Server 2003 Ads Chapter Reviews (Without Answers)

CET 2794 – Supporting Active Directory Services in Windows Server 2003 – Chapter Reviews

Chapter 1 - Overview of Active Directory

1. Which of the following files exists on all domain controllers?

a. sysprep.exe b. Ntds.dit c. setupcl.exe

d. Winnt.sif e. Ntbootdd.sys

2. You are the administrator of an Active Directory domain named cohowinery.com. There are five domain controllers in your domain. Two of the domain controllers run Windows 2000 Server and the other three run Windows NT Server 4.0. The three domain controllers that run Windows NT Server 4.0 do not meet the hardware requirements to run Windows Server 2003. Client computers run Windows 2000 Professional, as well as Windows NT Workstation 4.0.

You receive a memo from the corporate security team that says all of the domains in the forest will be raised to Windows Server 2003 functional level at the end of the month. Select only the essential change or changes that you must make in your current network configuration before your network will be able to comply with the security team’s requirements.

a. Upgrade the existing Windows NT Server 4.0 domain controllers to Windows 2000.

b. Remove or replace the existing Windows NT Server 4.0 domain controllers. Upgrade the existing Windows 2000 Server domain controllers to Windows Server 2003.

c. Upgrade the Windows NT Workstation 4.0 computers to Windows 2000 Professional.

d. Upgrade all client computers to Windows XP Professional.

3. You upgrade your Primary Domain Controller (PDC) from Windows NT Server 4.0 to Windows Server 2003. You have one Windows NT Server 4.0 Backup Domain Controller (BDC) on your network. You successfully configure an Active Directory domain named contoso.com. You select a domain functional level of Windows Server 2003 Interim during the upgrade process.

You receive two computers named Server01 and Server02 from another company. These computers run the Windows 2000 Server operating system. They were configured as member servers on the other company’s domain. There are no trust relationships configured between your company domain and the other company’s domain.

Your manager wants you to configure Server01 and Server02 as additional domain controllers in your existing Active Directory domain. The manager does not want you to modify the configuration or operating system on any one of the existing domain controllers. What should you do?

Choose three.

a. Upgrade Server01 and Server02 to Windows Server 2003.

b. Raise the forest functional level to Windows Server 2003.

c. Configure the Preferred DNS server option of Server01 and Server02 to point to a Domain Name System (DNS) server that maintains or has access to the service resource (SRV) DNS records for contoso.com.

d. Install Server01 and Server02 as additional domain controllers for the contoso.com domain.

e. Install Server01 and Server02 as new domain controllers for the ad.contoso.com domain. Configure Server01 and Server02 as DNS servers for the ad.contoso.com zone.

4. What is a logical object in Active Directory that is used to represent two or more IP subnets connected by a fast link?

a. Tree b. Domain c. Forest d. Site

5. What is Microsoft’s recommended maximum number for nested organizational units (OUs)?

a. 1 b. 5 c. 10 d. 50 e. 100


6. What functional level is required for cross-forest trusts?

a. Windows Server 2003 b. Windows Server 2003 interim

c. Windows 2000 native d. Windows 2000 mixed

7. What is the correct definition of a shortcut trust?

a. A manually created trust that allows child domains in separate trees to communicate more efficiently by eliminating the tree-walking of a trust path

b. A trust relationship that allows a child domain to trust another child domain because of their common relationship to a parent domain

c. A trust relationship that allows resource access from one forest to another

d. A trust relationship between domains in a forest

8. You are tasked with raising the forest functional levels for your organization to Windows 2003 interim. In order to raise the functional level, what must be true? (Choose all that apply.)

a. Must be a member of the Domain Admins Group.

b. Must be a member of the Enterprise Admins Group.

c. The functional level of a forest can be raised only on the server that holds the Primary Domain Controller (PDC) emulator role.

d. All domain controllers in the entire forest must be running an operating system supported by the targeted forest functional level.

e. The functional level of a forest can be raised only on a server that holds the Schema Operations master role.

f. All domains must be at the Windows 2000 native functional level or Windows 2003 functional level.

9. Your directory integration team has decided that your domain must provide support to a user password on the inetOrgPerson account. Currently, your domain functional level is Windows 2000 native. Which of the following must be true in order for you to support this new requirement? (Choose three.)

a. You must log on to the server that holds the Primary Domain Controller (PDC) emulator role.

b. You must be a member of the Domain Admins group.

c. You must upgrade all workstations in the target domain to Windows 2000 Professional.

d. You must raise the domain functional level to Windows Server 2003.

e. You must have more than two domain controllers in the domain.


Chapter 2 -

1. You are logged on as an administrator. You are a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. You just finished installing a new domain controller on a computer named Server15. You need to modify the Active Directory schema using the Microsoft Management Console (MMC) Schema snap-in. However, you do not see this console in your administrative tools folder. What must you do to get access to the Schema snap-in? (Choose two.)

a. Use Regsvr32 to register the dynamic link library (DLL), Schmmgmt.dll.

b. Use ADSIEdit, right-click the name of your domain, and select Update Schema Now.

c. Refresh the Active Directory Users And Computers console.

d. Create a new MMC, and add the Schema snap-in.

e. Open Replmon, click the Schema partition, and press F5.

2. You are an administrator for contoso.com. Contoso.com has two child domains, west.contoso.com and east.contoso.com. The contoso.com domain is using the Windows 2000 native domain functional level. The west.costoso.com domain is in the Windows 2000 mixed domain functional level. The east.contoso.com domain is in the Windows Server 2003 interim domain functional level. You attempt to raise the functional level of the forest, but you receive an error message. What must you do before you can raise the forest functional level? (Choose two.)

a. Raise the domain functional level of west.contoso.com.

b. Raise the domain functional level of east.contoso.com.

c. Raise the domain functional level of contoso.com.

d. Create separate Active Directory sites for east.contoso.com and west.contoso.com.

e. Back up the system state data of a domain controller in the forest root.

3. You are the network administrator for the cohowinery.com domain. You need to add a new user principal name (UPN) suffix to your existing domain. You are currently logged on using an account that is a member of Domain Users only. What must you do in order to add this new UPN suffix? (Choose two.)

a. Log on using an account that is a member of the Schema Admins group.

b. Log on using an account that is a member of the Domain Admins group.

c. Log on using an account that is a member of the Enterprise Admins group.

d. Use the Active Directory Domains And Trusts console.

e. Use the Active Directory Sites And Services console.

f. Use the Active Directory Users And Computers console.

4. You are running a testing lab for your company. In your lab, you have an Active Directory domain named contoso.com. Two computers, named TestDC1 and TestDC2, are configured as domain controllers for this domain. TestDC1 was the first domain controller installed on the domain. You raise the forest functional level to Microsoft Windows Server 2003 in order to test compatibility with a custom schema-modifying application. The test doesn’t work as expected. Your manager then asks you to test the application when the forest is in Windows 2000 native functional level. Which of the following should you do in order to prepare TestDC1 and TestDC2? (Choose two.)

a. Configure TestDC1 as a member server of the existing domain.

b. Configure TestDC2 as a member server of the existing domain.


c. Remove Active Directory from TestDC1.

d. Remove Active Directory from TestDC2.

e. Move the Schema operations master role from TestDC1 to TestDC2.

f. Move the Domain Naming operations master role from TestDC1 to TestDC2.

5. You are the domain administrator for cpandl.com. The domain controllers for this domain, named DC1 and DC2, are running Microsoft Windows Server 2003 Standard Edition. The Domain Name System (DNS) servers for your domain, named DNS1 and DNS2, are running Windows Server 2003 Enterprise Edition. DC1 and DC2 are configured to use DNS1 and DNS2 as their Preferred and Alternate DNS servers. DNS1 and DNS2 are configured to allow Zone Transfers To Any Server. You need to verify that the service location (SRV) resource records were added appropriately to your DNS server. Which of the following steps should you take? (Choose two.)

a. Run Nslookup on DC2.

b. Upgrade DC1 and DC2 to Windows Server 2003 Enterprise Edition.

c. Disable Zone Transfers on DNS1 and DNS2.

d. Issue the command ls –t SRV cpandl.com.

e. Issue the command ls –t SRV domain.

6. When installing a replica domain controller for an existing domain, which of the following tasks must you complete? (Choose three.)

a. Specify the location of the Sysvol and Log folders.

b. Specify the name of the first domain controller installed in the domain.

c. Specify the domain name.

d. Specify the Directory Services Restore Mode password.

e. Define the forest root domain name.

7. You are the network administrator for the Active Directory domain named contoso.com. There are five domain controllers on your domain. All domain controllers use Microsoft Windows Server 2003. Four of these domain controllers are online. The domain controller that holds the Schema operations master role is kept offline. You typically manage the domain using an account that has membership only in the Domain Admins group. However, you have access to accounts with membership in all administrative groups. Your manager asks you to install Microsoft Exchange 2000. What must you do before you can install Exchange 2000? (Choose two.)

a. Log on using a user account that is a member of the Server Operators group.

b. Log on using a user account that is a member of the Schema Admins group.

c. Ensure the domain controller holding the Schema operations master is online.

d. Use netdiag /fix to ensure the domain is ready.

e. Use ADPREP on your forest.

8. You are a network administrator for an Active Directory domain named fabrikam.com. Three domain controllers named DC1, DC2, and DC3 are part of your network. These domain controllers run Microsoft Windows Server 2003 Standard Edition and host the Active Directory-integrated Domain Name System (DNS). There are 500 Microsoft Windows XP Professional client computers on your network. There are also 40 Windows NT Workstation 4.0 client computers, as well as 50 Microsoft Windows 95 computers on the network. All of the client computers have the latest service packs installed.


Previously, your network had a domain named FABRIKAM, which was hosted by computers that ran Microsoft Windows NT Server 4.0. There were also two Windows Internet Name Service (WINS) servers that provided name resolution services on the network. After upgrading to Windows Server 2003, your help desk received a few calls from users unable to connect to resources. You log on without a problem from a Windows XP Professional client computer to your domain. Which of the following actions must you perform to ensure that all network users are able to access resources? (Choose two.)

a. Upgrade the Windows 95 client computers.

b. Upgrade the Windows NT Workstation 4.0 client computers.

c. Ensure that all client computers list one of the domain controllers as their preferred or primary DNS server.

d. Configure Forwarding in the DNS console from DC2 and DC3 to DC1.

e. Remove all references to Root Hints from all domain controllers.

9. You are the network administrator for Coho Vineyard. Your network is not connected to the Internet, but all computers use the Transmission Control Protocol/Internet Protocol (TCP/IP). The Windows Internet Name Service (WINS) is the only name resolution service in use on your network. There are three domain controllers on your network. These domain controllers are named DC1, DC2, and DC3. These domain controllers run Microsoft Windows NT Server 4.0. Most of your client computers run Microsoft Windows NT Workstation 4.0 or Microsoft Windows XP Professional. Your network also includes three Windows NT Server 4.0 Remote Access Service (RAS) servers. There are no plans to upgrade the RAS servers or the Backup Domain Controller (BDC) servers at this time.

DC1 is a Windows NT Server 4.0 Primary Domain Controller (PDC). You upgrade DC1 to run Microsoft Windows Server 2003 Standard Edition. Active Directory installation starts automatically. Which of the following options must you choose during Active Directory installation to support your current network environment? (Choose three.)

a. Choose the Windows Server 2003 interim forest functional level.

b. Choose the Windows 2000 forest functional level.

c. Select pre–Windows 2000 compatible permissions.

d. Select Windows Server 2003 permissions.

e. Install and configure Domain Name System (DNS) automatically.

f. Configure the Preferred DNS Server settings of DC1 to point to a WINS server.

10. You are the network administrator of alpineskihouse.com. All of your domain controllers run Microsoft Windows Server 2003 Enterprise Edition. Recently, many of your users were imported from a Windows NT Server 4.0 domain named ADATUM. These users had e-mail addresses with a domain name suffix of adatum.com. You want to enable these users to log on using their e-mail addresses. What should you do? (Choose two.)

a. Add an additional user principal name (UPN) suffix of adatum.com in Active Directory Domains And Trusts.

b. Use ADSIEdit to modify the sIDHistory attribute on each user account.

c. Add an entry for adatum mapped to the Internet Protocol (IP) address of the domain controller to the host file of each new user’s computer.

d. Change the imported user’s UPN suffixes to adatum.com.

e. Create a new Active Directory site named adatum in Active Directory Sites And Services.

11. You are the network administrator for Coho Vineyard and Winery. You’ve just finished installing an Active Directory domain named cohovineyardandwinery.com. Both the winery and vineyard are in the same physical location and on the same local area network (LAN). You expect to have a maximum of 150 client computers on your domain. Your manager tells you there is a problem with the name you’ve created. The board of directors has informed him that the domain name is too long. They want you to use the name cohowinery.com. Your manager wants to be able to use the cohovineyard.com domain name and suffix for his e-mail address and logon. What solution can you provide to incorporate the use of both cohovineyard.com and cohowinery.com to meet these requests? (Choose three.)


a. Create a forest root domain named cohovineyard.com.

b. Rename the forest root domain to cohowinery.com.

c. Create a second domain tree named cohovineyard.com.

d. Configure an additional user principal name (UPN) suffix of cohovineyard.com.

e. Configure your manager’s UPN suffix for cohovineyard.com.

12. Select all requirements for installing Windows Server 2003 Active Directory. (Choose two.)

a. 200 MB minimum free space b. NTFS partition

c. Windows Server 2003 Web Edition d. 250 MB minimum free space

e. FAT32 partition

13. Which of the following are valid ways to launch the Active Directory Installation Wizard? (Choose two.)

a. Use the Microsoft Management Console (MMC) Components Services snap-in.

b. Use the MMC Computer Management snap-in.

c. From the Manage Your Server Web page.

d. Use Add Or Remove Programs in Control Panel.

e. Use Dcpromo.exe.

14. You are the network administrator for a large company. You have three domain controllers named ServerA, ServerB, and ServerC. You have one Domain Name System (DNS) server named ServerD. These servers provide logon authentication and resource access for 5000 users. There is a brief power outage. When power is restored, you receive several calls from users who are unable to log on to the domain. You need to allow these users to log on. Which of the following would be valid steps to troubleshoot this problem? (Choose three.)

a. Stop the NetLogon service on all servers.

b. Ensure all servers are online.

c. Ensure that an SRV resource record exists on ServerD for all domain controllers.

d. Delete all Host (A) records on ServerD.

e. Ensure that the NetLogon service has started on ServerA, ServerB, and ServerC.

15. You are the administrator of a small network. You recently installed a new Windows 2003 DNS server. A network user calls to tell you that he is receiving an error report from a computer with Internet Protocol (IP) address 10.0.0.200. You are not familiar with that IP address. You issue a ping –a 10.0.0.200 to attempt to resolve the host name. The ping does not return a host name in the reply. Later, you locate this computer and determine the appropriate host name. You wantto ensure that when you use the ping –a command to resolve the host name in the future, the host name is returned. How could you accomplish this task? (Choose two.)

a. Add a forward lookup zone. b. Add a reverse lookup zone.

c. Scavenge Stale Resource Records.

d. Configure a Pointer (PTR) record for the 10.0.0.200 address that maps the proper host name.

16. You are the network administrator for contoso.com, which is an Active Directory domain. All domain controllers in the domain run Windows Server 2003 Standard Edition. There is also a Kerberos realm and a Windows Server NT 4.0 domain on your network. The Kerberos realm is named fabrikam.com and is hosted by UNIX servers. The Windows NT Server 4.0 domain is named ADATUM. Members of the fabrikam.com realm need to access resources on contoso.com. Users on ADATUM also need access to resources on contoso.com. What should you do in order to provide access to these domain resources, without giving access to resources that are not required? (Choose two.)

a. Configure a trust relationship so that ADATUM trusts contoso.com.

b. Configure a trust relationship so that fabrikam.com trusts contoso.com.


c. Configure a trust relationship so that contoso.com trusts ADATUM.

d. Configure a trust relationship so that contoso.com trusts fabrikam.com.

