Then he needs to run the Delegation of Control Wizard to set the permissions back up.

C. Nick could run the Delegation of Control Wizard a second time to grant the desired permissions.

D. Nick could open the properties of the OU and go to the Security tab.

31. You are the network administrator for TailspinToys.com. The company has a main office and seven remote offices, each having fewer than 20 users. The network consists of a single Active Directory domain named TailspinToys.com configured as a single site, with all servers running Windows Server 2003 R2. Domain controllers are located only in the main office, and all remote offices are connected to the main office by 6MB WAN connections. All users are required to change their password every 10 days. They are further restricted from reusing a password until after they have used five different passwords. You discover that users in the remote offices can log on by using recently expired passwords and access local resources during a WAN connection failure that lasts for 24 hours or longer. You need to ensure that users can log on to the domain only by using a current password. What should you do?

A. In Active Directory Users and Computers, require all users to change their passwords the next time they log on to the domain.

B. Enable universal group membership caching in the site.

C. Instruct all users to log on by using their principal names (UPNs).

D. Configure the Default Domain Policy Group Policy Object (GPO) to prevent logon attempts that use cached credentials.

32. You are a network administrator. Your network consists of a single Windows Server 2003 Active Directory domain. The company has users who work in the main office and users who work remotely through VPN connections to a server running Routing and Remote Access. The company’s written security policy requires that administrators in the main office log on by using smart cards. Company policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards. You issue laptop computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card. You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources. Which two actions should you take? [Choose the two best answers]

A. In the computer configuration settings of the Default Domain Policy Group Policy Object (GPO), enable the Interactive logon: Require smart card setting.

B. On the server running Routing and Remote Access, select the Extensible Authentication Protocol (EAP) check box and require smart card authentication.

C. Create an OU and place all of the administrator accounts in it. Create a GPO and link it to the admin OU and enable the Interactive logon: Require smart card setting.

D. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.

E. In the computer configuration settings of the Default Domain Controllers Policy Group Policy Object (GPO), enable the Interactive logon: Require smart card setting.

F. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.

33. You are a network administrator. Your network consists of a single Active Directory domain containing Windows Server 2003 computers and Windows XP Professional client computers. The domain contains two organizational units (OUs) named Sales and Marketing. Both OUs have multiple Group Policy Objects (GPOs) linked to them.

The Sales OU needs to be moved under the Marketing OU. You need to find out which objects in the Sales OU are adversely affected by GPOs linked to the Marketing OU. You need to achieve this goal without disruption to users. What should you do?

A. Use the Group Policy Results Wizard for the Marketing OU. Review the policy results for the users in the OU.

B. Use the Group Policy Modeling Wizard for the Marketing OU. Choose the Sales OU to simulate policy settings.

C. Use the Group Policy Results Wizard for the Sales OU. Review the policy results for the users in the OU.

D. Use the Group Policy Modeling Wizard for the Sales OU. Choose the Marketing OU to simulate policy settings.

34. Denis is a systems administrator. He is having problems with Group Policy where a GPO that is supposed to change a user’s wallpaper setting is not being applied to several computers. He calls a friend to ask her if she has any advice. The friend explains to Denis that GPOs are stored in two distinct places on a domain controller and that Denis must look in both locations to troubleshoot the issue. What are the names of these two locations, and where are they stored? [Choose the two best answers]

A. Group Policy Template. This is stored in Active Directory.

B. Group Policy Container. This is stored on the SYSVOL share.

C. Group Policy Template. This is stored on the SYSVOL share.

D. Group Policy Container. This is stored in Active Directory.

35. Zevi has deleted 500 objects from Active Directory. These objects were associated with a project that is now complete. When Zevi monitors the size of Active Directory, he is disappointed to see that the overall size of NTDS.DIT has not changed. He continues to monitor it for several days, but he never sees the size reduce. Why is this?