17. You are tasked with organizing your company’s Information Technology (IT) resources. Currently, your network environment has one member server for each workgroup and it has three workgroups. Each server has a single volume using the FAT32 file system. During the restructuring, you want to take advantage of the following features: improved hard disk security, domain fault tolerance, centralized administration, single point of access to global resources, and simplified resource location. What should you do? (Choose two.)

a. Convert the member server’s single volume to the NTFS file system.

b. Install Active Directory on one member server and create a new domain.

c. Reconfigure all the current member servers into one workgroup.

d. Install Active Directory on two of the member servers, creating a domain with two domain controllers.

e. Add an extra member server to each workgroup and promote each workgroup to a new domain.


Chapter 3 - Working with Active Directory Sites


1. You are the network administrator of Coho Vineyard. There are three domain controllers in your domain. The Domain Name System (DNS) structure for your domain is maintained on two computers running Microsoft Windows Server 2003 that are configured as member servers. You discover several replication error messages in the Event Viewer. Some of the messages indicate that the bridgehead server in Site01 is having trouble making a connection to the bridgehead server in Site02. You’d like to check your replication topology. Furthermore, you need to verify that your domain controllers in each site are able to properly register their records with the DNS server. Which of the following utilities can help you to perform these tasks? (Choose three.)

a. Replmon b. Windiff c. Repadmin d. Adsiedit e. Dcdiag

2. You manage a network with a single Active Directory domain and five Active Directory sites. The business opens two new locations. The computers that will function as domain controllers at those sites are already in place. However, these computers are configured as member servers running Windows Server 2003 Standard Edition. You plan to create separate site structures for these locations. When these computers are installed, you want to be sure that they are automatically added to the appropriate site. What tasks must you complete before the computers are installed as domain controllers? (Choose two.)

a. Create sites for the new location.

b. Remove all of the existing connection objects in the Default-First-Site-Name.

c. Create new subnets for the new location.

d. Create new site links for the new sites.

e. Remove the member server’s computer accounts from the domain prior to installation of Active Directory.

3. You are viewing the replication topology for your domain, wideworldimporters.com, as shown in the following figure.

All of the domain controllers run Windows Server 2003 and are in the same site. The replication intervals have not been modified. If everything on your network is working properly, what delay would you expect from the time when the user account is deleted on ServerA to the time ServerE receives the change?

a. Less than five minutes b. More than five minutes, but no more than 10 minutes

c. More than 10 minutes, but no more than 15 minutes

d. More than 16 minutes, but less than 20 minutes

4. You manage an Active Directory domain for Humongous Insurance. The network of this company is shown in the following figure. Nothing beyond the default site structure has been created. There are 50 users at each facility. The wide area network (WAN) link between Router1 and Router4 is high-speed. All other WAN links are considered slow. The local area network (LAN) connections at each location are all high-speed.


You’ve been assigned to reduce replication traffic over the slow WAN links. You create two sites named Remote1 and Remote2. You rename the Default-First-Site-Name to HQ. How should you place the servers within these sites? (Choose three.)

a. ServerC in Remote1 b. ServerC and ServerD in Remote1

c. ServerD in Remote2 d. ServerC and ServerD in Remote2

e. ServerA, ServerB, and ServerE in HQ f. ServerA, ServerB, and ServerC in HQ

5. You are a network administrator for Coho Winery and Coho Vineyard. Cohowinery.com and cohovineyard.com are domains in the same forest. The network is divided into two sites as shown in the following figure.

Each domain has five domain controllers. Currently, these domains are configured to use remote procedure call (RPC) over Internet Protocol (IP) replication. However, you are installing firewalls between these domains and want to use Simple Mail Transfer Protocol (SMTP) for replication. Which of the following are appropriate configuration tasks for enabling SMTP replication, given this scenario? (Choose two.)

a. Obtain a certificate.

b. Install Internet Information Server (IIS) SMTP service.

c. Place a domain controller from Coho Vineyard into Site2.

d. Place a domain controller from Coho Winery into Site1.


e. Configure a new site link under the SMTP node in Active Directory Sites And Services.

6. You manage the A Datum Corporation network, which has a single Active Directory domain named adatum.com. The company has three regional offices: west, central, and east. Each office has a corresponding site. These sites are named WestSite, CentralSite, and EastSite, respectively. There are also three site links that connect each location: WestCentral, CentralEast, and WestEast, respectively. Each site link is named after the regional offices to which they connect. Each site link is scheduled to replicate between the hours of –05:00 and –07:00 Greenwich Mean Time (GMT). The rest of the site link properties are set to their default values.

While monitoring replication, you notice that the WestEast site link is used just as frequently as the other two links. However, this site link represents a dial-up connection that is far more expensive and less efficient than the connections represented by the other site links. You need to ensure that WestEast is used only when there is a problem with the other two site links. Which two solutions could you implement to solve this problem? (Choose two.)

a. Remove the WestEast site link. b. Increase the cost of the WestEast site link.

c. Configure WestEast for SMTP replication only. d. Set the IP site link to Ignore Schedules.

e. Decrease the cost of the WestCentral and CentralEast site links.

7. You are a network administrator for Blue Yonder Airlines, which has just expanded to three new locations. Each location has its own Internet Protocol (IP) subnet, router, domain controller, and global catalog server. All sites utilize Microsoft Windows XP Professional or Microsoft Windows 2000 Professional client computers. All domain controllers run the Windows Server 2003 Standard Edition operating system. Domain controllers also run the DNS Server service and have Active Directory–integrated DNS zones for the domain. You want to create sites for each new location. You also want to ensure that users of that local site can be authenticated within their local site. You want to be able to control when new directory information is passed to each site. What must you do? (Choose three.)

a. Create sites and subnets for each new location.

b. Configure client DNS server settings to contact the local domain controller as their preferred DNS server.

c. Remove Active Directory–integrated DNS and install a primary-secondary DNS relationship.

d. Move the computer accounts for the appropriate domain controllers into each site. Add a domain controller to the site that doesn’t have one.

e. Create organizational units (OUs) for each site and move appropriate domain controller computer accounts into those OUs.

8. You are a network administrator for the Baldwin Museum of Science. The company has an Active Directory domain named baldwinmuseumofscience.com. The Baldwin Museum of Science has three locations in the northwestern United States. You’ve been assigned to create sites for each location: Seattle, Washington; Portland, Oregon; and Mt. Shasta City, California. Each location has a router and a different Internet Protocol (IP) subnet. The Seattle site has four domain controllers. Each of the other sites has two domain controllers. Seattle is connected to Portland by a T-1 leased line. Portland is connected to Mt. Shasta City by a 512-Kbps frame-relay connection.

You want to ensure that each location is able to replicate data to the other. You create new sites and new subnets for each location: Seattle, Portland, and Mt. Shasta City. You also create a site link that connects Seattle and Portland. What else must you do to configure a functional site structure? (Choose two.)

a. Create a site link that connects the Default-First-Site-Name and Seattle.

b. Create a site link that connects Portland and Mt. Shasta City.

c. Configure IP to ignore schedules.

d. Move the computer objects in Active Directory Sites And Services to the appropriate sites.

e. Run the command Repadmin /showconn baldwinmuseumofscience.com.


9. You manage the School of Fine Art network, which has a single Active Directory domain. Every domain controller runs Windows Server 2003. You are tasked to configure a site structure for your network. All local area network (LAN) segments are high-speed with plenty of available bandwidth. All WAN segments have limited bandwidth. The network infrastructure is as shown in the following figure.

DC1, DC2, DC3, and DC4 are domain controllers for your domain. You create two sites, SiteA and SiteB. Now you must place the domain controllers in the appropriate site. How should you place the domain controllers? (Choose three.)

a. DC1 in SiteA b. DC2 in SiteA c. DC2 in SiteB

d. DC3 in SiteA e. DC3 in SiteB

10. You manage the Wingtip Toys network, which has a single Active Directory domain. Every domain controller runs Windows Server 2003. You are tasked to configure a site structure for your network. All local area network (LAN) segments are high-speed with plenty of available bandwidth. All wide area network (WAN) segments have limited bandwidth. The network infrastructure is as shown in the following figure.

ServerA, ServerB, and ServerC are domain controllers for your domain. You create two sites named MainSite and BranchSite. Now you must place the domain controllers in the appropriate site. How should you place the domain controllers? (Choose three.)

a. ServerA in MainSite b. ServerB in MainSite c. ServerB in BranchSit

d. ServerC in MainSite e. ServerC in BranchSite


11. You are the network administrator for Wingtip Toys. Your enterprise network contains two domains: wingtiptoys.com and tailspintoys.com. Both are part of the same forest. You are managing servers in Site1, which are configured as shown in the following figure.

DC1, DC2, and DC3 are domain controllers for wingtiptoys.com. DC1 is a global catalog server. DC4 is a domain controller for tailspintoys.com. Which domain controllers do you expect to have the Domain naming context (NC) for tailspintoys.com.

a. DC1 b. DC2 c. DC3 d. DC4

12. You are the network administrator of the City Power & Light network. The network is configured as shown in the following figure. Router1 provides a high-speed local area network (LAN) connection. The connection between Router3 and Router4 is considered slow.

You rename the Default-First-Site-Name to MainSite. You create another site and name it BranchSite. You create subnet objects for each subnet of your network infrastructure inside Active Directory Users And Computers. How should you associate the subnets with the sites? (Choose three.)

a. 10.1.1.0/24 with MainSite b. 10.1.2.0/24 with MainSite

c. 10.1.2.0/24 with BranchSite d. 10.1.3.0/24 with MainSite

e. 10.1.3.0/24 with BranchSite

13. What does Active Directory use to track changes to objects and determine which attribute value is the most recent? (Choose two.)

a. Timestamps b. SIDs c. USNs d. FQDNs

14. How does Active Directory optimize intrasite replication? (Choose three.)

a. The knowledge consistency checker (KCC) creates a dual counter-rotating ring for the replication path.

b. As the site grows, additional connection objects are created to ensure that no more than one hop or route exists between domain controllers.

c. As the site grows, additional connection objects are created to ensure that no more than three hops or routes exist between domain controllers.

d. When a change is marked as urgent, replication is triggered to occur in one minute, bypassing the five-minute default.

e. When a change is marked as urgent, replication is triggered immediately, bypassing the five-minute default.


15. You are the system administrator for a sales company in the United Kingdom (UK) that has three regional offices: north, Midlands, and south. Inside each office there is a domain controller for the domain contoso.com. The domain has three sites, with one for each regional office, named North, Mid, and South, respectively. There is a site link from site North to site Mid named NM, a site link from South to Mid named SM, and a site link from North to South named NS. Site link cost, frequency, and schedule are at their default values.

You have been tasked with configuring the cost and frequency to control replication to meet the following criteria:

Create a configuration whereby the site links named NM and SM are used as the preferred site links for replication. Replication should not occur more than once every four hours.Which of the following tasks must you complete? (Choose two.)

a. Set the frequency to 240 on all site links. b. Set the frequency to 120 on all site links.

c. Set the cost to 240 on all site links. d. Set the cost to 50 on site links NM and SM.

e. Set the cost to 50 on site links NS and SM.

16. You work as a network administrator for Contoso, Ltd., which has two offices named Headquarters (HQ) and Branch. HQ is linked to the Branch office with a slow WAN link. The network is configured with one domain named contoso.com in the forest. Nothing beyond the default site structure has been created. Your manager hires a consultant to create two sites between HQ and the Branch office.

The consultant completes the following tasks:

Configures two Windows Server 2003 computers, named DC4 and DC5, as domain controllers. Sends DC4 and DC5 from HQ to the Branch office. Renames the Default-First-Site-Name site to HQ. Creates a site named Branch. Creates a site link named HQ-Branch.The consultant is unable to complete the task. Your manager assigns you to ensure that Active Directory replication does not occur between the hours of 12:00 P.M. and 5:00 P.M. What tasks must you perform before you can make the configuration change your manager has requested? (Choose two.)

a. Move all the domain controllers in the regional office to the site named Branch.

b. Add Kerberos records to the DNS server for all domain controllers in the Branch site.

c. Add service location (SRV) resource records to the DNS server for all domain controllers in the HQ site.

d. Add subnets to the subnet container for both sites and associate them with the appropriate site.

e. Add a new domain to the forest and move the Branch site onto the new domain.


Chapter 4 - Global Catalog and Flexible Single Master Operations (fSmo) Roles


1. You are the network administrator of Proseware, Inc., which has a single Active Directory domain named proseware.com. The domain mode is set to Windows 2000 native functional level. There are three domain controllers on the network. The domain controllers all run Microsoft Windows Server 2003, Enterprise Edition and are named ServerX, ServerY, and ServerZ. ServerX holds all of the operations master roles for the domain. ServerY is configured as the global catalog server. The network uses Active Directory–integrated Domain Name System (DNS) and all domain controllers are DNS servers. There are 900 client computers on your network. All client computers run Microsoft Windows XP Professional.

You are configuring a new site for a new branch office. Three hundred client computers are added to this location. A 512-Kbps wide area network (WAN) link connects the branch office to the original company network. You move ServerZ to the branch office location physically, as well as in Active Directory Sites and Services.

The branch office manager asks if you can increase the speed of user logons. What can you do to improve the speed of user logons, without negatively affecting logon speed at the company’s original location?

a. Move ServerX to the branch site. b. Move ServerY to the branch site.

c. Transfer the PDC emulator role to ServerZ.

d. Enable universal group membership caching on the site associated with the branch office.

2. You are a network administrator for Northwind Traders. The network is divided into three Active Directory domains and three sites as shown in the following figure.

This application queries attributes that you added to the Active Directory schema. The application contacts domain controllers on port 3268 to locate these custom attributes. You notice that the application is reporting errors that the custom attributes you added are missing. You’ve verified that the attributes are in the schema. What else should you do?

a. Configure universal group membership caching on the East and West sites.

b. Configure a global catalog server in each Active Directory site.

c. Configure the attributes you added to the schema to replicate in the global catalog.

d. Separate the global catalog and infrastructure master roles in each domain.

3. You are a network administrator for the Wingtip Toys network. The network has five domain controllers. Three domain controllers are at the headquarters location. There are two branch sites, SiteA and SiteB. Each branch site has one domain controller. All domain controllers run Microsoft Windows Server 2003, Enterprise Edition. You are the administrator of SiteB. Each site is connected to the main site by a 512-Kbps wide area network (WAN) link.

You are attempting to create a new user account and receive an error message. The error message is as shown in the following figure.


You contact an administrator at the main site and determine that the global catalog server is operational. Which of the following might be causing the problem?

a. The infrastructure master is offline. b. The domain naming master is offline.

c. The schema master is offline. d. The link between SiteA and the main site is down.

e. The link between SiteB and the main site is down.

4. You are the network administrator of tailspintoys.com. Tailspintoys.com is an Active Directory domain. There are three domain controllers on the network. All domain controllers run Microsoft Windows Server 2003, Standard Edition. The network configuration is as shown in the following figure. You are preparing to add a child domain to this network. You raise the domain functional level to Windows 2000 native so that universal groups can be created. What else should you do in order to ensure that the domain will function properly when users start sharing resources between domains and administrators start creating groups with users from multiple domains?

a. Move the PDC emulator role to DC1. b. Move the PDC emulator role to DC3.

c. Remove the global catalog server designation from DC1.

d. Remove the global catalog server designation from DC2.

e. Remove the global catalog server designation from DC3.