A. Space consumed in Active Directory cannot be reclaimed. This is for auditing purposes and to ensure that objects can be undeleted.

B. The time it takes for the size to be reclaimed is based on the tombstone settings. Because the default tombstone is 90 days, Zevi will have to wait at least that long before seeing a change.

C. Deletions never cause the size of the file to reduce; they merely create empty space within the NTDS.DIT file.

D. Space can be reclaimed only after full replication has taken place. Only when all copies of the database know about the deletion will space be reclaimed.

36. You are a network administrator for a network consisting of a single Active Directory domain. All computers are members of the domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains desktop client computers and portable client computers. The portable computers include both laptop computers and tablet computers. Client computer accounts are located in various organizational units (OUs) organized by department and division, along with desktop computer accounts. Company policy requires that no portable computer is to be left unattended and logged on to the network, unless protected by a password. Users are not allowed to override this requirement. This requirement does not apply to desktop computers because those computers are located in secured offices. You need to configure your network so that portable computers comply with the company policy. What should you do?

A. Create a Group Policy Object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to read the Oeminfo.info file for manufacturer and model information, and set the screensaver properties if the manufacturer and model number indicate one of the portable computers.

B. Create a Group Policy Object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to make a WMI query for manufacturer information and update the user’s profile information in Active Directory if the user is using a portable computer.

C. Create a Group Policy Object (GPO) that specifies a password-protected screensaver. Link this GPO to the domain. Use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.

D. Create a Group Policy Object (GPO) that specifies a password-protected screensaver. Link this GPO to the domain. Use a WMI filter to query for the specific edition of Windows XP Professional installed on the computer to ensure that the GPO applies only to the portable computers.

37. A new user created on a Windows Server 2003 domain controller must be replicated to all domain controllers in the domain. It takes time for this process to take place. What is the term used to describe this period of time?

A. Overlap period

B. Latency

C. Change notification

D. Journal updates

38. Here are four actions commonly performed by Ron, administrator of a Windows Server 2003–based network:

• Adding a user

• Creating a new domain

• Adding a new object type in Active Directory

• Adding a group

Which of the following statements are correct?

A. Two of these changes will cause enterprisewide replication, and two will cause domainwide replication.

B. One of these changes will cause enterprisewide replication, and three will cause domainwide replication.

C. Three of these changes will cause enterprisewide replication, and one will cause domainwide replication.

D. None of these changes will cause enterprisewide replication, and all will cause domainwide replication.

39. You are the network administrator for a network consisting of a single Active Directory domain. The functional level of the domain is Windows 2000 mixed. The domain includes an OU named Marketing. Computer accounts for client computers in the marketing department are located in the Marketing OU. Each client computer runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. You need to automatically deploy a new software package to all Windows 2000 Professional client computers in the Marketing OU. You create a Group Policy Object (GPO) and link it to the Marketing OU. What else should you do?

A. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign the Authenticated Users group the Allow—Read and the Deny—Apply Group Policy permissions.

B. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Configure a WMI filter to include Windows 2000 Professional.

C. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Disable Computer Configuration settings on the GPO.

D. Configure the GPO to publish the software package under the User Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign only the Windows 2000 Professional computer accounts the Allow—Read and the Allow—Apply Group Policy permissions.

40. Younes is a system administrator for a large company. One of his users, Eric, has to have an application targeted to him. Eric is the manager of finance, and he belongs to a finance security group and OU. After he has tested the application, he will want it targeted to his employees. Younes wants to minimize the amount of work he must do now as well as when the testing has finished. Where is the most logical place to target this GPO?

A. Site

B. Domain

C. OU

D. Finance security group

41. Active Directory data is stored in a file on all domain controllers. What is the name of this file?

A. NTDS.DIT

B. ADDS.ADT

C. NTDS.ADS

D. ADDS.DIT

42. Which of the following are the names given to the partitions of data stored within Active Directory? [Choose all correct answers]

A. Domain

B. Configuration

C. Schema

D. Application

43. Justin Rodino is troubleshooting a Group Policy problem. He has applied settings that target computers in an OU, but one client has not received them yet. He goes to the workstation and wants to apply the settings immediately. He cannot afford to restart the computer. What is the best way to achieve this?