5. You are the network administrator of the Contoso Pharmaceuticals network. The network configuration is as shown in the following figure.


Contoso.com is the name of the company’s Active Directory domain. There are four domain controllers on the network. DC1 was the first domain controller installed in the contoso.com domain. DC2 was configured as a replica domain controller to the parent domain. DC3 and DC4 were recently installed to create the two child domains. You have not moved any of the operations master roles yet. All domain controllers run Microsoft Windows Server 2003, Standard Edition.

Where would you find a Primary Domain Controller (PDC) emulator operations master role?

a. DC1 only b. DC2 only c. DC1, DC2, and DC3

d. DC1, DC3, and DC4 e. DC3 and DC4 only

6. You are a network administrator at A. Datum Corporation. The A. Datum Corporation network is as shown in the following figure.

All of the domain controllers on the network run Microsoft Windows Server 2003. All of the client computers on the network are members of the domain and run Microsoft Windows XP Professional. A user working on a client computer named ClientA says that her system time is off by two minutes. You then notice that several other client computers on the same network segment have the same problem. Which computer should you configure in order to resolve this issue?

a. ClientA b. S1 c. S2 d. S3

7. What are the main functions of the global catalog?

a. Facilitation of searches for objects in the forest, resolution of User Principal Names (UPN) and provision of universal group membership information.

b. Routing for the Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocol, resolution of a fully qualified domain name (FQDN), and provision of universal group membership information.

c. Resolution of an FQDN, resolution of UPN, and facilitation of searches for objects in the forest.

d. Resolution of UPN, routing for the IPX/SPX protocol, and provision of universal group membership information.

8. Which of the following is a Flexible Single Master Operations (FSMO) role that is specific to a domain?


a. RID master b. Domain naming master c. Schema master d. Global catalog

9. Which Flexible Single Master Operations (FSMO) role is forest-wide?

a. RID master b. Domain naming master c. Global catalog

d. PDC emulator e. Infrastructure master

10. You work as a local administrator for Wingtip Toys. Tailspin Toys is the main supplier of merchandise sold by Wingtip Toys. Wingtip Toys hosts a domain named wingtiptoys.com. Tailspin Toys hosts a domain named tailspintoys.com. These domains are in separate forests.

Tailspin Toys employees often work at the Wingtip Toys location and often request access to e-mail and other resources. Your manager wants to allow users from Tailspin Toys to be able to log on to their network from Wingtip Toys offices. There are five computers set up in a conference room at Wingtip Toys for use by Tailspin Toys employees. What are the requirements for the Tailspin Toys employees to be able to log on to their network resources when visiting Wingtip Toys?

a. Create a universal group on the Tailspin Toys domain and enable universal group membership caching. Then add all users on the domain to the universal group.

b. Establish a cross-forest trust between the domains. Ensure there is a global catalog on the tailspintoys.com domain. Employees at the Tailspin Toys location log on using User Principal Name (UPN) credentials when at the Wingtip Toys offices.

c. Create an organizational unit (OU) named Tailspin on the Wingtip Toys domain controller. Create user accounts on the Wingtip Toys domain controller for the users of the sister company. Then move the user accounts into the Tailspin OU and provide the users with the user credentials.

d. Create a site, and establish a site link and subnet for the site. Install a domain controller into the site for tailspintoys.com. Add user accounts to the domain controller for the entire list of employees at Tailspin Toys. Provide Tailspin Toys employees with the new logon credentials.

11. You work as a consultant for Tailspin Toys. There are three domain controllers in your domain. The name of the domain is tailspintoys.com. All domain controllers are running Microsoft Windows 2003 Server in Windows 2000 native functional level. The relative identifier (RID) master has failed and is unrecoverable. Before you seize the RID master using another domain controller, what should you do?

a. Use Repadmin to check for the latest updates. b. Format the hard disk of the failed RID master.

c. Disconnect the other domain controllers from the domain.

d. Use Ntdsutil to perform an authoritative restore on one of the other domain controllers.

12. Blue Yonder Airlines network is configured as shown in the following figure.

What Flexible Single Master Operations (FSMO) roles are on DC1 that are not on DC2?

a. Domain naming master and PDC emulator b. Schema master and PDC emulator

c. RID master and PDC emulator d. Infrastructure master and RID master

e. Domain naming master and schema master


13. You work as a consultant for Coho Winery. All domain controllers are running Microsoft Windows 2003 Server in Windows 2000 native functional level. There are three domain controllers for the domain cohowinery.com. ServerA holds the Flexible Single Master Operations (FSMO) roles for the domain and ServerB holds the FSMO roles for the forest. The domain is using Active Directory–integrated Domain Name System (DNS). The DNS server service is installed on ServerC. The IT administrator is running a script on ServerB to add 1000 user accounts. The script has been used successfully in the past. When he runs the script, it fails. In the Directory Services event log, he finds Event 16651: The request for a new account-identifier pool has failed. He calls you and reports the error message. He tells you that ServerA has experienced a hard disk failure and is not recoverable. What can you do to allow him to run the script?

a. Replace ServerA with a new domain controller. b. Transfer the forest-wide FSMO roles to ServerC.

c. Use ServerC to seize the domain-wide FSMO roles. d. Use ServerB to seize the PDC emulator.

14. You work for Contoso, Ltd., as a network administrator. The network is configured as shown in the following figure.

All domain controllers are running Microsoft Windows 2003 Server. The domain functional level is set to Windows 2000 native for all domains. There is a global catalog server at the Headquarters site and the Branch1 site. The site link between Branch2 and the other sites is unreliable. When Branch2 links are down, the users from Branch2 are unable to log on to the network. All client computers are running Microsoft Windows 2000 Professional. The manager from Branch2 wants you to improve logon performance. Which of the following is a valid solution to resolve the logon issues at Branch2?

a. Create a universal group and move all users from Branch2 into the universal group.

b. Install a WINS server on DC5.

c. Transfer the schema master role to DC6.

d. Enable universal group membership caching for the Branch2 site.

15. You work for Coho Winery as a network administrator. The network is configured as shown in the following figure.


All domain controllers are running Microsoft Windows 2003 Server. The domain functional level is set to Windows 2000 mixed for all domains. The forest-wide Flexible Single Master Operations (FSMO) roles are currently on DC1. DC2 and DC3 are configured as global catalog servers. You raise the domain functional level to Windows 2000 native for all domains. The manager at Branch2 calls and tells you that users are unable to log on when the wide area network (WAN) link is down. The Branch2 manager wants his employees to be able to log on even when their WAN link is down. How would you resolve this problem?

a. Add a global catalog to DC1. b. Add a global catalog to DC5.

c. Transfer the domain naming master role over to DC5. d. Transfer the schema master role over to DC5.

16. You work for Contoso, Ltd., as a network administrator. The network is configured as shown in the following figure.

Your manager asks you to review the placement of the operations master roles on your network. He also wants you to consider appropriate placement of global catalog servers. Which of the following configurations are appropriate for your network?

a. Configure ServerB and ServerD as global catalog servers. Remove the global catalog from ServerA. Transfer the contoso.com infrastructure master role to ServerC.

b. Configure ServerE as a global catalog server. Remove the global catalog from ServerA. Transfer the child domain, the contoso.com relative identifier (RID) master, and infrastructure master to ServerE.

c. Configure ServerD as a global catalog server. Transfer the domain naming master role to ServerD.

d. Configure ServerB and ServerD as global catalog servers. Transfer the domain naming master role to ServerC.


Chapter 5 - ACTIVE DIRECTORY ADMINISTRATION

1. You are the network administrator of Alpine Ski House. This company has a single Active Directory domain named alplineskihouse.com. All domain controllers run Windows Server 2003, Standard Edition. All servers use the NTFS file system. The domain functional level is Windows 2000 native. The default Administrator account for this domain is disabled.

Several Microsoft Windows 98 computers are part of a workgroup named SKIPATROL. The rest of the client computers run Microsoft Windows XP Professional and are members of the domain. The network users who use the computers in the SKIPATROL workgroup do not have user accounts on the domain.

You have a share named Public on one of your Windows Server 2003 computers that everyone, regardless of domain membership, needs to access. You’ve configured the share so that the Everyone group has Read access.

You need the users who are members of the workgroup to be able to view documents on the Public share. What should you do?

a. Set the NTFS ACL on the Public folder to allow the Everyone group Read and Execute permissions.

b. Set the NTFS ACL on the Public folder to allow the Authenticated Users group Read and Execute permissions to the folder. Set the Share permission on the Public folder to allow the Authenticated Users group Read permissions.

c. Set the NTFS ACL on the Public folder to allow the Anonymous Logon group Read and Execute permissions. Set the Share permission on the Public folder to allow the Anonymous Logon group Read permissions.

d. Install the directory services client on the Windows 98 computers.

e. Change the name of the workgroup from SKIPATROL to ALPINESKIHOUSE.

2. You are the network administrator of the Baldwin Museum of Science. The company network has a single Active Directory domain named baldwinmuseumofscience.com. All domain controllers run Windows Server 2003, Standard Edition. The domain functional level is Windows 2000 native.

Relevant group memberships are configured as shown in the following table.

Group MemberDomain Admins KevinEnterprise Admins Liz

ImtiazSchema Admins Karan

TengizServer Operators Jim

ShaneLab Aides

Domain Users TimRussell

Lab Aides DebraKendall

No modifications to the default user rights have been made to the Domain Controllers organizational unit (OU). Which users would not be able to log on interactively at the domain controllers?

a. Liz and Imtiaz b. Tim and Russel c. Karan and Tengiz d. Debra and Kendall

3. You are the network administrator of Litware, Inc. The company network has a single Active Directory domain named litwareinc.com. All domain controllers run Windows Server 2003, Standard Edition. The domain functional level is Windows Server 2003. The default Administrator account for the domain is disabled.


Group MemberDomain Admins Rob


ChaseNetManagers

Enterprise Admins SeanGreg

Schema Admins MatthewBaris

Account Operators JeffSootha

Domain Users RobChaseSeanGregMatthewBarisSoothaNeilJeffJason

NetManagers Neil

You hire several new employees. One of the new employees, Jason Carlson, is hired to be a domain administrator. You assign Jeff to create several new user accounts. Jeff creates all of the new user accounts, but is unable to make Jason a member of Domain Admins. What can you do to correct this issue?

a. Remove Jeff from the Domain Users group.

b. Make the NetManagers group a member of Account Operators.

c. Assign Sootha to make Jason a member of Domain Admins.

d. Assign Neil to make Jason a member of Domain Admins.

e. Assign Baris to make Jason a member of Domain Admins.

4. You are the network administrator of Litware, Inc. The company network has a single Active Directory domain named litwareinc.com. All domain controllers run Windows Server 2003, Standard Edition. The domain functional level is Windows Server 2003. The default Administrator account for the domain is disabled.

There are a total of 150 client computers on your network. There are 15 computers that are used as public kiosks. There are 12 computers in a lab that run the Microsoft Windows 2000 Professional operating system. The rest of the client computers run Windows XP Professional, including 12 of the computers configured as public kiosks.


Group MemberDomain Admins AdministratorsEnterprise Admins AdministratorsLab Assistants Network Configuration OperatorsKiosk Admins Performance Log Users

Local Administrators group of each kiosk computer

Server Operators N/AAccount Operators N/A


You hire an assistant named Yao-Qiang to help you configure client computer settings such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). Which group memberships could you assign to Yao-Qiang to allow him to help you accomplish this task?

a. Domain Users b. Server Operators c. Account Operators d. Lab Assistants

5. What is it called when you make a group a member of another group?

a. Group scope b. Group nesting c. Group type d. Special identity groups

6. Which utility cannot be used to set or modify a user’s password?

a. net user b. LDIFDE c. Dsadd d. CSVDE

7. You work for Contoso, Ltd., as a systems administrator. The company has one domain named contoso.com. A Marketing department was added to your organizational structure recently and your manager asks you to create a new organizational unit (OU) in the contoso.com domain. What is the correct command to create a Marketing OU?

a. dsadd ou ou=marketing,dc=contoso,dc=com –desc Marketing OU

b. dsa.msc /ou=marketing,dc=contoso,dc=com –desc Marketing OU

c. net ou marketing /add d. net ou marketing

8. You must create a batch file that creates a user account named Shelly in the Marketing organizational unit (OU) in the Adventure-works.com domain. Which command should you add to the batch file to create the required user account?

a. dsadd ou ou=Marketing,dc=Adventure-works,dc=com -desc Marketing OU

b. net user cn=Shelly,ou=Marketing,dc=Adventure-works,dc=com -samid Shelly

c. dsa.msc, /user cn=Shelly,ou=Marketing,dc=Adventure-works,dc=com

d. dsadd user cn=Shelly,ou=Marketing,dc=Adventure-works,dc=com -samid Shelly

9. Your manager gives you a file that can be used to add 20 user accounts to your Active Directory domain. The file is in the following format:

Dn: cn=Terry Adams,ou=sales,dc=cohowinery,dc=com

ObjectClass: user

SAMAccountName: TAdams

UserPrincipalName: [email protected]

TelephoneNumber: 602-555-1234

How can you execute this file?

a. csvde -i -f newusers.csv b. ldifde -i -f newusers.ldf

c. cscript c:\newusers.vbs d. cscript c:\newusers.js

10. A system administrator gives you a file that can be used to add 10 user accounts to the contoso.com domain. The file is in the following format:

dn,sAMAccountName,userPrincipalName,telephoneNumber,userAccountControl,objectclass

“CN=Terry Adams,OU=Sales,DC=contoso,DC=com”,TAdams,[email protected],586-555-1234,512,user


How would you run the script?

a. csvde -i -f newusers.csv b. ldifde -i -f newusers.ldf

c. cscript c:\newusers.vbs d. cscript c:\newusers.js

11. Using a file, you try to create a user account for Terry Adams in an organizational unit (OU) named Sales. The file is in the following format:

Dn: cn=Terry Adams,cn=sales,dc=contoso,dc=com

ObjectClass: user

SAMAccountName: TAdams

UserPrincipalName: [email protected]

TelephoneNumber: 602-555-1234

When you run the file an error message appears: Directory Object not found. You must find the error with this file and correct it. Which part of the file is causing the error?

a. cn=Terry Adams b. cn=sales c. dc= contoso

d. dc=com e. ObjectClass: user

12. You want to use a batch file to create a user account named Nancy in an OU named TeleSales. The user account password must be set to MSPress#1. Which of the following commands will accomplish this goal?

a. dsadd user cn=Nancy,ou=TeleSales,dc=contoso,dc=com -pwd MSPress#1

b. dsadd ou ou=TeleSales,dc=contoso,dc=com user=Nancy -pwd MSPress#1

c. LDIFDE -e -f c:\Nancy.txt

d. net user Nancy MSPress#1 TeleSales

e. net user Nancy TeleSales MSPress#1

13. Jay Adams has a new telephone number and you need to update his information. When you run the file to update Jay Adams’s telephone number, this error message appears: Directory Object not found. The file is displayed in the following format:

Dn: ou=Jay Adams,ou=sales,dc=cohowinery,dc=com

changetype: modify

replace: telephoneNumber

telephoneNumber: 602-555-4321

-

You must find the error with this file and correct it. Which part of the file is causing the error?

a. ou=Jay Adams b. ou=sales c. dc=cohowinery d. dc=com

14. You are the network administrator of Contoso, Ltd. This company has a single Active Directory domain model. All domain controllers run Windows Server 2003, Standard Edition. The domain functional level is Windows 2000 native. The default Administrator account for this domain is disabled.


Group MemberDomain Admins AndyEnterprise Admins Kim

AdministratorsInstructors

Schema Admins Administrators


Administrators Net AdminsNet Admins AllenLab Users SamInstructors Linda

Net Admins

You need to add an attribute for Social Security Numbers (SSNs) and to link the SSN attribute to the Person class. Which user(s) have the necessary rights to do this?

a. Kelly b. Andy c. John d. Allen

15. You are the network administrator of Coho Winery, Ltd. This company has two Active Directory domains: cohovineyard.com and cohowinery.com. All domain controllers run Windows Server 2003, Enterprise Edition. The functional level of the domains is Windows 2000 native. The default Administrator accounts for the domains are disabled.


Group Member Group TypeEnterprise Admins Charles

Help DeskSecurity

Schema Admins AllenHelp Desk

Security

Administrators John SecurityIT Mgmt Rob DistributionHelp Desk Linda

DT SupportSecurity

DT Support Jason SecurityMgmt Joe

AmyDistribution

Finance Nicole DistributionHR Mary Distribution

Three new employees start work today and require computer access. Terry Adams needs a user account in the cohowinery.com domain. Michael Allen and Karen Archer need user accounts in the cohovineyard.com domain. Which group(s) have the necessary rights to add all users?

a. HR and Finance b. DT Support and Help Desk

c. IT Mgmt and DT Support d. Mgmt and IT Mgmt

16. You are the network administrator of Coho Vineyard & Winery. This company has two Active Directory domains: cohovineyard.com and cohowinery.com. All domain controllers run Windows Server 2003, Enterprise Edition. The functional level of the domains is Windows 2000 native.


Group Member Group TypeEnterprise Admins John

Help DeskSecurity


Security

Administrators Charles SecurityIT Mgmt Susan SecurityIT Support Jason SecurityHelp Desk Linda

IT SupportSecurity

Mgmt JoeAmy

Distribution



Three new employees start work today and require computer access. Terry Adams needs a user account in the cohowinery.com domain. Michael Allen and Karen Archer need user accounts in the cohovineyard.com domain. Susan tries to create the new user accounts, but is unsuccessful. Which group membership would allow Susan to create all of the necessary new user accounts?

a. Schema Admins b. Finance c. Mgmt d. IT Support

17. You are the network administrator of City Power & Light. This company has a single Active Directory domain model. All domain controllers run Windows Server 2003, Standard Edition. The domain functional level is Windows Server 2003.


Group MemberDomain Admins Allen

IT Mgmt

Enterprise Admins Kim

AdministratorsNet Admins

Instructors

Schema Admins IT Support

Administrators

IT Mgmt Susan

IT Support Andy

Administrators Net Admins

Net Admins Jason

Lab Users Linda

Instructors SamNet Admins

Susan tries to add an attribute for Social Security Numbers (SSNs) unsuccessfully. You must make Susan a member of the appropriate group(s) with rights to add attributes. Which group(s) have the necessary rights to add attributes?

a. Instructors b. Net Admins c. Lab Users d. IT Support

18. You are the network administrator of Coho Vineyard & Winery. This company has one Active Directory domain named cohovineyardandwinery.com. All domain controllers run Windows Server 2003, Standard Edition. The functional level of the domains is Windows 2000 native.

Relevant group memberships for cohovineyardandwinery.com are configured as shown in the following table.

Group Member Group TypeEnterprise Admins Help Desk Security


Security

Administrators John SecurityIT Mgmt Susan SecurityIT Support Jason SecurityHelp Desk Linda

IT SupportSecurity

Mgmt JoeAmy

Distribution



Coho Vineyard & Winery is splitting into two companies named Coho Winery and Coho Vineyard. You need to create a new domain for each company and transfer all respective user and computer accounts to the new domains. You ask Susan to create a domain named cohovineyard.com for Coho Vineyard and move the appropriate user and computer accounts from the cohovineyardandwinery.com domain to the cohovineyard.com domain.

Susan tells you that she is unable to create the new domain. You need to assign the task to a user with the correct permissions. Which user accounts should be able to perform the task?

a. Jason and Linda b. Amy and Joe

c. Jason and Allen d. Mary and Nicole


Chapter 6 - Security Planning and Administrative Delegation

1. You are the administrator of Contoso, Ltd., which uses the contoso.com Active Directory domain. All domain controllers run Windows Server 2003, Enterprise Edition. Your company’s Active Directory structure is as shown in the following figure.

Jeff is a new junior network administrator assigned to assist the Accounts Payable department. Jeff’s user account is in the default Users container. Jeff has full control permissions to the AcctPay OU. All other user accounts and resources for Accounts Payable are in the AcctPay OU.

Susan, the junior network administrator assigned to the Accounts Receivable department, has just left your company. Susan had full control permission tothe AcctRec OU. You now want Jeff to be able perform password resets on the AcctRec OU. You don’t want Jeff to be able to modify his own account or anyof the properties of user accounts in the Marketing, Sales, CustSvc, or AcctRec OUs. All OU permissions configurations are at their default state, except for the delegations that you’ve made for Susan and Jeff. Which of the following actions would accomplish your goals?

a. Delegate Jeff full control on the Accounting OU.

b. Delegate Jeff the ability to reset passwords on the Accounting OU.

c. Rename Susan’s user account to Jeff.

d. Place Jeff in the Account Operators group.

2. You are the administrator of Contoso, Ltd., which uses the contoso.com Active Directory domain. All domain controllers run Windows Server 2003, Enterprise Edition. The contoso.com OU structure is as shown in the following figure.


Frank is a new junior network administrator assigned to assist the Accounting department. Frank’s user account is in the default Users container. You want to give Frank full control over the Accounting OU and all subordinate OUs. You accidentally give Frank full control over the Marketing OU. What must you doto correct this problem?

a. Run the Delegation Of Control Wizard on the Marketing OU.

b. Edit the access control list (ACL) on the Marketing OU.

c. Move Frank’s user account to the Accounting OU.

d. Move Frank’s user account to the root of the contoso.com domain.

3. You are an administrator for Trey Research, which has a single Active Directory domain. All of the domain controllers run Windows Server 2003, Standard Edition, and all client computers run Windows XP Professional. The domain is divided into three Active Directory sites; each site has 100 client computers and one domain controller. Your manager gives you 100 smart card readers and tells you to install them on all the client computers in your site.

You install smart card readers on all of the client computers. Once you load the smart card drivers, you see that the Welcome To Windows dialog box displays the message Insert Card Or Press Ctrl-Alt-Del To Begin on all client computers.

You install an enterprise certification authority (CA) along with Internet Information Server (IIS). You then configure and enable the Smart Card Logon template. You configure a user account named Jeff to require smart card logon.

You approach one of the Windows XP Professional computers. When you insert the smart card, the computer requests a personal identification number (PIN). You enter the PIN that you’d like to configure, but you are unable to log on. What must you do in order to use smart card logons?

a. Remove Internet Information Server (IIS).

b. Enable universal group membership caching on your site.

c. Reinstall the smart card drivers.

d. Configure an enrollment station and enrollment agent to place certificates on the smart cards. Issue default PINs to the users.

e. Disable the requirement to use smart cards in order to log on.

4. Which service is required to open Active Directory Users And Computers with the Run As utility?

a. Indexing b. DNS c. Secondary Logon d. Certificate

5. Which of the following situations requires the creation of a group instead of an organizational unit (OU) in an Active Directory domain?


a. Assign access permissions to resources. b. Hide objects within the Active Directory structure.

c. Effective authority delegation and Group Policy assignment.

d. Represent geographic locations or functional needs of a company.

6. Your company has the following naming standard for users: First five letters of the person’s last name and the last two digits of the employee ID. If there is a duplicate account username, the first letter of the person’s first name is added to the end of the account username. Here is a list of usernames and accounts.

Last Name First Name Employee ID Account Username

Zare Robert 5719 Zare57

Zimmerman Kimberly B. 5722 Zimme722K

Zhang Frank 5724 Zhang724F

Zeman Michael 5735 Zeman35

Zhang Larry 5824 ZhangL24

Zimmerman Marc 5822 Zimme822

Which of the above account usernames meets the company’s naming standard?

a. Robert Zare b. Kimberly B. Zimmerman

c. Marc Zimmerman d. Frank Zhang

e. Michael Zeman f. Larry Zhang

7. Your company implemented the following password policy: passwords must be greater than 10 characters. You must use a combination of uppercase and lowercase letters, with at least one number and one symbol. Passwords may not contain usernames, real names, company names, or complete dictionary words. You use a password-auditing tool and it produces the following list of suspicious usernames and passwords.

Username Password

Marc Zimmerman Axatakoxx##

Kevin Liu BatXgir1s#1

Linda Martin Ch1p3ndales

Joseph Mathews F1uffyFr1end

Toby Nixon D0na1d#uck

Which user has a password that meets the password policy requirements?

a. Toby Nixon b. Marc Zimmerman c. Linda Martin

d. Kevin Liu e. Joseph Mathews

8. Your company has the following password policy: passwords must be greaterthan eight characters. You must use a combination of uppercase and lowercase letters, with at least one number and one symbol. Passwords may not contain usernames, real names, company names, or complete dictionary words. You use a password-auditing tool and it produces the following list of suspicious usernames and passwords.


Username Password

Robert Zare Axatakoxx#1

Kevin Liu BatXgir1s#1

Frank Zhang Ch1p3ndales

Rob Young F1u##yFr1end

Toby Nixon D0na1duck#1

Which user has a password that does not meet the password policy requirements?

a. Frank Zhang b. Robert Zare c. Rob Young

d. Toby Nixon e. Kevin Liu

9. You are the system administrator for Contoso, Ltd. You are currently logged on using an account that is a member of only the Domain Users group. You need to add the T_Adams user account to the Marketing OU. Which command line tool can you use to open the Active Directory Users And Computers console, and add the T_Adams user account to the Marketing OU?

a. Run As b. Net user c. Dsadd d. Dsmove

10. You create a new user account named Lnorman and set the password to MSPress#1. You need to verify that the user account can successfully log on to the network. Which command line tool can you use to verify the user credentials allow the user account to log on?

a. Domain.msc b. Ntdsutil c. Run As d. Ipconfig

11. You are the system administrator for Coho Winery. An OU named East-Sales is created on the west.cohowinery.com domain. An administrator adds 100 user accounts to the East-Sales OU. The OU is supposed to be on the east.cohowinery.com domain. You need to fix this issue. What administrative tool can you use to move the OU into the correct child domain?

a. Movetree b. Dsmove c. Netdiag

d. Active Directory Users And Computers e. Active Directory Domains And Trusts

12. Terry is a member of the Snr-Managers organizational unit (OU). Terry has permission to reset user passwords on the Managers OU. You need to stop Terry from resetting user account passwords on the Managers OU. How can you stop Terry from changing user account passwords?

a. Move Terry into the Managers OU from the Snr-Managers OU.

b. Move Terry into the Users container from the Snr-Managers OU.

c. Modify the ACL of the Snr-Managers OU to remove the List Contents permission from the Authenticated Users group.

d. Remove permissions through the Security tab of the Managers OU.

13. Your company has three top-level organizational units (OU) named Marketing, Sales, and HelpDesk. Your manager has asked you to prevent users from the Marketing OU and Sales OU from finding users in the Help Desk OU when searching Active Directory. How can you hide the users in the Help Desk OU from the Marketing OU and Sales OU?

a. Configure the ACL of the HelpDesk OU so that Authenticated Users do not have Read and List Objects permissions.

b. Configure the ACL of the Marketing OU and Sales OU so that Authenticated Users have Read and List Objects permissions.

c. Configure the ACL of the Marketing OU and Sales OU so that Authenticated Users do not have Read Objects permission.

d. Configure the ACL of the Users container so that Authenticated Users do not have Read or List Objects permission.


Chapter 7 - Introduction to Group Policy

1. You are the network administrator for Consolidated Messenger. The organizational unit structure is as shown in the following figure. All member servers and domain controllers run Microsoft Windows Server 2003, Enterprise Edition. All client computers run Microsoft Windows XP Professional.

AV1 is a Group Policy Object (GPO). AV1 is configured with a software package that installs virus-scanning software on computers. AV1 is configured with the No Override setting. DLock1 is a GPO configured as shown in the following figure.

When Amy logs on to Desk1, she sees that the virus-scanning software is installed. However, she is frustrated that she is unable to adjust the display. You want to ensure that computers in the ITS OU receive the virus-scanning software, but you do not want to prevent users in the ITS OU from adjusting display properties. What should you do?

a. Enable Block Policy Inheritance on the ITS OU.

b. Enable the User Group Policy loopback processing mode in DLock1.

c. Configure the Local Computer policy of all computers contained in the Marketing OU or any subordinate OU to disable all of the enabled display settings in DLock1.

d. Move all of the user accounts in the ITS OU hierarchy to the Users container.

2. You are the network administrator for Adventure Works. The Active Directory structure is as shown in the following figure. All member servers and domain controllers run Microsoft Windows Server 2003, Standard Edition. All client computers run Microsoft Windows XP Professional.


You create an unlinked Group Policy Object (GPO) named GPO1 that installs virus-scanning software on computer objects. You need to ensure that this policy is applied to all computers in the entire forest. What should you do?

a. Link GPO1 to the adventureworks.com domain.

b. Link GPO1 to Site1.

c. Enable No Override on GPO1.

d. Create two new GPOs that deploy virus-scanning software and link them to west.adventureworks.com and east.adventureworks.com.

3. You are the network administrator for the Baldwin Museum of Science. The organizational unit structure is as shown in the following figure. All member servers and domain controllers run Microsoft Windows Server 2003, Standard Edition. All client computers run Microsoft Windows XP Professional.

The domain has three sites: North_Site, East_Site, and West_Site. Each site has 100 to 200 client computers, five to ten member servers, and two or more domain controllers. You need to deploy virus-scanning software to all the computers in the museum.

You create an unlinked Group Policy Object named Antivirus1. Antivirus1 is configured with a software distribution policy that deploys the virus-scanning software to computers. What should you do next to complete deployment?

a. Link Antivirus1 to North_Site. b. Link Antivirus1 to the domain.


c. Enable No Override on the Antivirus1 GPO.

d. Create two new GPOs that deploy virus-scanning software and link them to East_Site and West_Site.

4. By default, which objects are affected by the Default Domain Policy GPO settings?

a. All users and computers in the domain b. All domains in a site

c. Domain controllers in the domain only d. All sites in the forest

5. Which tool is used to modify Group Policy settings?

a. Ntdsutil b. Gpresult

c. Active Directory Domains And Trusts d. Active Directory Users And Computers

6. You are the network administrator for Coho Vineyard. There are three organizational units for the Accounting department named Accts, AcctPay, and AcctRec. You have a Group Policy Object named Excel1 linked to the Accts OU. The Group Policy Object (GPO) is configured to install Microsoft Excel to computers. Your manager wants this software installed on all computers in the Accounting department. How can you arrange these organizational units to achieve this goal and efficiently apply the Excel1 GPO?

a. Create a new OU named Excel and move the existing top-level OU into the Excel OU as subordinates.

b. Make the AcctPay OU and AcctRec OU subordinate to the Accts OU.

c. Make the AcctPay OU subordinate to the Accts OU, and the Accts OU subordinate to the AcctRec OU.

d. Configure the ACL of the Accts OU so that Authenticated Users have Read and List Objects permissions.

7. You are the system administrator for Contoso, Ltd. The contoso.com domain is structured as shown in the following figure.


A new Group Policy Object (GPO) named Antivirus1 is linked to the contoso.com domain. Antivirus1 installs antivirus software on all computers. You do not want the antivirus software to install on computers that are members of the Help Desk organizational unit (OU). How can you stop the GPO from installing the antivirus software on the Help Desk OU?

a. Enable Block Policy Inheritance on the Help Desk OU.

b. Enable Block Policy Inheritance on the Desktop Support OU.

c. Enable No Override on the Antivirus1 policy link to the contoso.com domain.

d. Enable No Override on the Default Domain Policy link to the contoso.com domain.