A. Justin should use the Secedit command-line utility.

B. Group Policy can be applied only at startup. Therefore, he must restart the computer.

C. Group Policy does not require a restart; the user simply needs to log on and off.

D. Justin should use the Refreshgpo command-line tool.

44. Paul Butler is preparing some questions for a consultant who is going to visit him to discuss his company’s Active Directory configuration. One of the concerns Paul has is with account lockouts. Paul has calculated that if he changes a password at a remote site, it will take 15 minutes before that change is replicated to all domain controllers in his organization. Paul is worried that a user might get locked out of the domain while he or she is waiting for replication to take place. When he presents this scenario to the consultant, the consultant tells Paul that he does not need to worry about this because Windows Server 2003 takes care of it automatically. What does the consultant mean?

A. The consultant knows that account lockout would not occur. If a user enters a bad password, he or she will simply be logged on with cached credentials.

B. The consultant is wrong. The user would have to wait, but 15 minutes is an acceptable window.

C. The consultant is correct. If a user enters a password that is different from the one stored at a single domain controller, the domain controller polls all other domain controllers to see whether there has been an update for this account.

D. The consultant is right. In this case, the domain controller that is trying to authenticate the user would poll the PDC Emulator to see whether the password had been changed. Password changes are replicated to the PDC Emulator on an urgent basis.

45. You are the network administrator for a network consisting of a single Active Directory domain. There is an OU named DataProc. The DataProc OU contains user accounts for users in the data processing department. You create a Group Policy Object (GPO) and link it to the DataProc OU. You configure the GPO to publish Microsoft Visio. Some of the users in the department report that the application is not available from the Start menu, and other users report that Visio was installed successfully after they double-clicked a Visio document. You need to ensure that all users in the DataProc OU can run Visio. What should you do?

A. Instruct users who report a problem to run the gpupdate command on their computers.

B. Instruct users who report a problem to install the application by using Add or Remove Programs in Control Panel.

C. Run the Group Policy Modeling Wizard on the domain controllers on the network.

D. Run the gpresult command on each client computer and domain controller on the network.

46. Jaime is a system administrator. He is having a problem extending the schema to add a new object type. When he does this, he gets an “access denied” message. He is worried about this because he is a domain administrator. He calls a colleague to discuss it, and his colleague says that Jaime does not have sufficient permissions—he needs to be added to a new security group. Jaime says that because he is a domain administrator, this should be all he needs. He is worried Active Directory is corrupt. Who is correct?

A. The colleague is correct. To edit the schema, Jaime would have to be a domain administrator in every domain in the enterprise.

B. Jaime is correct. To edit the schema in a single domain, he simply needs to be a domain administrator. Jaime should run Ntdsutil.

C. Jaime is correct. However, the database is not corrupt. Jaime simply needs to boot his server into Active Directory Maintenance Mode.

D. The colleague is correct. Jaime must be made a member of the Schema Admins group to edit the schema.

47. Ester is a system administrator for a law firm. One of the primary functions on her network is time synchronization, because the company uses this in its documents. Ester is therefore concerned when she starts to see time-synchronization errors in the logs on her servers. Where is one of the main places Ester should look for this error?

A. Ester should check the PDC Emulator. This machine is tasked with time-synchronization duties.

B. Ester should search for the server running the Time Service. This synchronizes all other servers.

C. Ester should simply check the motherboard of the servers that are experiencing problems. It is not unusual for a server to lose time, and it should be replaced on the next maintenance cycle.