8. You are the system administrator for Coho Winery. The cohowinery.com domain is structured as shown in the following figure.

A Group Policy Object (GPO) is linked to the I.T. Services organizational unit (OU). This GPO is configured with the Prevent CD And DVD Media Information Retrieval setting enabled. Which objects receive the group policy by default?

a. Human Resources, Accounts, and Marketing b. Desktop Support, Accounts, and Human Resources

c. I.T. Support, Desktop Support, and Help Desk d. Users, Computers, and Domain Controllers

9. You are the system administrator for Coho Vineyard. The cohovineyard.com domain is structured as shown in the following figure.

A Group Policy Object (GPO) is linked to the Human Resources organizational unit (OU). This GPO is configured with the Configure Automatic Updates setting disabled. Which objects receive the group policy by default?


a. The Management OU and all subordinate OUs b. The Human Resources OU only

c. The Human Resource OU and all subordinate OUs d. The Domain Controllers OU

10. You are the system administrator for City Power & Light. The cpandl.com domain is structured as shown in the following figure.

A Group Policy Object (GPO) is linked to the Management organizational unit (OU). This GPO is configured with the Do Not Allow Windows Messenger To Be Run setting enabled. Block Policy Inheritance is enabled on the Domain Controllers OU and the Marketing OU. You should expect users in which of the following OUs to be able to run Windows Messenger?

a. HR and all subordinate OUs b. I.T. Dept. and all subordinate OUs

c. Accts and all subordinate OUs d. Sales OU and TeleSales OU

11. You are the system administrator for Fabrikam, Inc. The fabrikam.com domain is structured as shown in the following figure.


All client computers are running Windows XP Professional. A Group Policy Object (GPO) is linked to the fabrikam.com domain. This GPO is configured with the Do Not Automatically Start Windows Messenger Initially setting enabled. Block Policy Inheritance is enabled on the Domain Controllers organizational unit (OU) and the Management OU. You should expect users in which (OUs) to load Windows Messenger when they log on?

a. Marketing OU and all subordinate OUs b. Accounts OU and all subordinate OUs

c. I.T. OU and all subordinate OUs d. Human Resources OU only

12. You are the system administrator for Proseware, Inc. The proseware.com domain is structured as shown in the following figure.

A Group Policy Object (GPO) is linked to the proseware.com domain. This GPO is configured with the Prohibit Access To The Control Panel setting enabled. Block Policy Inheritance is enabled on the I.T. Services OU. You should expect users in which OU to not be able to access Control Panel?

a. Desktop Support b. Help Desk c. Marketing d. I.T. Services



A Group Policy Object (GPO) is linked to the I.T. Services organizational unit (OU). This GPO is configured with the Remove My Pictures Icon From Start Menu setting enabled. Which users in the I.T. Services OU hierarchy do not see the My Pictures icon in the Start menu?

a. All users b. Desktop Support users only

c. I.T. Services users only d. The Desktop Support users and Help Desk users only


The Default Domain Policy is configured with the Remove Run Menu From Start Menu setting disabled. A Group Policy Object (GPO) is linked to the Human Resources organizational unit (OU). This GPO is configured with the Remove Run Menu From Start Menu setting enabled. You should expect users in which OUs to not be able to see the Run command in the Start menu?

a. The Management OU and all subordinate OUs b. All OUs in the domain

c. The Marketing OU and all subordinate OUs d. The Domain Controllers OU



The Default Domain Policy is configured with the Prohibit Adjusting Desktop Toolbars setting enabled. A Group Policy Object (GPO) is linked to the I.T. Dept. organizational unit (OU). This GPO is configured with the Prohibit Adjusting Desktop Toolbars setting disabled. You should expect users in which OUs to be able to adjust the desktop toolbars?

a. Help Desk OU b. Domain Controllers OU

c. Marketing OU d. All organizational units



A Group Policy Object (GPO) is linked to the fabrikam.com domain. No Override has been enabled on the GPO link. This GPO is configured with the Remove Search Menu From Start Menu setting enabled. Block Policy Inheritance is enabled on the Domain Controllers organizational unit (OU) and the I.T. OU. You should expect users in which OUs to not be able to see the Search menu option in the Start menu?

a. Marketing OU and all subordinate OUs b. Accounts OU and all subordinate OUs

c. All users in the domain d. Human Resources OU only

17. You are the system administrator for City Power & Light. The Default Domain Policy is configured with the following settings:

Type Setting State

User Prevent CD And DVD Media Information Retrieval Enabled

Computer Configure Automatic Updates Disabled

Computer Do Not Allow Windows Messenger To Be Run Enabled

Another GPO named Messenger1 linked to the Domain Controllers organizational unit (OU) configured with the Do Not Allow Windows Messenger To Be Run setting for computers is disabled. Based on the configuration, for what can computers in the Domain Controllers OU be used?

a. Configure Automatic Updates b. Run Windows Messenger

c. Configure Automatic Updates and retrieve CD/DVD information

d. Run Windows Messenger and configure Automatic Updates

18. You are the system administrator for Proseware, Inc. The Default Domain Policy is configured with the following settings:

Type Setting State

Computer Enforce Disk Quota Limit Enabled

Computer Enable Disk Quotas Enabled

Computer Default Quota Limit And Warning Level Enabled


The No Override setting is enabled on the Default Domain Policy Link. There is another GPO named DiskQuota1, linked to the Marketing organizational unit (OU), and configured with the Enforce Disk Quota Limit setting disabled. How do these settings affect the computers in the Marketing OU?

a. Disk quota management is enabled, disk quota limits are enforced, and quota limit and warning levels are configured.

b. Disk quota management is disabled, disk quota limits are enforced, and quota limit and warning levels are configured.

c. Disk quota management is enabled, disk quota limits are not enforced, and quota limit and warning levels are configured.

d. Disk quota management is enabled, disk quota limits are enforced, and quota limit and warning levels are not configured.


Chapter 8 - CONFIGURING THE USER AND COMPUTER ENVIRONMENT USING GROUP POLICY

1. You are the network administrator for the Alpine Ski House. You manage a single Windows Server 2003 Active Directory domain. Your domain has a single Active Directory site named Alpine_Site. There are seven top-level organizational units (OUs). One of the top-level OUs is named SkiStaff. There are 50 user accounts and 50 computer accounts inside the SkiStaff OU.

Andy, a fellow network administrator, ran a password-cracking tool with your permission last week. After running the tool for three days, Andy was able to compromise all 50 user accounts in the SkiStaff OU. Andy reported that the password-cracking tool was able to compromise most accounts in the first 75,000 permutations.

You want to configure your domain so that accounts are locked out until an administrator resets the account after a password is entered 10 times incorrectly. You configure the settings shown in following table and save them in a GPO named AcctPol.

Account lockout duration 0 minutes

Account lockout threshold 10 invalid logon attempts

Reset account lockout counter after 30 minutes


What should you do next?

a. Set the account lockout duration for 99999 minutes.

b. Clear the Define This Policy Setting check box on the Account Lockout Duration setting.

c. Link the policy to the Domain Controllers OU with a higher priority than the Default Domain Controllers Policy.

d. Link the policy to the Default Domain Controllers OU with a lower priority than the Default Domain Controllers Policy.

e. Link the policy to the domain with a higher priority than the Default Domain Policy.

2. Which administrative tool can be used to link a Group Policy Object (GPO) to a site?

a. Active Directory Users And Computers (MMC snap-in)

b. Active Directory Sites And Services (MMC snap-in)

c. Gpupdate.exe d. Ntdsutil.exe e. Movetree

3. Which administrative tool can be used to link a Group Policy Object (GPO) to an OU?

a. Active Directory Users And Computers (MMC snap-in)

b. Active Directory Sites And Services (MMC snap-in)

c. Gpupdate.exe d. Ntdsutil.exe e. Movetree



A Group Policy Object (GPO) named Smart1 is linked to the contoso.com domain. Smart1 is configured to distribute certificates to smart cards using the autoenrollment feature. Block Policy Inheritance is enabled on the Marketing organizational unit (OU). Which users cannot use autoenrollment to receive a certificate for their smart cards?

a. Terry and Patricia b. Susana and Patricia

c. Elle and Luis d. John and Sean


A Group Policy Object (GPO) named SCard1 is linked to the cohowinery.com domain. SCard1 is configured to distribute certificates to smart cards using the autoenrollment feature. The Block Policy Inheritance setting is enabled on the Accounts organizational unit (OU) and the Financial Mgmt OU. Which of the following user(s) can use autoenrollment to receive a certificate for their smart cards?

a. John b. Sean c. Chris d. Terry



A Group Policy Object (GPO) named DQ1 is linked to the cohovineyard.com domain. DQ1 is configured to enforce disk quota limits. Block Policy Inheritance is enabled on the Finance organizational unit (OU). Which computer or computers enforce disk quota limits?

a. UK b. Asia c. Italy d. NorthAmerica



A Group Policy Object (GPO) named DiskQ1 is linked to the Finance organizational unit (OU). DiskQ1 is configured to enforce disk quota limits. No Override is enabled on the Finance OU. Block Policy Inheritance is enabled on all subordinate OUs of the Finance OU. Which computer is not configured to enforce disk quota limits?

a. NorthAmerica b. UK c. Italy d. France

8. You are the system administrator for Coho Vineyard & Winery. The cohovineyardandwinery.com domain is structured as shown in the following figure.


A Group Policy Object (GPO) named ReDir1 is linked to the Sales organizational unit (OU). ReDir1 is configured to redirect the users’ My Documents folder to a data server named Data1. Which of the following user’s My Documents folder files are redirected to Data1?

a. Kim b. Sean c. Nancy d. Gary



A Group Policy Object (GPO) named ADReDir1 is linked to the Marketing organizational unit (OU) and the Finance OU. ADReDir1 is configured to redirect the users’ Application Data folder files onto a data server named Data2. Which user’s Application Data folder files are not redirected to Data2?

a. Amy b. Julie c. Gary d. Sean

10. You are the system administrator for Fourth Coffee. The fourthcoffee.com domain is structured as shown in the following figure.


The Default Domain Policy is configured to redirect the users’ Application Data folder files onto a data server named Data3. A Group Policy Object (GPO) named ADReDir1 is linked to the fourthcoffee.com domain. ADReDir1 is configured to redirect the users’ Application Data folder files to a data server named Data1. The GPO named ADReDir1 is given a higher priority than the Default Domain Policy. A Group Policy Object (GPO) named ADReDir2 is linked to the Finance organizational unit (OU). ADReDir2 is configured to redirect the users’ Application Data folder files onto a data server named Data2. Which of the following user’s Application Data folder files are redirected to Data1?

a. None b. Elle c. John d. Luis e. Gary

11. You work for Contoso, Ltd., as a system administrator. There is a domain controller on the network named ServerA. There is a member server on the network named ServerB. There are three client computers named Client1, Client2, and Client3. A GPO named RemoveRun1 is linked to the domain. The RemoveRun1 GPO is configured with the Remove Run Menu From Start Menu setting. Client2 is showing the Run menu when you click on the Start menu. You must ensure that the Run menu is removed from the Start menu immediately. Where do you execute the gpupdate.exe utility to apply the RemoveRun GPO?

a. ServerA b. ServerB c. Client1

d. Client2 e. Client3

12. You work for Coho Vineyard as a system administrator. There are two domain controllers on the network named ServerA and ServerB. There is a member server on the network named ServerC. There is a DHCP server named ServerD and a DNS server named ServerE. A GPO named RemoveRun1 is linked to the domain controllers organizational unit (OU). The RemoveRun1 GPO is configured with the Remove Run Menu From Start Menu setting as Enabled. ServerB is showing the Run menu when you click on the Start menu. You must ensure that the Run menu is removed from ServerB immediately. Where do you execute the Gpupdate.exe tool to apply the RemoveRun GPO?

a. ServerA b. ServerB c. ServerC d. ServerD e. ServerE

13. You are the system administrator for Litware, Inc. The litwareinc.com domain is structured as shown in the following figure.


A Group Policy Object (GPO) named SmartCard1 is linked to the Marketing, Sales, and Shipping organizational units (OUs). SmartCard1 is configured to distribute certificates to smart cards using the autoenrollment feature. Which of the following users cannot use autoenrollment to receive a certificate for their smart cards?

a. Brian b. Corinna c. Patricia d. Angela



There are two Group Policy Objects (GPOs) named PWD1 and PWD2. The GPOs are configured as shown in the table below:

GPO Name GPO Link GPO Setting

Default Domain Policy

contoso.com Account lockout threshold: three invalid login attempts

Default Domain Controllers Policy

Default Domain Controllers

Account lockout threshold: three invalid login attempts

PWD1 Sales Account lockout threshold: four invalid login attempts

PWD2 Telesales Account lockout threshold: four invalid login attempts


Kelly’s user account is locked out. She has typed her password incorrectly three times in a row. Company Password Policy requires that user accounts are not locked out unless a password is entered incorrectly five times in a row. You must enforce company Password Policy. Which GPO link would you modify to comply with the company Password Policy?

a. Default Domain Policy b. Default Domain Controllers Policy

c. PWD1 d. PWD2

15. You are the system administrator for Litware, Inc. The Litwareinc.com domain is structured as shown in the following figure. The domain has only one Active Directory site. The site is named Default-First-Site-Name.

There is a GPO named GPO1 configured to meet the company requirements for password security. The Password Policy settings in GPO1 are configured as shown in the following table:

Policy Policy SettingEnforce Password History Five passwords rememberedMaximum Password Age 25 daysMinimum Password Age One dayMinimum Password Length Seven charactersPassword Must Meet Complexity Requirements

Disabled

Store Passwords Using Reversible Encryption

Disabled


GPO1 is linked to Default-First-Site-Name. You attempt to create a user account named Bob in the Financial Mgmt OU. You set the password for Bob as mspress. The password is rejected. What must you do so that the company Password Policy defined in GPO1 is enforced?

a. Link GPO1 to the domain with a higher priority than the Default Domain Policy.

b. Link GPO1 to the domain with a lower priority than the Default Domain Policy.

c. Link GPO1 to the domain controllers OU with a higher priority than the Default Domain Controllers Policy.

d. Link GPO1 to the domain controllers OU with a lower priority than the Default Domain Controllers Policy.

e. Link GPO1 to the Financial Mgmt OU and enable Block Policy Inheritance on the Financial Mgmt OU.

16. You are a system administrator for Contoso, Ltd. The contoso.com domain is structured as shown in the following figure.

Another administrator changed the Default Domain Policy multiple times. You are tasked to ensure that the company Password Policy is enforced. You create an unlinked Group Policy Object (GPO) named PWD1 with a Password Policy as shown in the following table:

Policy Policy SettingEnforce Password History 24 passwords rememberedMaximum Password Age 25 daysMinimum Password Age One dayMinimum Password Length Seven charactersPassword Must Meet Complexity Requirements EnabledStore Passwords Using Reversible Encryption Disabled


When creating a user account named John in the Marketing OU, you type Tuesday as the password. The password is accepted. What must you do so that the company requirements for password security are satisfied?

a. Link PWD1 to the Marketing OU and enable Block Policy Inheritance on the financial Marketing OU.

b. Link PWD1 to the domain with a higher priority than the Default Domain Policy.

c. Link PWD1 to the domain with a lower priority than the Default Domain Policy.

d. Link PWD1 to the Sales OU and configure the Loopback Processing setting in PWD1 to Enabled.

17. You are the administrator for Coho Winery. There is one domain controller named DC1 for the cohowinery.com domain. There are two file servers named ServerA and ServerB. There is a Group Policy Object (GPO) named Redirect1 linked to the Sales OU and configured as shown in the following figures.


You remove the Redirect1 GPO link from the Sales OU. However, Julie’s My Documents folder is still being redirected. What should you do?

a. Use the Default Domain Controllers Policy to redirect the My Documents folder to the \\DC1\Sysvol.

b. Delete the Redirect1 GPO.

c. Link the Redirect1 GPO to the domain and set the Target Folder Location setting to redirect to the local user profile.

d. Use the Default Domain Policy to configure a folder for each user under the root path.


Chapter 9 - MANAGING SOFTWARE


1. What is the default security of Software Restriction Policies when they are first enabled?

a. Unrestricted b. Disallowed c. No Override d. Not Configured

2. Which of the following has path rules configured by default when you enable Software Restriction Policies in that Group Policy Object (GPO)?

a. Only the Computer Configuration portion of the Default Domain Policy

b. Only the User Configuration portion of the Default Domain Policy

c. The Computer Configuration portion of every GPO

d. The User Configuration portion of every GPO

3. You are the network administrator for Coho Vineyard. You manage a single Windows Server 2003 Active Directory domain. Your domain has two Active Directory sites. One is named Main_Site and the other is named Branch_Site. There are 5 Windows Server 2003 domain controllers, 2 Windows Server 2003 member servers, and 450 Windows XP Professional client computers on your network. One member server and 50 client computers are located in Branch_Site. The OU structure of your network is as shown in the following figure.

You create a Group Policy Object (GPO) named SP_Dist to distribute service pack software to your client computers. In this policy, you configure update.msi for deployment to computers. You link SP_Dist to the Finance OU. A user named John restarts the computer named Asia and then confirms that the service pack is installed. A user named Patricia then restarts the UK computer. She reports that the computer does not receive the service pack. You need to ensure that the service pack is deployed to all client computers on the network. What should you do?

a. Enable No Override on the SP_Dist link to the Finance OU.

b. Ensure that SP_Dist is configured with the Install This Application At Logon setting.

c. Link SP_Dist to the domain and enable No Override.


d. Link SP_Dist to Main_Site and enable No Override.

e. Configure SP_Dist to be published to users and leave the default settings.

4. You are the network administrator for Coho Vineyard & Winery. You manage a single Windows Server 2003 Active Directory domain. Your domain has a single Active Directory site named HQ_Site. There are three Windows Server 2003 domain controllers, two Windows Server 2003 member servers, and 300 Windows XP Professional client computers on your network. Each department in your company has an OU named after the department. All user and computer accounts for the department are configured in that OU. The OU structure of your network is as shown in the following figure.

You want the users in the Sales department to be able to use Microsoft Office XP. However, you have enough software licenses to allow only users in the Sales department to use Microsoft Office XP. You create a Group Policy Object (GPO) named Office_XP that deploys the Microsoft Office XP application to computers. You link this policy to the Marketing OU.

When Amy logs on to a computer in the Marketing OU, she has no access to Microsoft Office XP applications. She is also unable to open a Microsoft PowerPoint file. There are 50 computers and 50 users in the Marketing OU. You want all Sales department users to have access to Microsoft Office XP applications regardless of which computers they use. What should you do?

a. Link Office_XP to the domain.

b. Change Office_XP to assign software to users instead of computers.

c. Configure the Office_XP link to the Marketing OU for No Override.

d. Configure the Marketing OU with the Block Policy Inheritance setting.

5. You are the network administrator for Fourth Coffee. You manage a single Windows Server 2003 Active Directory domain. Your domain has a single Active Directory site named Buzz_Site. There are 4 Windows Server 2003 domain controllers, 4 Windows Server 2003 member servers, and 500 Windows XP Professional client computers on your network. Each department in your company has an OU named after the department. All user accounts for the department are configured in that OU. All client and member server computer accounts are in the default Computers container. The OU structure of your network is as shown in the following figure.


You need to deploy a service pack to all client computers on your network. You create a network share named SP and share that on the network to the Everyone group. You create a Group Policy Object (GPO) named SP_Fix and link it to the Finance OU. You configure SP_Fix to publish the update.msi file to users. A week later, you check five different computers that are used by Patricia, Luis, Nancy, and Elle. None of these computers have the service pack installed. You need to ensure that all client computers are updated with the service pack. What should you do?

a. Link the SP_Fix to the Default Domain Controllers OU.

b. Move the computer accounts for the Finance department to the Finance OU.

c. Change the deployment option to assign SP_Fix to users and link it to the Buzz_Site.

d. Change the deployment option to assign SP_Fix to computers and link it to the domain.

6. You are the network administrator for Wide World Importers. You manage a single Windows Server 2003 Active Directory domain. Your domain has a single Active Directory site named Globe_Site. You have an application created by software developers in your company that must be installed on all computers in the domain regardless of whether a user ever logs on to the computer. You want to use Group Policy to deploy this application to all Windows XP Professional and Windows 2000 Professional computers on your network. The application consists of only an executable (.exe) and several dynamic link library (.dll) files. What should you do in order to prepare this application for distribution to all computers through Group Policy?

a. Create a file with a .zap file extension. b. Create a file with an .msp file extension.

c. Use repackaging software to create a file with an .msi file extension.

d. Use the Custom Installation Wizard from the Microsoft Office XP Resource Kit Tools to create a file with an .mst file extension.

7. You are the network administrator for the School of Fine Art. The School of Fine Art has a single Active Directory domain model. All domain controllers run Windows Server 2003 and all client computers run Windows XP Professional.

You create a path rule in a Group Policy Object (GPO) linked to the domain that prevents users from running applications from the C:\CustomApps folder. The path rule is configured under the Computer Configuration portion of the GPO.

You notice that several students are running an application named Litware.exe that is typically installed to the C:\CustomApps folder. You want to prevent students from running Litware.exe on client computers, even if they move it to another folder, or e-mail it to each other. What can you do?


a. Configure the path rule in the User Configuration portion of the GPO.

b. Configure an Internet zone rule that specifies Litware.com as a Restricted Site.

c. Create a hash rule to disallow use of Litware.exe.

d. Configure the GPO you created and linked to the domain with No Override.

8. You are the network administrator for Adventure Works. The Active Directory structure is as shown in the following figure. All member servers and domain controllers run Microsoft Windows Server 2003 Standard Edition. All client computers run Microsoft Windows XP Professional.

You have created an unlinked Group Policy Object (GPO) that is configured to assign Microsoft Excel to computers. The GPO is named GPO1. You need to ensure that this policy is applied to all computers in the entire forest. What should you do?

a. Link GPO1 to the adventureworks.com domain. b. Link GPO1 to Site1.

c. Enable No Override on GPO1.

d. Create two new GPOs that deploy Microsoft Excel and link them to west.adventureworks.com and east.adventureworks.com.

9. You are the network administrator for the Baldwin Museum of Science. The organizational unit (OU) structure is as shown in the following figure. All member servers and domain controllers run Microsoft Windows Server 2003 Standard Edition. All client computers run Microsoft Windows XP Professional.


The domain has three sites: North_Site, East_Site, and West_Site. Each site has 100 to 200 client computers, five to ten member servers, and two or more domain controllers. You need to deploy Microsoft Works Suite 2004 to all the computers in the company.

You create an unlinked Group Policy Object (GPO) named MSWorks1. MSWorks1 is configured with a software distribution policy that deploys Microsoft Works Suite 2004 to computers. What should you do next?

a. Link MSWorks1 to the North_Site. b. Link MSWorks1 to the domain.

c. Enable No Override on the MSWorks1 GPO.

d. Create two new GPOs that deploy virus-scanning software and link them to East_Site and West_Site.

10. You are the network administrator for Coho Vineyard & Winery. The Active Directory structure is as shown in the following figure. All domains are in the same forest and cohovineyardandwinery.com is the forest root domain. All member servers and domain controllers run Microsoft Windows Server 2003 Enterprise Edition. All client computers run Microsoft Windows XP Professional.

Each domain has a Group Policy Object (GPO) linked to it. The following table illustrates the GPOs and their respective links and software installation settings.

GPO Name Linked To Assigned to Computers

GPO1 cohovineyardandwinery.com Microsoft Office XP Professional

GPO2 cohovineyard.com Microsoft Works Suite 2004

GPO3 cohowinery.com Microsoft Word 2002


None of these GPOs install antivirus software. You want to install antivirus software for all computers in the entire forest. You repackage your antivirus software as av.msi. What should you do?

a. In GPO2 and GPO3, assign the av.msi package to computers.

b. In GPO1, assign the av.msi to computers and configure that policy for No Override.

c. Create a new GPO that assigns av.msi to users and link that policy to cohovineyardandwinery.com.

d. Create a new GPO that assigns av.msi to computers and link that policy to Site1 and Site2.

11. You are the network administrator for Coho Vineyard. There are three organizational units (OUs) for the Marketing department named MKT, Sales, and TeleSales. You have a Group Policy Object (GPO) named FP1 linked to the MKT OU. The Group Policy Object (GPO) is configured to assign Microsoft FrontPage 2002 to computers. Your manager wants this software to be installed on all computers in the Marketing department. How can you arrange these organizational units to achieve this goal and efficiently apply FP1?

a. Create a new OU named FP2 and move the existing top-level OU into the FP2 OU as subordinates.

b. Make the Sales OU and TeleSales OU subordinate to the MKT OU.

c. Make the Sales OU subordinate to the MKT OU and the MKT OU subordinate to the Telesales OU.

d. Move the Sales and TeleSales OUs into the Default Domain Controllers OU.


A new Group Policy Object (GPO) named MSA1 is linked to the contoso.com domain. MSA1 installs Microsoft Access 2002 on all computers. You do not want the Microsoft Access 2002 software to install on the computers that are members of the Help Desk organizational unit (OU). How can you stop the GPO from installing the Microsoft Access 2002 software on the Help Desk OU?

a. Enable Block Policy Inheritance on the Help Desk OU.

b. Enable Block Policy Inheritance on the Desktop Support OU.

c. Enable No Override on the MSA1 policy link to the contoso.com domain.

d. Enable No Override on the Default Domain Policy link to the contoso.com domain.

13. You are the system administrator of the fabrikam.com domain. All member servers and domain controllers run Microsoft Windows Server 2003 Standard Edition. All client computers run Microsoft Windows 2000 Professional.


A new Group Policy Object (GPO) named MSN1 is linked to the fabrikam.com domain. MSN1 is configured to assign MSN Messenger to users. The software is configured by default to be advertised only in the user’s Start menu. You must reconfigure the policy so that the software is ready to use when run. Which option makes the software ready to use when run?

a. Publish b. Install This Application At Logon

c. Auto-install This Application By File Extension Activation

d. Do Not Display This Package In The Add/Remove Programs Control Panel

14. You are the network administrator for Coho Winery. There is a Group Policy Object (GPO) named ST1 and configured as shown in the following figure.


There are three organizational units (OUs) for the Marketing department named Mkt, Sales, and R&D. ST1 is linked to the R&D OU. The Default Domain Policy has not been modified. You move Andy’s user account from the R&D OU to the Mkt OU. When Andy logs on to the network, Windows Support Tools continue to be available to Andy. You must configure Group Policy to remove software from users that are removed from the R&D OU. What can you do?

a. Enable No Override on the cohowinery.com domain.

b. Enable Block Policy Inheritance on the Mkt OU.

c. In Windows Support Tools Properties for ST1, select the settings for deployment options in ST1 to uninstall the application when it falls out of the scope of management.

d. In Windows Support Tools Properties settings for ST1, change the deployment type to Published.

15. You are the network administrator for Alpine Ski House. There is one domain in the forest named alpineskihouse.com. The domain has three sites: North_Site, East_Site, and West_Site. You need to deploy Microsoft Office XP Professional to all the computers in the company. You create an unlinked Group Policy Object (GPO) named MSPM1. MSPM1 is configured with a software distribution policy that deploys Microsoft Business Solutions for Project Management to computers. Where should you link MSPM1?

a. North_Site only b. Domain Controllers OU

c. East_Site and West_Site d. Alpineskihouse.com

16. You are the network administrator for Fourth Coffee. The company has three sites within their domain: North_Site, South_Site, and MidWest_Site. All member servers and domain controllers run Microsoft Windows Server 2003 Standard Edition. All client computers run Microsoft Windows 2000 Professional.

All domain controllers are located in Midwest_Site. There are client computers in each Active Directory site. You need to deploy Windows Support Tools to all domain controllers in the company without deploying the Support Tools to the client computers. You create an unlinked Group Policy Object (GPO) named STP1. STP1 is configured with a software distribution policy that deploys Windows Support Tools to computers. Where should you link STP1?

a. MidWest_Site b. Domain Controllers OU

c. South_Site and North_Site d. Company domain

17. You are the network administrator of the fabrikam.com domain. All member servers and domain controllers run Microsoft Windows Server 2003 Standard Edition. All client computers run Microsoft Windows XP Professional. Company policy prohibits the use of the cmd.exe program on all computers. A Group Policy Object (GPO) named SR1 is linked to the domain. You need to configure SR1 with a software restriction rule that prevents users from running the cmd.exe program regardless of the location. What type of rule can do this?

a. Path b. Hash c. Internet zone d. Least privilege

18. You are the network administrator of the contoso.com domain. All member servers and domain controllers run Microsoft Windows Server 2003 Enterprise Edition. All client computers run Microsoft Windows XP Professional. All domain controllers are located in the default container. There are two organizational units (OUs) named Sales and Finance. Each OU contains computer and user accounts. Company policy prohibits the use of the mspaint.exe program on all domain controllers. A Group Policy Object (GPO) named SR1 is configured with a hash rule to prevent mspaint.exe from running. To which Active Directory container should you link SR1?

a. Contoso.com domain b. Domain Controllers OU

c. Sales OU d. Finance OU


Chapter 10 - LANNING A GROUP POLICY MANAGEMENT AND IMPLEMENTATION STRATEGY


1. You are the network administrator for The Phone Company. All of the domain controllers and member servers on the network run Windows Server 2003, Standard Edition. Client computers on the network run Windows XP Professional and Windows 2000 Professional. The domain is configured as shown in the following figure.

You want the AntiVirus Group Policy Object (GPO) to apply to all computers in your domain. What must you do?

a. Configure the AntiVirus GPO to be enforced.

b. Remove the Client filter link from the AntiVirus GPO.

c. Enable Block Policy Inheritance on the thephone-company.com container.

d. Configure the Default Domain Policy so that it is not enforced.

2. You are the network administrator for Tailspin Toys. All of the domain controllers and member servers on the network run Windows Server 2003, Standard Edition. Client computers on the network run Windows XP Professional and Windows 2000 Professional. The domain is configured as shown in the following figure.

You want the Desktops Group Policy Object (GPO) to apply only to your client computers. What must you do?

a. Link X filter to the Desktops GPO. b. Enable Block Policy Inheritance on the Servers OU.

c. Configure the Desktops GPO to be enforced. d. Configure the Servers GPO to be enforced.


3. You are the network administrator for Proseware, Inc. All of the domain controllers and member servers on the network run Microsoft Windows Server 2003, Standard Edition. All client computers on the network run Microsoft Windows XP Professional. There are member server accounts in the Servers OU and the Executives OU. There are client computer accounts in the Clients OU and the Executives OU. The domain is configured as shown in the following figure.

You want to ensure that the Secure Group Policy Object (GPO) is applied to every account in the Executives OU. What must you do?

a. Remove the X filter link to the Secure OU and replace it with a link to Y filter.

b. Modify X filter to include computers with a caption of Windows Server 2003, Standard Edition.

c. Link the Secure GPO to the proseware.com container and configure the Secure GPO to be enforced.

d. Remove the X filter link to the Secure GPO and link the Secure GPO to the Executives OU.