D. Ester should restart the servers experiencing the problem. This causes the servers to resynchronize their time.

48. Jorg is putting the finishing touches on his Windows Server 2003 Active Directory design. He has come up with a plan for three domains all within the same forest. He has a naming scheme and a DNS design. He has the plan examined by a consultant who has done a lot of work for the company in the past. The only change this consultant made was to remind Jorg to add two-way trusts between each of the three domains. Jorg realizes that the consultant probably has never used Windows Server 2003 with Active Directory before. How did he come to this realization?

A. The consultant used the wrong terminology. Windows Server 2003 has shortcut trusts, not two-way trusts.

B. The consultant is correct. Two-way trusts will speed up the logon process.

C. Jorg realized this because there is no need to create old-style two-way trusts—trusts within a forest are created automatically in Windows Server 2003, and they’re transitive.

D. Jorg realized this because to install a domain, you must explicitly set up a two-way trust. Therefore, there is no reason to create them after the fact.

49. Ron wants to make sure that searches for objects across domains are faster. His environment has two buildings, each having its own domain in the same tree. To make searches faster, Ron intends to move a domain controller from his own building into the remote one, and vice versa. Will this make searches across domains faster?

A. No. To search for an object, the remote domain controller will still have to query servers in its home domain.

B. No. Searches across domains are made at a Global Catalog server. Merely being a domain controller will not help.

C. Yes. Because the server will be local to the people doing the search, it will reply faster.

D. Yes. Because the server will be in the remote domain, it could query local servers for any data it needs.

50. You are the administrator of a network consisting of a single domain. The company’s main office is located in New York and remote offices are located in Europe. The offices are connected by dedicated T1 lines. To minimize logon authentication traffic across the slow links, you create an Active Directory site for each company office and configure site links between the sites. Users in remote offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in New York. You need to improve network performance. What should you do?

A. Schedule replication to occur more frequently between the sites.

B. Schedule replication to occur less frequently between the sites.

C. Create a subnet for each physical location, associate the subnets with the New York site, and move the domain controller objects to the New York site.

D. Create a subnet for each physical location, associate each subnet with its site, and move each domain controller object to its site.

51. Peter is a system administrator. He has been given the task of fine-tuning Group Policy in his organization. He decides that one of the things he will do is to disable certain policies. If he wanted to disable unused portions of a GPO to improve processing times, which portions could he disable? [Choose the two best answers]

A. Specific settings within a GPO

B. The Windows Settings subcontainer

C. The Computer Configuration container

D. The User Configuration container

E. The Software Settings subcontainer

F. The Administrative Templates subcontainer

52. Which of the following types of scripts are applied to computer accounts? [Choose the two best answers]

A. Startup

B. Logon

C. Logoff

D. Shutdown

53. Which Windows Server 2003 service has replaced the older Windows NT Directory Replication service?

A. Netlogon

B. Active Directory Replication

C. SYSVOL

D. FRS

54. You are the network administrator for A. Datum Corporation. The company has a subsidiary named Fabrikam. The A. Datum Corporation network consists of a single Active Directory forest. The forest contains one domain named adatum.com. The functional level of the domain is Windows Server 2003. The Fabrikam network consists of a single Windows NT 4.0 domain named FABRIKAM. A file server named Server1 is a member of the adatum.com domain. All users in both domains need to save files on Server1 every day. You need to allow users in the Fabrikam domain to access files on Server1. You need to ensure that the domain administrators of the Fabrikam domain cannot grant users in the adatum.com domain permissions on servers in the Fabrikam domain. What should you do?

A. Upgrade the Fabrikam domain to Windows Server 2003 and make this domain the root domain of a second tree in the existing forest.

B. Upgrade the Fabrikam domain to Windows Server 2003 and make this domain the root domain of a new forest. Create a two-way forest trust relationship.