4. You are the network administrator for Fourth Coffee. All of the domain controllers and member servers on the network run Windows Server 2003, Standard Edition. All of the client computers on the network run Windows XP Professional. The domain is configured as shown in the following figure.

You want to ensure that the Desktops Group Policy Object (GPO) applies to all 50 user accounts in the Clients OU. What must you do?

a. Configure the Desktops GPO as Enforced.


b. Remove the Block Policy Inheritance setting on the Executives OU.

c. Increase the Link Priority of the Desktops GPO on the fourthcoffee.com container.

d. Link the Desktops GPO to the Clients OU.

e. Add the Domain Users group to the Security Filtering section of the Desktops GPO Properties dialog box.

5. You are the network administrator for Fabrikam, Inc. All of the domain controllers and member servers on the network run Windows Server 2003, Standard Edition. All client computers on the network run Windows XP Professional. The domain is configured as shown in the following figure.

The Desktops Group Policy Object (GPO) settings are not configured on any of the 50 client computer accounts in the Clients OU. Why?

a. The Desktops GPO is blocked by the Executives OU.

b. The Desktops GPO is disabled.

c. The Desktops OU is not linked to the domain.

d. Computer objects in the Clients OU don’t have the right to Read or Apply Group Policy on the Desktops GPO.

6. You are the network administrator for A. Datum Corporation. All of the domain controllers and member servers on the network run Windows Server 2003, Standard Edition. All client computers on the network run Windows XP Professional. The domain is configured as shown in the following figure.


The manager of the Central OU wants to know why the Desktops Group Policy Object (GPO) is not applying to the resources in the Central OU. What is the reason?

a. The Central OU has Block Policy Inheritance configured.

b. The Desktops GPO is not linked to the Central OU.

c. The Desktops GPO link to the domain is disabled.

d. The Default Domain Policy is overriding the Desktops GPO.

7. You are the network administrator for Alpine Ski House. All of the domain controllers and member servers on the network run Microsoft Windows Server 2003, Standard Edition. All client computers on the network run Microsoft Windows XP Professional. The domain is configured as shown in the following figure.

All of the computers with computer accounts in the SkiTeam OU are Windows XP Professional computers. However, none of the computers receive the applications that are deployed using the SkiTeamApps Group Policy Object (GPO). Why?

a. XP filter is designed to prevent the GPO from applying to computers running Windows XP Professional.

b. The SkiTeam OU has Block Policy Inheritance configured.

c. The SkiTeamApps GPO is disabled.


d. The Default Domain Policy is overriding the SkiTeamApps GPO.

e. Block Policy Inheritance in configured on the domain.

8. You are the network administrator for Coho Winery. You manage a single-domain Active Directory structure. There is a Group Policy Object (GPO) named SoftPack. This GPO has several software applications configured to be assigned to users. SoftPack has the Security Settings shown in the following figure.

Although this GPO is linked to the domain, it is not applying to any of your users. You ask all users to log off and then log on, but no user has access to the new applications. How do you solve this problem?

a. Allow the Full Control permission for Creator Owner on SoftPack.

b. Enable No Override on SoftPack.

c. Allow the Apply Group Policy permission for Authenticated Users on SoftPack.

d. Enable Block Policy Inheritance on the domain.

9. You are the network administrator for Coho Vineyard. You manage a single-domain Active Directory structure. There is a Group Policy Object (GPO) named CompDist. This GPO has custom software applications configured to be assigned to computers. ComptDist has the Security Settings shown in the following figure.



The CompDist GPO is linked to the domain. You restart all of the computers in your domain, but do not see the application installed on any of these systems. You do not want this GPO deployed on a user basis; you specifically want it deployed on a computer basis. What must you do?

a. Configure Authenticated Users to be allowed to read and apply Group Policy on CompDist Security Settings.

b. Configure Allow Full Control permissions for Enterprise Domain Controllers on CompDist Security Settings.

c. Configure the System account for Allow Full Control permissions on CompDist Security Settings.

d. Enable No Override on the CompDist GPO.

e. Configure Block Policy Inheritance on the domain.

10. You are the network administrator for Trey Research. The Trey Research OU structure is as shown in the following figure. The company has a single Active Directory domain model. You configure a Group Policy Object (GPO) named UserConf that removes several items from a user’s desktop as well as preventing the user from accessing the Control Panel.

You want this policy to apply to a group of computers in the Public_Systems OU no matter which users actually log on to these computers. What must you do?

a. Grant the System account Full Control on the access control list (ACL) of UserConf.

b. Configure Block Policy Inheritance on the Public_Systems OU.

c. Place all the computers in a single group. Configure the access control list (ACL) UserConf so that users in the Public_Systems OU have Read and Apply Group Policy permissions.

d. Link the Policy to the Public_Systems OU and enable User Group Policy Loopback Processing Mode in Replace Mode.

e. Configure a Windows Management Instrumentation (WMI) filter that includes all computer objects except for those in the Public_Systems OU and link that filter to the UserConf GPO.

11. How can you prevent restrictive Group Policy Objects (GPOs) from applying to administrators?

a. Add the Administrators group to the GPO access control entry (ACE) and configure the Administrators group in the GPO ACE to Deny on Apply Group Policy.

b. Configure the Enterprise Admins group in the GPO access control list (ACL) so that Enterprise Admins do not have Read permissions.

c. Configure the Domain Admins group in the GPOs access control list (ACL) so that Domain Admins have Full Control.

d. Configure the Authenticated Users group in the GPOs access control list (ACL) so that Authenticated Users have Full Control.

12. Which of the following tools allow you determine what group policies are applied to a computer account?


a. Rsop.msc b. Netdiag c. Dcdiag d. Adsiedit.msc

13. Which of the following tools allow you determine what group policies are applied to a user account?

a. Netdiag b. Dcdiag c. Ntdsutil

d. Adsiedit.msc e. Gpresult

14. Which tool can be used to delegate administrative control of Group Policy management tasks when planning a decentralized administrative approach?

a. Adsiedit.msc b. Gpmc.msc c. Ntdsutil d. Netdiag

15. You are the network administrator for Contoso Pharmaceuticals. The organizational unit (OU) structure is as shown in the following figure.

There is a Group Policy Object (GPO) named GPO1. GPO1 is configured to publish Microsoft Encarta Encyclopedia Deluxe 2004. GPO1 is linked to the US and Mexico organizational units (OUs). You want GPO1 to apply to all users in the US and Mexico OU except those users who are part of the Production OU that is subordinate to the Mexico OU. Which of the following options can be used to filter out the Production OU that is subordinate to the Mexico OU with the least administrative effort?

a. Create a Windows Management Instrumentation (WMI) filter on GPO1.

b. Use security filtering on GPO1.

c. Enable Block Policy Inheritance on the Production OU, which is subordinate to the Mexico OU.

d. Enable No Override on GPO1.

16. You are the network administrator for Contoso, Ltd. The organizational unit structure is as shown in the following figure.


There is a Group Policy Object (GPO) named MPO1. MPO1 is configured to publish Microsoft Project 2002. MPO1 is linked to the Finance organizational unit (OU). You want MPO1 to be applied only to Terry and Corinna. How can you configure the domain controller so that MPO1 is applied only to Terry and Corinna?

a. Create a Windows Management Instrumentation (WMI) filter and link it to MPO1.

b. Enable Block Policy Inheritance on the Finance OU.

c. Add Terry and Corinna to the Security Settings of MPO1. Give these accounts Read and Apply Group Policy permissions.

d. In GPMC on MPO1’s Scope tab, under Security Filtering, remove Authenticated Users and add MGMT.

17. You are the network administrator for Coho Vineyard. The organizational unit (OU) structure is as shown in the following figure.

There is a Group Policy Object (GPO) named EX1. EX1 is configured to assign Microsoft Excel version 2002 to computers. EX1 is linked to the Accounts organizational unit (OU). You want EX1 to be applied to all computers in the Accounts OU except computers with less than 315 MB of available disk space. How can you prevent Microsoft Excel version 2002 from being installed on client computers that do not have 315 MB of available disk space?

a. Create a Windows Management Instrumentation (WMI) filter and link it to EX1.

b. Enable No Override on EX1.

c. Create a group named Sec1 in Active Directory Users And Computers. In GPMC on EX1’s Scope tab, under Security Filtering, remove Authenticated Users and add Sec1.


d. Enable Block Policy Inheritance for the Marketing OU.


Chapter 11 - Active directory maintenance, Troubleshooting, and disaster recovery

1. Which of the following utilities would you use for an authoritative restore that you do not require for a normal restore?

a. Ntbackup b. Gpupdate c. Ntdsutil d. Netdiag e. Replmon

2. You are the network administrator for Consolidated Messenger, which has the Active Directory domain named consolidatedmessenger.com. All three domain controllers on your domain have failed. You are about to restore the entire domain from a backup. You determine that a domain controller named ServerA has the most recent good backup of the Active Directory database. You want ServerA’s copy of the Active Directory data to replicate to all other restored domain controllers. What type of restore should you use on ServerA?

a. Normal restore b. Primary restore

c. Restore subtree d. Sc dc1 sdset

3. You are the network administrator for A. Datum Corporation, which has a single Active Directory domain named adatum.com. You need to restore a top-level OU named Marketing. You want to restore objects subordinate to the Marketing OU. Which of the following Ntdsutil commands would accomplish your goal?

a. restore database “ou=Marketing,ou=Corp,dc=adatum,dc=com”

b. restore tree marketing.adatum.com

c. restore subtree “ou=Marketing,dc=adatum,dc=com”

d. restore ntds.dit marketing.adatum.com

4. You need to perform an authoritative restore using your domain controller. You complete a restore using the Backup tool in Windows Server 2003. You see the Backup tool warning message box shown in the following figure. What should you do next?

a. Click Yes. b. Click No.

c. Run the Netdiag command and then restart the computer.

d. Disconnect the computer from the network before clicking Yes.

5. You are a network administrator of contoso.com. A colleague of yours is trying to restore an account named Admin that is located in the Users container of your domain. He enters the commands as shown in the following figure.


Which of the following commands should your colleague be using instead?

a. restore database

b. restore subtree admin.users.contoso.com

c. restore database admin.users.contoso.com

d. restore subtree ou=admin,dc=contoso,dc=com

e. restore subtree cn=admin,cn=users,dc=contoso,dc=com

6. You are a network administrator for Trey Research. There are three domain controllers on the network. All domain controllers run Windows Server 2003. The domain has two Active Directory sites. One site is named Main_Site and the other is named Branch_Site. Server1 and Server2 are domain controllers in Main_Site. Server3 is a domain controller in Branch_Site. While monitoring the network, you discover that the Active Directory data on Server3 does not match the Active Directory data on the other two servers. You review the services that are running on Server3 as shown in the following figure.

You need to allow Server3 to receive updates from the other servers. What should you do on Server3?

a. Restart Server3. b. Stop the Netlogon service.

c. Start the Messenger service. d. Start the HTTP SSL service.

e. Stop the Distributed File System.

7. You are the network administrator for Graphic Design Institute, which has the Active Directory domain named graphicdesigninstitute.com. You have seven domain controllers and all run Windows Server 2003 Standard Edition. You ask your colleague to defragment and compact the Active Directory database on Computer07, which is one of your domain controllers. Your colleague tells you that the System State data backup is not working. You check the Event Viewer of Computer07 and see the error message, as shown in the following figure.



You need to complete the System State data backup before your colleague defragments the Active Directory database. What should you do?

a. Use Ntdsutil to perform an authoritative restore on Computer07.

b. Use Ntbackup to perform a System State data restore on Computer07.

c. Restart Computer07 and press F8 during the startup sequence.

d. Restart Computer07 and do not press F8 during the startup sequence.

e. Use Ntbackup and disable the Volume Shadow Copy option.

8. You are a network administrator for A. Datum Corporation, which uses the Active Directory domain named adatum.com. There are five domain controllers on the network. Three are configured as global catalog servers. All domain controllers run Windows Server 2003 Standard Edition. You learn about a new malicious worm that queries global catalog servers repeatedly requesting universal group membership information. You are concerned that your global catalog servers are performing slowly. You want to receive an alert if any global catalog server is servicing more than 20 universal group membership queries per second. What should you do on all global catalog servers?

a. Configure a Performance console alert. b. Enable audit object access.

c. Configure the CrashOnAuditFail setting in the registry.

d. Configure a capture trigger in Network Monitor.

9. You are a network administrator for Woodgrove Bank, which uses the Active Directory domain named woodgrovebank.com. There are three domain controllers on your network. The domain controllers are named DC1, DC2, and DC3. There are two Active Directory sites on the network. One site is named HQ and the other is named Branch. DC3 is in the Branch site and the other two domain controllers are in the HQ site.

A technician at the Branch site calls to tell you that several objects you created yesterday on DC2 are not displayed in Active Directory Users And Computers on DC3. You want to review the differences between the database on DC2 and DC3. Which of the following tools might help you make this determination?

a. Netdom b. Gpupdate c. Dsastat d. Sysdiff

10. You are a network administrator for Southridge Video, which uses the Active Directory domain named southridgevideo.com. All domain controllers on the network run Windows Server 2003 Standard Edition. Client computers on the network run Windows XP Professional, Windows 2000 Professional, and Windows 98 SE.

A security-consulting group recently reviewed your network configuration and determined that there are a significant number of NTLM authentication requests on the network. You want to determine the number of client authentications that use Kerberos versus the number of client authentications that use NTLM. Which of the following could you use to make this comparison?

a. Performance console counters b. Netdom query c. Object access auditing

d. Gpotool e. Repadmin

11. You are the network administrator of cohovineyard.com. You need to restore a top-level OU named Accounting that was deleted by mistake. You run the command shown in the following figure.

What must you do in order to resolve this error?


a. You must type authoritative restore at the Ntdsutil prompt.

b. Restart the domain controller in Directory Services Restore Mode.

c. Type files and then press ENTER.

d. Restore your System State data backup first.

12. You are the network administrator for Fabrikam, Inc., which uses the Active Directory domain named fabrikam.com. There are three domain controllers in your domain. The domain controllers are named ServerA, ServerB, and ServerC. All domain controllers run Windows Server 2003 Enterprise Edition. Each domain controller is in a different Active Directory site, but all are in the same time zone. These sites are configured to replicate twice per day, once at 6:00 A.M. and once again at 6:00 P.M. You want to back up each domain controller’s copy of the Active Directory database every day at 5:00 P.M. What should you do every day at 5:00 P.M.?

a. Configure a script to run sc create systemstate on each domain controller.

b. Configure a script to run sc create systemstate on only the forest root domain controller.

c. Configure a script to run the command ntdsutil files copy DB c:\backup.

d. Backup the System State data on each computer.

e. Backup the System State data of only the forest root domain controller.

P.M.A.M.P.M.13. You are a network administrator for Contoso Pharmaceuticals. The network has 3 domain controllers, 5 member servers, and 500 client computers. All server computers run Windows Server 2003 Standard Edition and all client computers run Windows XP Professional. One of your colleagues is tasked to disable all unnecessary services from all computers. After completing this task on the domain controller computers, the systems are restarted. They take an unusually long time to start up. Once they start, you are unable to access Active Directory Users And Computers without receiving an error. The error says that you are unable to connect to the domain. You review the services that are running on the domain controller, as shown in the following figure.


You need to be able to use the Active Directory Users And Computers console on this domain controller. What should you do?

a. Start the HTTP SSL service and set its startup type to Automatic.

b. Start the Net Logon service and set its startup type to Automatic.

c. Stop the Distributed File System service and set its startup type to Disabled.

d. Stop the File Replication Service and set its startup type to Disabled.

14. You are a network administrator for Wingtip Toys. One of your colleagues is tasked to disable unnecessary services on ServerA. ServerA is a domain controller for the Wingtip Toys Active Directory domain. Your colleague restarts ServerA. Several network users report problems connecting to resources. You review the services that are running on ServerA, as shown in the following figure.


You want to ensure that all services that allow your domain controller to operate efficiently and securely are running. What should you do?

a. Start the HTTP SSL service and set its startup type to Automatic.

b. Stop the Netlogon service and set its startup type to Automatic.

c. Stop the Distributed File System service and set its startup type to Disabled.

d. Stop the File Replication Service and set its startup type to Disabled.

e. Start the Kerberos Key Distribution Center (KDC) service and set its startup type to Automatic.

15. You are the network administrator for the Alpine Ski House, which uses an Active Directory forest root named alpineskihouse.com. The network also has two child domains named west.alpineskihouse.com and east.alpineskihouse.com. There are 7 domain controllers and 25 member server computers on the network. All computers run Windows Server 2003 Standard Edition. Alpineskihouse.com has 1,500 Windows XP Client computers and the two child domains have 500 Windows XP client computers.

The east.alpineskihouse.com domain has two domain controllers: ServerA and ServerB. All domain controllers’ System State data is backed up daily to a network drive. The hard disk in ServerB crashes. You replace the hard disk and rebuild the server as ServerC. You want ServerA to propagate the latest Active Directory database changes to ServerC. What should you do?

a. Restore the System State data backup from ServerA to ServerC.

b. Promote ServerC to replica domain controller for the alpineskihouse.com domain.

c. Promote ServerC to replica domain controller for the east.alpineskihouse.com domain.

d. Rename ServerC to ServerB and then run dcpromo.

16. You are the network administrator for City Power & Light. The company uses the Active Directory domain named cpandl.com. The network contains three domain controllers. ServerC is one of those domain controllers. On ServerC, the hard disk space that holds the Active Directory database has fewer than 2 GB of space available. You install and configure a new hard disk in ServerC. To free up space on theC drive, you run the following command:

move %systemroot%\ntds\ntds.dit d:\ntds


When you restart ServerC, you see the error that is shown in the following figure.

You restart in Directory Services Restore Mode. You need to ensure that the domain controller can start normally. Which of the following would allow the domain controller to start normally?

a. Run the command repadmin /syncall cpandl.com.

b. Copy D:\ntds\ntds.dit to %systemroot%\.

c. Copy ntds.old to D:\ntds.

d. Restore the System State data backup from ServerA or ServerB to ServerC.

17. You are a network administrator for Lucerne Publishing, which uses the Active Directory domain named lucernepublishing.com. There are three domain controllers on the network. The domain controllers are named ServerA, ServerB, and ServerC. ServerA was the first domain controller on the network and has a larger hard disk and faster processor than the other two domain controllers. ServerA runs Windows Server 2003 Enterprise Edition. The hardware and software configurations of ServerB and ServerC are identical. Both of these servers run Windows Server 2003 Standard Edition.

ServerC fails and you are unable to recover the Active Directory database. ServerC is offline for two weeks before it can be repaired. Your colleague determines that the System State data backups from ServerA and ServerB are more recent than the backups from ServerC. Your colleague uses the System State data backup from ServerA to perform a normal restore on ServerC. When ServerC restarts, the computer displays an IP conflict error and duplicate name error. What should you do?

a. Change the IP address of ServerA. b. Change the IP address of ServerB.

c. Change the IP address of ServerC. d. Restore the System State data for ServerB to ServerC.

e. Restore the System State data for ServerC to ServerC.


Chapter 12 - upgrading and migrating TO windows server 2003


1. Which of the following tools can you use to prepare a Microsoft Windows 2000 domain for the addition of a Microsoft Windows Server 2003 domain controller?

a. Movetree b. Netdom c. Adprep

d. ClonePrincipal e. Active Directory Migration Tool (ADMT)

2. If you plan to migrate SID History, which of the following tools automatically create the domain$$$ account in the source domain during a migration?

a. Movetree b. Netdom c. Adprep d. (ADMT

3. You are the network administrator for A. Datum Corporation, which has an Active Directory domain named adatum.com. All domain controllers in adatum.com run Microsoft Windows Server 2003. You are planning to migrate 300 users froma Microsoft Windows NT version 4.0 domain named DATUM to adatum.com. After you migrate the users, you want them to have access to shared files and printers in the DATUM domain. Most of these resources are shared to DATUM user accounts. Which of the following must you do to accomplish your goal?

a. Upgrade all domain controllers in DATUM to Windows 2000 Server.

b. Clear all passwords on migrated user accounts.

c. Clear all share level passwords.

d. Migrate SID History.

4. You are a network administrator for Adventure Works, which has a Microsoft Windows Server 2003 Active Directory domain named adventure-works.com.The company also has a Microsoft Windows 2000 Active Directory domainnamed adventure-works.local. You must migrate all the user accounts from the Windows 2000 domain to the new Windows Server 2003 domain. Which of the following must you establish before you perform this migration?

a. Interforest trust relationship b. Common NETBIOS names for the two forests

c. Common DNS names for the two domains d. Domain$$$ account in the target domain

5. You are a network administrator for the Alpine Ski House, which has an Active Directory domain named alpineskihouse.com. All domain controllers on the domain run Microsoft Windows 2000 Server. You want to add a Microsoft Windows Server 2003 domain controller to the alpineskihouse.com domain. However, when you run Dcpromo on the Windows Server 2003 domain controller, you see an error message that says: The Version Of The Active Directory Schema Of The Source Forest Is Not Compatible With The Version Of The Active Directory On This Computer. What must you do in order to resolve this issue?

a. Create a computer account on the alpineskihouse.com domain for the Windows Server 2003 computer.

b. Run adprep /forestprep on one of the Windows 2000 domain controllers.

c. Run netdiag /fix on the Windows Server 2003 computer that is to become a domain controller.

d. Run regsvr32 schmmgmt.dll on the Windows 2000 domain controller.

e. Run regsvr32 schmmgmt.dll on the Windows Server 2003 computer.

6. You are a network administrator for Baldwin Museum of Science, which has an Active Directory domain named baldwinmuseumofscience.com. You recently upgrade the Windows NT version 4.0 domain of BALDWINMUSEUMOFSCIENCE to Windows Server 2003. However, your manager informs you that one of the domain controllers that existed on the domain is no longer a member of the domain. You determine that this computer is a Windows 2000 domain controller. During the upgrade, you chose Windows Server 2003 interim domain functional level. What first step must you take in order to join this Windows 2000 domain controller to the existing domain?

a. Create a computer account for the computer in the domain.

b. Use an account that is a member of the Enterprise Admins group to join the computer to the domain.

c. Upgrade the domain controller to Windows Server 2003.

d. Run adprep /domainprep on the Windows Server 2000 computer.


e. Run adprep /forestprep on the Windows Server 2000 computer.

7. You are a network administrator for City Power & Light, which has an Active Directory domain named cpandl.com. The company is currently using another domain, named cpandl.local, which is in a separate forest. You must migrate users from one domain to the other. Both domains use domain controllers running Windows Server 2003, Standard Edition. You want to migrate user passwords from cpandl.local to cpandl.com. You are not allowed to modify the Default Domain Policy of either domain. Which of the following is an appropriate step to accomplish this task?


a. Enable the Let Everyone permissions apply to anonymous users in cpandl.local domain.


b. Add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group in the cpandl.com domain.

c. Create a cpandl$$$ group in the cpandl.com domain.

d. Create a cpandl$$$ group in the cpandl.local domain.

8. You are a network administrator for Wide World Importers, which has an Active Directory domain named wideworldimporters.com. The company is currently using another domain, named wideworldimporters.local, which is in a separate forest. You must migrate users from one domain to the other. Both domains use domain controllers running Windows Server 2003 Standard Edition. You want to migrate user passwords from wideworldimporters.local to wideworldimporters.com. A colleague assists you in preparation for this migration. When you begin a trial migration, you see the following error message: Unable To Establish A Session With The Password Export Server. The Local Machine Does Not Have An Encryption Key For Course Domain ‘Wideworldimporters.Local’. Please Install A Local Encryption Key. What must you do next in order to resolve this error?

a. Run the ADMT key command on the domain controller in the wideworldimporters.com domain.

b. Run the ADMT key command on the domain controller in the wideworldimporters.local domain.

c. Run SYSKEY on the domain controller in the wideworldimporters.local domain.

d. Run SYSKEY on the domain controller in the wideworldimporters.com domain.

e. Enable the Encrypting File System on the SYSVOL of the domain controller in the wideworldimporters.com domain.

9. You are a network administrator for Fourth Coffee, which has an Active Directory domain named fourthcoffee.com. The company is currently using another domain, named fourthcoffee.local, which is in a separate forest. You must migrate users from one domain to the other. Both domains use domain controllers running Microsoft Windows Server 2003, Standard Edition. You want to migrate user passwords from fourthcoffee.local to fourthcoffee.com. A colleague assists you in preparation for this migration. When you begin a trial migration, you see the following error message: Unable To Establish A Session With The Password Export Server. The Source Server Does Not Have The Password Migration Component Installed.

What must you do next in order to resolve this error?

a. Run the ADMT key command on the domain controller in the fourthcoffee.com domain.

b. Run SYSKEY on the domain controller in the fourthcoffee.com domain

c. Install Pwdmig.exe on the domain controller in the fourthcoffee.local domain

d. On the domain controller in fourthcoffee.com, set the AllowPasswordExport value to 0.

e. Create a fourthcoffee$$$ group in the cpandl.com domain

10. You are a network administrator for Trey Research, which has an Active Directory domain named treyresearch.net. The company is currently using another domain, named treyresearch.local, which is in a separate forest. You must migrate users from one domain to the other. Both domains use domain controllers running Microsoft Windows Server 2003, Standard Edition. You must migrate objects from the treyresearch.local domain to the treyresearch.net domain. You attempt to create a cross-forest trust, but the domain controller in treyresearch.local is unable to locate the domain controller in treyresearch.net. Which of the following actions resolves this problem?

a. Configure an LMHOSTS file with the IP address and hostname of a domain controller in treyresearch.net on a treyresearch.local domain controller.

b. Configure a hosts file with the IP address and hostname of a domain controller in treyresearch.net on a treyresearch.local domain controller.

c. Configure conditional forwarding for the treyresearch.local domain to a DNS server in that domain on a DNS server in the treyresearch.net domain.

d. Configure conditional forwarding for the treyresearch.net domain to a DNS server in that domain on a DNS server in the treyresearch.local domain.


11. You are a network administrator for Consolidated Messenger. Company management wants to migrate all user and computer accounts from its former Microsoft Windows 2000 domain named consolidatedmessenger.local to the newly installed consolidatedmessenger.com. All domain controllers on consolidatedmessenger.com run Microsoft Windows Server 2003, Enterprise Edition. Which of the following must be true in order for you to migrate passwords from the Windows 2000 domain to the Windows Server 2003 domain?

a. The Everyone group must be part of the Pre-Windows 2000 Compatible Access group in the consolidatedmessenger.com domain.

b. The Everyone group must be part of the Pre-Windows 2000 Compatible Access group in the consolidatedmessenger.local domain.

c. You must configure a password export server in the consolidatedmessenger.com domain.

d. You must install the Pwdmig.exe application to a domain controller on the consolidatedmessenger.com domain.

12. You are a network administrator for Fabrikam, Inc., which has an Active Directory domain named fabrikam.com. You are planning to migrate passwords from a Microsoft Windows NT version 4.0 domain to the fabrikam.com domain. All domain controllers on fabrikam.com run Microsoft Windows Server 2003, Standard Edition. The domain controllers on the Windows NT version 4.0 domain run Windows NT Server 4.0 with Service Pack 2. Which of the following is necessary in order to migrate passwords from the Windows NT version 4.0 domain to the Windows Server 2003 domain?

a. Install the high-encryption pack on the domain controllers of the fabrikam.com domain.

b. Install Windows NT version 4.0 Service Pack 6a High Encryption on the Windows NT version 4.0 domain controllers.

c. Install the PwdMig.exe application on the domain controllers of the fabrikam.com domain.

d. Run the ADMT key utility on the Windows NT version 4.0 domain controllers.

13. You are a network administrator for Lucerne Publishing, which has an Active Directory domain named lucernepublishing.com. You and your colleague, Terry, are finalizing upgrades from the company. You ask Terry to upgrade the last Microsoft Windows NT 4.0 Server to Microsoft Windows Server 2003. Terry tells you that he receives an error message when he attempts the upgrade from CD-ROM. He thinks there is something wrong with the CD-ROM drive. You check the CD-ROM and see that he is using a Microsoft Windows Server 2003, Standard Edition CD-ROM. What should you tell Terry to do in order to complete his upgrade?

a. Run Adprep /domainprep on the Windows NT version 4.0, Enterprise Edition computer

b. Run Adprep /forestprep on the Windows NT version 4.0, Enterprise Edition computer

c. Run Winnt32 /checkupgrade only on the Windows NT version 4.0, Enterprise Edition computer

d. Use a Windows Server 2003, Enterprise Edition CD to perform the upgrade

14. You are a network administrator for Margie’s Travel, which has an Active Directory domain named margiestravel.com. The domain was recently upgraded from Microsoft Windows 2000 to Microsoft Windows Server 2003. However, not all of the domain controller upgrades were completed. You are assigned to complete these upgrades. Your manager mentions that you should modify the User Rights assignment to complete the upgrade. He cannot remember specifically what you must do. You log on to one of the Windows Server 2000 domain controllers using the default administrator account. You attempt the upgrade and receive the following error message: You Must Be An Administrator To Run This Application.

The user rights for the Domain Controller Security policy are configured as shown in the following figure.


What must you do in order to be able to complete the upgrade?

a. Add the Everyone group to the Pre-Windows 2000 Compatible Access group.

b. Give the default administrator account the Back Up Files And Directories right.

c. Give the default administrator account the Create A Token Object right.

d. Create a margiestravel$$$ account on the Windows 2000 domain.

e. Create a margiestravel$$$ account on the Windows Server 2003 domain.

15. You are a network administrator for Woodgrove Bank, which has an Active Directory domain named woodgrovebank.com. All domain controllers on the domain run Microsoft Windows Server 2003, Standard Edition. Client computers on the domain run Windows 95, Windows 98, Windows NT version 4.0, Windows 2000 Professional, and Windows XP Professional. Once you upgrade the domain from Windows NT version 4.0 to Windows Server 2003, your client computers cannot log on to the domain.

Your manager does not want you to install any additional software to the client computers. Which of the following solutions allow the client computers to log on to the domain?

a. Disable the SMB signing requirement on the domain controllers.

b. Require Kerberos logons on the domain controllers.

c. Require IPSec on the domain controllers.

d. Add the Authenticated Users group to the Pre–Windows 2000 Compatible Access group on the domain controllers.

16. You are a network administrator for Proseware, Inc., which has an Active Directory domain named proseware.com. All domain controllers on the domain run Microsoft Windows Server 2003, Standard Edition. Client computers on the domain run Windows 95 and Windows XP Professional. You complete an upgrade of the domain from Windows 2000 to Windows Server 2003. Users on the network who use Windows 95 client computers are now unable to log on to the domain. They report they see the error message: The Domain Password You Supplied Is Not Correct, Or Access To Your Logon Server Has Been Denied.

What can you do to allow these clients to log on to the domain?

a. Install the Directory Services Client Update for Windows 95.

b. Require Kerberos logons on the domain controllers.

c. Require IPSec on the domain controllers.

d. Add the Authenticated Users group to the Pre–Windows 2000 Compatible Access group on the domain controllers