C. Create a one-way external trust relationship in which the adatum.com domain trusts the Fabrikam domain.

D. Create a one-way external trust relationship in which the Fabrikam domain trusts the adatum.com domain.

55. Christof is writing contingency plans for recovery of his domain controllers. One of the things he is most concerned about is having the servers run out of space, thereby preventing Active Directory from being able to make writes to the database. However, Christof’s colleague, Colin, tells Christof that he need not worry about this, because Active Directory has a reserve of 20MB on each domain controller to account for this very eventuality. In fact, the names of these files are NTDS.RES and MTDS.RE2. Christof doubts whether Colin is correct. Who is right?

A. Colin is right. These files are placeholders that exist simply to consume disk space. This space is used when the server hard disk runs out of space.

B. Colin is almost right. There are indeed files that act as placeholders to consume disk space. However, they are called res1.log and res2.log.

C. Christof is right. There are no placeholders. Monitoring is the only way to make sure disk space does not run out.

D. Christof is right. Active Directory automatically shuts down the server if it runs out of hard disk space. This ensures that database corruption does not occur.

56. You are the system administrator of a Windows Server 2003 domain environment that is not performing as expected. You want to create a more detailed listing of events so that you can see what is happening in detail. How can you best modify the level of logging for the Microsoft Event Viewer?

A. Right-click the Event Viewer and select Full Logging.

B. Modify the Registry and set the level of logging to 0.

C. Modify the Registry and set the level of logging to 3.

D. Create a Group Policy Object to write all events to the Event log.

57. Several tools exist for monitoring Active Directory replication. Which of the following tools can you use to troubleshoot replication problems with AD? [Choose the three best answers]

A. Event Viewer

B. The command-line utility Repadmin

C. The command-line utility Replmon

D. The Graphical User Interface tool Replmon

E. The Graphical User Interface tool Repadmin

58. Ruby is the system administrator for a holistic dog food company based in Portland, Oregon. During a standard review of the Active Directory files on her server, she notices that the hard drive containing the NTDS.DIT file is running out of space. However, plenty of space is available on the RAID-5 array attached to her server. She decides to move the file to the RAID-5 array. How should she best perform this operation?

A. Restart the server in Directory Services Restore Mode and use the Ntdsutil utility to move the file.

B. Shut down the server, restart it in Directory Services Restore Mode, and use Windows Explorer to move the file.

C. While the server is running, use Windows Explorer to move the file.

D. With the servers running, open a command prompt and use Ntdsutil to move the file.

59. While performing some standard maintenance on the server, Roger accidentally deleted an OU containing 500 user accounts, 200 printers, and several groups. Now, Roger realizes his mistake and wants to restore all the deleted items in the most efficient way possible. Fortunately for Roger, he does have the backup of the Active Directory structure from the previous evening. Roger restores from the backup; however, within an hour the OU is once again deleted. How can Roger restore the deleted OU without having it automatically deleted during the next replication cycle?

A. Roger needs to perform a nonauthoritative restore of Active Directory while in Directory Services Restore Mode.

B. Roger needs to perform an authoritative restore of Active Directory while in Directory Services Restore Mode.

C. Roger needs to perform a nonauthoritative restore of Active Directory while Active Directory is running.

D. Roger needs to perform an authoritative restore of Active Directory while Active Directory is running.

60. Randy is the system administrator for a small organization that recently purchased another small organization. When these two companies became one network, Randy created an external trust from the Active Directory domain of the first organization to a UNIX-based domain of the second organization. Because both of the organizations are small, needing only a few changes, Randy sets up the backup schedule to back up the Active Directory every 30 days. However, 22 days after the last backup, the Active Directory database becomes corrupted and Randy decides to restore it. The restoration is successful, and all the objects are re-created as expected. Shortly thereafter, a failure occurs on the external trust between the Active Directory and the UNIX-based domains. What should Randy do to ensure that the external trust functions as expected?

A. Run trustrestore.exe.

B. Use the built-in backup tool to restore the system data.

C. The external trust between a Windows AD domain and a UNIX-based domain can be created only on a temporary basis.

D. The trust needs to be reestablished because the passwords are negotiated every seven days, and the backup exceeds this time frame.
